CGEIT – WHY YOU SHOULD TAKE IT!

You who are reading this article might have asked yourself one or several of these questions:

  • Why should I take CGEIT?
  • Who should take CGEIT?
  • Is CGEIT worth it?
  • When, in my career, should I take CGEIT?
  • Does CGEIT add value for me as a security <suffix>?
  • What does Governance even mean?

Or maybe you haven’t asked yourself these questions at all and are just curious to know more about what CGEIT from ISACA is(?).

This article is written to guide you as a reader through the questions and also let you take part in my reflections about the certification.

INFORMATION
No, this is not a “how to pass CGEIT” article. If that is what you are looking for, you will be disappointed.

TERMS & DEFINITIONS

Below are terms and definitions that will be used several times in this article:

  • CGEIT – Certified in the Governance of Enterprise IT. This certification is targeted toward those who want to demonstrate their knowledge of IT Governance and strategy. For example CIO, IT Directors, security leaders (CISO, Directors, Managers), and decision-makers in both IT and security.
  • ISACA – Information Systems Audit and Control Association (ISACA) is the organization that provides the certification mentioned above.

WHAT IS GOVERNANCE?

Before I jump into CGEIT, I think it is worth setting the foundation for what governance is.

I will elaborate more on this in the article, but I will not go into a deep dive on the subject; that is for a future article. With the context above, I think we have a good foundation for describing what Governance means. When it comes to IT and security, governance is not that different. More about this later though.

WHY IS GOVERNANCE NEEDED?

So, why does an organization need Governance for IT, security, and other corporate functions (Finance, HR, Operations etcetera) and the organization as a totality? What purpose does it serve?

Governance does not serve only one purpose; it is something that feeds into several aspects of an organization.

Some of these are:

  • Ethics
  • Transparency
  • Accountability
  • Control
  • Direction
  • Monitoring
  • Measurement
  • Reporting

Governance is not purely about IT or security. And it is not something that was forged by the IT or security industry. IT and/or Security governance is not a pure result of governance being established somewhere else in the organization. IT and Security governance need to be integrated and interact with the other governance structures existing in an organization, for example business, corporate, and financial governance.

Keep in mind that security does not exist or operate as an isolated vertical in an organization. It is the opposite. Security is horizontal and runs through every business process in the organization.

Security might manifest itself a bit differently in the different business processes. It is not enough for an organization to only have security governance established, or IT governance for that matter. It all should start with the establishment of corporate and business governance. If these things are not established, it will be somewhat hard to gain those synergy effects and to establish security throughout the organization from a governance perspective.

CLARIFICATION

And change management does not equal governance. I have many times been approached by people who say:

“Yes Henrik, we have governance implemented, we have a process for managing change.”

Managing change, or having a change enablement process in place (which are two different things), does not mean that “governance” has been implemented. Both of these things are parts of what can be found in an implementation of governance. But they are not what constitutes the implementation of governance.

WHAT TO LEARN FROM CGEIT?

CGEIT is about “IT governance” built on agnostic and vendor-neutral principles. It is not about a certain product or methodology. And governance is not a solution or appliance you install, and it should not be treated as such either. It is not a next-next-next installation or a checkbox exercise.

Yes, some certain products and solutions can be helpful in managing the elements that a governance framework consists of. However, a technical product or solution does not equate to the establishment of a governance framework.

This is my personal 2nd masterpiece that I have constructed on my own. All credits and bragging rights reserved.

CGEIT makes sense for those who are in, or aspire to work in, a leadership position. The knowledge you will gain will certainly help you better understand and accomplish tasks and activities related to such a role. But just because you hold the CGEIT certification, you will not be propelled into a CIO or CISO role, or an IT or security director/manager role either. I have read this statement here and there in some blogs and I do not agree with these statements at all. You may have the “technical” skills needed for conducting the activities though, if you understand the concepts and principles AND can translate these into the real world and make them applicable. This is what it is about: being able to translate and apply the knowledge you gained from your studies and the certification you accomplished into the real world, whether that is CGEIT or any other one for that matter. More on this later; now let’s get back to the subject of this section.

Taking on a leadership role, such as CISO, requires you to have the capability to lead and manage a group of people and an organization. This is paramount for any type of leadership role. And this is not something that can be learned from any form of exam in my opinion. You can pick up knowledge and inspiration of course. But I would say that there are many better ways out there to become a better leader. And if you want to take on that path, I recommend leadership coaching and personal leadership as a starting point. This is a subject on its own, so I will stop here for now.

If you want to read a word or two about leadership, I recommend you check these articles out:

But, as I said: the knowledge gained from CGEIT will most likely, or should at least, make you a more technically accomplished leader. I am a firm believer that good leaders practice what they preach. And actions speak louder than words. An accomplished leader, in whatever field they operate, has the capability to roll up their sleeves and get down into the trenches if needed. They do not need to be a specialist in the field, but they know the way, show the way, and go the way. This is what CGEIT potentially can provide you with: knowledge in terms of agnostic and vendor-neutral governance principles. And as a leader with responsibility for governance, I think knowledge of the subject is key.

WHO SHOULD TAKE CGEIT?

If you are an aspiring or working IT or security leader looking to increase your knowledge in governance, I think CGEIT is for you. The CGEIT certification will provide you with:

  • agnostic and principle-based governance knowledge
  • vendor-neutral principles around governance
  • a test to validate your skills and knowledge in governance

CGEIT is a potential value add for anyone who is seeking to increase their knowledge within the subject. I say potential because a certification provides the value that you, or someone else, give it. I have written a bit more about my general take on certifications in this article:

Keep this in mind though. Just because one passes the CGEIT test and holds the certification does not mean, in any absolute terms or as a promise, that the dude or girl knows:

  • How to develop a governance framework
  • How to lead a governance function
  • How to manage a governance function
  • How to design organizational governance principles
  • How to develop measurement methodologies and objectives
  • How to <insert governance-related subject here>

These are just a few of the skills that a governance practitioner needs to demonstrate in the real world. An exam, independent of whether it is practical or theoretical, is still an exam. This is true for CGEIT and other exams. Practical exams are, as I see it, more comparable to the real world (to some extent), but they are still exams. So what do I mean by that?

In the real world, you will be “judged” based on your performance and your actual skill in the domain/area you are conducting the work in. This is also, and should be, something based on an extended period of time. In the real world, your performance and accomplishments are and shall be less based on a snapshot of time (as during an exam).

And in the real world, those who judge you most of the time are people who work close to you. People who know you and work beside you. Like your manager, for example. Or a group of colleagues. The skills you demonstrate, more or less related to any job role, are a piece of a bigger puzzle. Your individual skills are only as powerful as their realization in the real world together with those who depend on them. It is very, very, very much about your individual contribution to the team. It is very much about how well you and your team can translate each other’s skills into value-adding effects, both for the team and the organization you support. I have said it countless times on my website when it comes to security: security is a team sport.

I think that a valid question to ask oneself, from time to time when new skills are learned, is:

“These skills that I have gained, from learning X, from studying Y and completing exam Z, how can I translate them into real-life value for those I help and support?”

Holding certifications, degrees, and theoretical know-how has value for sure. I do not in any way say or claim the opposite. I am a strong believer in continuous learning. I hold several certifications and certificates myself, and each year I spend a significant portion of my time on “learning”. For me, this is what it is about: the learning, and less about collecting those Pokémon. The certification is a form of external and internal validation through a test, but it does not, for me personally at least, explain how good I am at a certain subject. How good I am at a certain subject is for those who depend on me and my knowledge to decide.

I am a pragmatic dude and will always be. I believe in stuff that works in real life. I support a learning-by-doing mindset. I like to pull up the sleeves. Test things out. Learn from it. Improve. And repeat. Throughout my career, I have been focusing on the learning part primarily. I do not say that this is something that everyone should do but this is how I operate myself.

And CGEIT and the knowledge within it were no different for me in that sense. I have practiced the knowledge and still do. I am still sharpening my skills within the governance realm. I do not see this, i.e. accomplishing CGEIT, as an end goal for my development in the area. I should also add that my daily work, for years and still, is mainly focused on security governance and strategy. These were THE primary sources that helped me pass the exam. I cannot emphasize this enough. More about this in the next section.

MY LEARNING PATH

To sum it up, without going into brag mode too much, my knowledge was not gained only by reading or learning the content in a specific book or framework. Yes, those things have added up to it. I read the CGEIT book twice; that was my exam preparation. I went through it once two months before the exam and then scrolled through it one week before the exam. End of bragging.

I have heard and read that many say the book is “dry”, boring, and hard to read and understand. Personally, I do not agree. I can see that the material will be hard to grasp if you lack practical knowledge of the principles in the book. The learnings will most likely become very abstract for the student. This is not something unique to CGEIT though. This is my general philosophy: practical knowledge is impossible to substitute for.

The CGEIT book was how I did my practical preparation for the exam, but here comes the deal breaker: it was not that one thing that enabled my knowledge. Because I do not really think knowledge works that way either.

“I have <read the book/conducted the labs> and passed the exam. Now I am the end boss.”

No, not really. I am not a believer in that approach. And that is not how end bosses are created as I see it. Security, and IT for that matter, are practical disciplines. They do not take place only in a theoretical or multiple-choice land. To become that end boss you need to have practical knowledge. You need to be able to translate your skills into reality. You need to be able to demonstrate and provide value to those who depend on you.

So, how did I practically gain “governance knowledge”? Some stuff along the road, during my 20+ year professional career, that helped me to accomplish the CGEIT exam:

  • ITIL
  • COBIT
  • ISO 27K
  • ISO 31K
  • NIST CSF
  • CSA CCM
  • CISA ISACA
  • CISM ISACA
  • CRISC ISACA
  • Project management
  • Program management
  • Portfolio management
  • IT Service management
  • A bunch of non-IT and security-related knowledge, such as:
    • Governance
    • Leadership
    • Strategic planning
    • Business management
    • Strategy development

And I have most likely missed out on a thing or two that can be added to the list.

The CISM and CRISC certifications from ISACA overlap with CGEIT. You will also find parts of CISA useful, but the closest overlap with CGEIT is CISM and CRISC. Keep in mind though, now you are supposed to look at the subjects from an enterprise and management point of view. Just because there is an overlap does not mean that the context is the same. For example, “risk” is still “risk” but can be used as an instrument in different ways depending on the role you have or who is in your audience. The purpose is still the same though.

Certificate of Cloud Security Knowledge (CCSK) from Cloud Security Alliance is another good certificate that will provide you with insightful information. You do not under any circumstance need to take the certificate to pass CGEIT. The CCSK learning material from CSA covers foundational knowledge related to Cloud Security governance that is good to know anyway if you are working with, or aiming towards working with, governance. CCSK is also a very good certification that I strongly recommend to anyone who wants to improve his/her knowledge of cloud security. Learn and read; it is a good investment. The self-study material is provided by CSA for free. And no, I am not affiliated with or sponsored by CSA. I’m not receiving any commission for my recommendation.

I do not say that you, who are reading this or aiming for CGEIT, need to walk the same path as I did. You do not need to have knowledge and skills in all the things I listed above to pass the exam and become a CGEIT certification holder. This is how I did it. Many who are going for the CGEIT exam or holding it have skills and knowledge in several of the areas listed above. So I am not a unique dude in any way, shape or form from that perspective. I have been around the block for quite some time and worked within several different disciplines that have added up to the accumulated knowledge I have in my backpack. I think that a broad perspective is also something that is very helpful for a security practitioner, especially if you work in management and leadership positions.

IS CGEIT FOR SECURITY PEOPLE?

Yes, I think a security leader will definitely find CGEIT useful to have in his/her pocket. Let me rephrase that a bit: the knowledge gained from the CGEIT studies is something for a security leader.

So, what value does the knowledge gained from CGEIT add to a security leader, you may ask?

To achieve a strong security posture in any organization, it needs to include and be built on solid governance: ethics, transparency, roles & responsibilities, processes, teamwork, procedures, communication & stakeholder management, value realization, continuous improvement, <and more things>.

Without governance, there is no foundation for “building” security. But this does not mean that this is how all organizations handle security. In many places where I have been, it is the opposite, in combination with a main focus on highly operational things, i.e. putting out small fires that pop up daily. I do not think this is a sustainable approach for any organization or how security should be operated. That is also why I have been doing what I’m doing: helping organizations get out of this unhealthy way of doing security things.

I think it is a bit strange that CGEIT has around 8,000 holders globally (at the date when this article was first created). The certification has been around since 2010. The number of certification holders makes CGEIT a bit more exclusive to attain, but I also feel that the knowledge it provides should have a broader reach. The audience and need for this knowledge are out there for sure. I think that many security leaders would benefit from having both a deeper and broader understanding of governance in general and also why it is important from a security perspective. And why it is the foundation for a strong organizational security posture.

I kind of get the feeling that the certification is one or both of:

  • underrated
  • unrecognized

And the number of holders may also come down to a combo of several things, such as:

  • It is not an HR gatekeeper (like CISM, CISA, CISSP, or CEH)
  • It is less found as a requirement by external authorities, companies, and organizations (like other known certifications, see above)
  • It is a less understood domain by the IT and security people
  • It is less often found in job postings

Whether the above statements are true or not I cannot answer, but they do not take away the knowledge that can be gained from the studies for CGEIT. It is a unique exam as there are no other similar exams covering agnostic and vendor-neutral governance principles and practices.

CGEIT & REAL LIFE CARRY OVER

To put it shortly, CGEIT provides highly applicable and relevant IRL knowledge about the subject. Many of the principles translate directly to the real world.

And I do not know of any other certification focused around governance(?) which is agnostic and vendor-neutral. This makes CGEIT, in my opinion, very special and at the same time very attractive. Yes, you will find similarities to COBIT in it, but CGEIT is not built around COBIT or any other model.

But the stuff within CGEIT, or any other exam, theory, framework etcetera, needs to be adjusted to reality. Developing a governance framework for one organization may look a bit different from another. The frameworks might be built on the same principles but be different in shape. Why is that?

Each organization is its own unique entity. What works at one place might not work at another place. And now I speak about the practical real-life implementation of a governance framework. For example, one of the main considerations to take into account when putting a governance framework in place is the organization’s culture.

Invaluable real-life recommendation & tip: adapt the governance framework to the organizational culture. Not the other way around.

LEARNING MATERIAL

The stuff out there that can help you pass the exam is very limited. The review manual from ISACA is the only book out there (at the moment). It covers all you need to know as a student. But if you lack IRL experience of the subjects to be tested on, it will be harder to grasp the principles. Some things might become very abstract and blurry.

The book is not a “how-to” manual describing a step-by-step implementation of governance. This is also what I liked about the book. It is, like the certification, “principle-based”. If you understand the principles in the book, they will provide you with an understanding of how to build a governance framework or parts of it. It is very much up to you, as a reader and student, to do the math behind the reading. If you want to deep dive into a certain part, the internet is full of resources related to the “how” of building things and people to learn from. Do not underestimate the power of your network and the people around you for your studies and for sharpening your skills.

I think that the limited study material contributes to the low number of certification holders. There is one book, a Q&A, and training offered by ISACA. This is for sure enough, but maybe people want to have more material. Some people prefer to use non-ISACA material to prepare for their exams. There is no right or wrong. What suits one person may not apply to another.

The official CGEIT book from ISACA was the first ISACA book I read in my preparation for the certifications that I hold from them; at this point CISM, CISA, CRISC, and CGEIT. I think there is some room for improvement in the CGEIT review manual and would love to participate in such an opportunity. If ISACA announces a subject matter expert review of the book, I will certainly be interested in contributing. I am one of those who love to give back my knowledge to others in the community and industry. There is something beautiful in helping others. I try to do so through my website, improving study material, and coaching and mentoring. And I encourage everyone to do it, in whatever way they find value-adding and fun. This is how we together as security <suffix> make the world a safer place for everyone.

TRICK: LEARNING METHOD

I think this method is very rarely spoken about when it comes to certification preparation. It can be used for any form of certification, certificate, or other forms of learning.

1.) Look through the domains, areas, and subjects the learning covers.

2.) Reflect on your career and your accumulated skills related to the domains, areas, and subjects.

3.) Identify your personal gaps, strengths, and weaknesses in relation to the learning you are taking on.

4.) Find a person, in your network or at work, who is knowledgeable in your weaker areas and discuss these together as a part of your learning.

5.) Contemplate the discussion on your own and form further questions related to the subject. In many cases, you will identify further questions, on a “deeper” level, that you feel you lack answers to. When you start to learn about a certain subject, you also better understand what questions to ask yourself and others.

6.) Get back to the person you discussed with in step 4.), or reach out to a group of new people to gain further perspectives, and discuss your new questions from step 5.).

This method is very useful if you, for example, lack practical knowledge in a certain area. The more abstract a certain area feels to you, the more this method will help you clear that blurriness a bit. There is power in verbalizing and talking about things that you read about. And there is so much value in learning from others through their practical experiences.

This method will mainly 1.) increase your knowledge in a certain domain/area/subject, 2.) support your learning journey, and 3.) add “in-real-life” perspectives in, for example, your exam preparation, related to your learning.

EPILOGUE

I have written quite a lot about security governance on my website, www.HenrikParkkinen.com. I see that this is a subject that is somewhat forgotten and less spoken about when it comes to security. And I kind of understand it.

The word and subject Governance has in many organizations gotten a bad reputation and a bad taste in the mouth. But it does not have to be that way. It does not need to be something that tastes bad or is highly bureaucratic and political. Or something painful. If governance ends up only becoming a pain in the a*s, it is a failure.

Governance shall help the people and organization to do the “right things”. Governance can be looked at as the “how to” mechanism in an organization for achieving its mission, vision, and objectives. (And “strategy” can be seen as “what” an organization will do to realize and create value). Governance shall exist to support the organization to create value. And there is a strong interrelationship between governance and strategy.

Do not confuse “value” with only monetary and tangible stuff. The truth is, when it comes to security, “value” is not only about dollz and tangible things. Not everything related to security needs to be quantified into figures and forecasts. I know that others think otherwise and I am fine with that. And I do not say that those people are wrong and I am right. It comes down to different opinions and perspectives.

If you want to read more about value in relation to the subject security strategy, check this article out.

Thank you ISACA for a great exam, knowledge, and community! I hope that you, reading this article, found the information useful to guide you in the decision whether CGEIT is something you shall add to your personal knowledge backpack.

Henrik Parkkinen