CISM ‘A Natural Fit’ for My Career in Information Security Management

Headshot of Josh Hamit
Author: ISACA Now
Date Published: 23 April 2020

Editor’s note: Josh Hamit, vice president, chief information officer at Altra Federal Credit Union, was among a recent set of professionals achieving Certified Information Security Manager (CISM) who helped CISM surpass the milestone of 50,000 certification-holders since its inception. Hamit, a resident of Minnesota, USA, recently visited with ISACA Now to discuss why he pursued CISM and how it has aided in his career progression. The following is a transcript, edited for length and clarity.

ISACA Now: Can you provide a brief summary of your career path so far, and what sparked your interest in information security?
I’ve been working in IT since about 2002, and like many, started out in the technical trenches and worked my way up into management. My background in IT was more on the infrastructure side, overseeing workstations, servers, networks, telecommunications and data centers. Eventually, out of necessity, I took on more responsibility in the security realm as the organization I worked for at the time grew and needed a more established security discipline.

Initially the business drivers were largely tied to regulatory compliance, but as my exposure to information security increased, it was evident this was something I was really interested in and passionate about. As my responsibilities and successes increased at a division level, I was eventually asked to take a lead role overseeing the corporate information security program for a large global enterprise. Right around that time I also obtained my CISSP certification, which really added credibility to my role, and also increased my personal confidence to do the job.

Today, I’m serving as a CIO in financial services, overseeing both the IT and information security disciplines. Information security continues to be a passion of mine professionally and is an integral part of what I do each day. Having the security background really affords me the opportunity to ensure that security is always factored in and prioritized.

ISACA Now: How did you find out about the CISM certification?
CISM has been on my radar for a long time since obtaining my CISSP and CCSP certifications through (ISC)2. Many of my former colleagues were CISA-certified, so I was very familiar with ISACA. My interest in the CISM was primarily the result of evaluating my career path and looking at the next logical step after achieving the CISSP.

ISACA Now: What motivated you to take the CISM?
I’m a big believer in pursuing certifications that are well respected, increase credibility, and include curriculum that teach you something (hopefully many things) that you can apply on the job. In other words, it’s not just about putting some letters behind your name, but really looking for credentials that are differentiators. CISM in particular was a natural fit after CISSP as my career has transitioned into managing and overseeing information security at a strategic level.

ISACA Now: How do you see the CISM furthering your career goals?
From my standpoint CISM is the pinnacle credential for anyone who is responsible for managing an information security program and providing strategic oversight. First and foremost, pursuing the CISM forced me to put the time and energy into knowing the material inside and out, which made me a better security professional in the process. The icing on the cake is having a designation that increases my credibility to oversee this important discipline within my organization.

ISACA Now: What might be examples of some challenges in your daily work that having the CISM body of knowledge is helpful to address?
Soon after passing the CISM exam and sharing the news with some members of our senior management team, I said that every security professional should pursue CISM because it really forces you to see information security through a business lens. More specifically, the CISM curriculum helps a security professional to have a more pragmatic view of security that places the ultimate emphasis on ensuring the security program is well-aligned to the business at a strategic level. Both need to work in harmony to help the business achieve its goals and objectives. Sometimes information security can get too caught up in policing, perhaps even getting in the way of the business operationally. The CISM body of knowledge stresses the need to have a balanced view of information security that really demonstrates the value the program is delivering to the organization.

Also, in my role I have the responsibility to routinely communicate about information security to our board of directors and senior management team. The CISM is very helpful for anyone who is communicating security at that level, as it emphasizes the need for establishing meaningful metrics, creating effective business cases, using the business risk appetite to guide risk treatment, and also the need for security leaders to be effective facilitators in order to help the business make informed decisions. Other challenging areas for which I am able to put the CISM body of knowledge into practice are the ongoing development and testing of our disaster recovery and incident response plans.

ISACA Now:  You helped push CISM to recently surpass the 50,000 certification-holder milestone. What does it mean to you to be part of the community of CISM-certified professionals around the world?
I’ve always considered it to be a privilege to be part of the community of security professionals around the world, and certainly it’s an honor to be one of around 50,000 CISM certification-holders globally. It holds special meaning because CISM represents a standard of excellence in information security leadership. As leaders, we have such an important responsibility to not only lead the information security discipline within our own organizations, but to also champion information security by getting more people involved. When I think back on my early years in information security, I had some incredible mentors that helped me along the way. To me, being a CISM carries the responsibility to continue paying it forward to our incredible community of security professionals.

ISACA Now: What else might people be interested to know about you?
Well, first of all, I never think of myself as being all that interesting. Outside of what I do professionally, I love spending time with my incredible wife and two daughters (ages 6 and 3). They keep me pretty busy outside of the office. We enjoy traveling whenever we get the opportunity to do so. Lately most of our trips seem to involve Disney, but perhaps the most interesting place my wife and I have ever visited was Italy. We talk about that trip quite often and hope to experience Italy with our daughters in the not-too-distant future.