Certification Cybersecurity

I Failed the CISM Exam and Lived to Tell the Tale

teodulfo.espero

May 25, 2025

Photo by Milan Malkomes on Unsplash

What Failing CISM Taught Me About Cybersecurity (and Humility)

So, I took the CISM exam.

And I failed.

Not in a cute, “missed it by one point!” way either. More like, “Well that escalated quickly” level of failure. Picture the Titanic, but instead of an iceberg, it was 150 scenario-based questions that punched me square in the professional pride.

Let me tell you how this all went down—from the perspective of a solo IT admin who thought they could casually walk into a globally respected management exam like it was a helpdesk ticket.

CISM: The Exam That Reads Your Soul

If you’ve never taken the ISACA CISM, let me paint you a picture.

It’s not like your regular cert exam. It doesn’t care how many firewalls you’ve configured, how many users you’ve saved from clicking malware, or how many printers you’ve rebooted with your Jedi mind tricks. Nope.

CISM wants to know if you can govern an enterprise, manage risk, and align security goals with business objectives—all while the CEO wants answers, and the compliance officer is side-eyeing your incident response plan.

What I Thought Would Happen

Me: “I’m experienced. I manage cybersecurity. I’ve written policies. I’ve handled risk. I even have an MS in Cybersecurity.”

CISM: “That’s cute.”

Where I Crashed and Burned

Let’s call this the “Oh no” montage:

  • I skimmed the ISACA Review Manual like it was bedtime reading. Mistake #1.
  • I ignored practice questions. Mistake #2.
  • I assumed managing IT solo = automatically being ready for a manager-level exam. Mistake #3, 4, and probably 5.

Add to that a dash of overconfidence and a full-time job where half my week is spent putting out digital fires, and you’ve got the perfect recipe for a learning experience.

What Failing Taught Me (Besides Pain)

Honestly? I needed this.

It reminded me that leadership-level certifications require leadership-level thinking. CISM isn’t about tech wizardry—it’s about strategy, prioritization, and knowing how to make decisions that hold up in a board meeting and a cyber incident.

It’s about answering, “Which control do you implement first?” with “Whichever one reduces enterprise risk while supporting business continuity” instead of “The coolest one with an acronym.”

What Now?

I’m not quitting. I’m regrouping.

  • I’ve got the 2024 ISACA Review Manual actually open on my desk.
  • I’m deep diving into scenario questions and watching my assumptions get wrecked in real-time.
  • I’m building a realistic study plan that doesn’t require time travel or 36-hour days.

To Anyone Else Who’s Failed a Cert Exam

You’re not alone. And it doesn’t mean you’re not smart or capable. It means the exam was hard, and you were brave enough to take it.

So own it. Learn from it. And come back swinging like a GRC-powered ninja.

Final Thoughts?
I failed CISM. But I still run IT for an entire water district. And I’m still coming back stronger.

Because one test doesn’t define your worth—how you respond does.

Now, if you’ll excuse me… I’ve got to go cry into my risk register and then get back to studying.

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *