Category Archives: Blog

Peter H. Gregory accepted into Forbes Technology Council

Forbes Technology Council Is an Invitation-Only Community for World-Class CIOs, CTOs, and Technology Executives.

Seattle (September 2, 2021) — Peter H. Gregory, career security professional and best-selling author, has been accepted into Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs, and technology executives.

Gregory was vetted and selected by a review committee based on the depth and diversity of his experience. Criteria for acceptance include a track record of successfully impacting business growth metrics, as well as personal and professional achievements and honors.

“We are honored to welcome Peter H. Gregory into the community,” said Scott Gerber, founder of Forbes Councils, the collective that includes Forbes Technology Council. “Our mission with Forbes Councils is to bring together proven leaders from every industry, creating a curated, social capital-driven network that helps every member grow professionally and make an even greater impact on the business world.”

As an accepted member of the Council, Peter H. Gregory has access to a variety of exclusive opportunities designed to help him reach peak professional influence. He will connect and collaborate with other respected local leaders in a private forum. Peter will also be invited to work with a professional editorial team to share his expert insights in original business articles on Forbes.com, and to contribute to published Q&A panels alongside other experts.

Finally, Gregory will benefit from exclusive access to vetted business service partners, membership-branded marketing collateral, and the high-touch support of the Forbes Councils member concierge team.

“I’m thrilled to be a member of the Forbes Technology Council,” states Gregory. “While the opportunity to learn from my Council peers is sure to help my career, I hope to begin giving back to the community as soon as possible.”

ABOUT FORBES COUNCILS

Forbes Councils is a collective of invitation-only communities created in partnership with Forbes and the expert community builders who founded Young Entrepreneur Council (YEC). In Forbes Councils, exceptional business owners and leaders come together with the people and resources that can help them thrive.

For more information about Forbes Technology Council, visit forbestechcouncil.com. To learn more about Forbes Councils, visit forbescouncils.com.

ABOUT PETER H. GREGORY

For more information about Peter H. Gregory, visit www.peterhgregory.com.

His Forbes Technology Council profile can be viewed at https://bit.ly/3n23zYD or at https://profiles.forbes.com/members/tech/profile/Peter-Gregory-Senior-Director-Cyber-GRC-GCI-Communications/50c6ac2f-7c83-4512-8082-2e2d60acfe4f

WFH Workers: What’s your Power and Internet DR Plan?

When we all worked in corporate offices, our enterprises (if they were large enough) developed DR plans for power and Internet connectivity, enough that it took a significant event to take a workforce offline. Through economy of scale, workers were all covered by DR plans for power, Internet, and environmental controls, resulting in a decent level of resilience.

APC UPS for laptop and WiFi

But now that many of us are home, our DR is not what it should be. In our home offices, we lack multiple ISP and power feeds. In almost every respect, our critical infrastructure at home (power, Internet, environmentals) is N+0: if our power goes out, or our Internet goes out, or if our heat or A/C goes out, there are probably no backup systems.

We are each responsible for our own DR in our home offices. If we want resilient power, we need a UPS and/or a generator. If we want resilient Internet, we have to have a fallback plan. If we want resilient heat or A/C, we must have another source of heating or cooling.

We live in the country, where there’s no landline, no cable, and no fiber. We’ve lived in WA for decades, and are accustomed to extended power outages due to severe weather events. For us, Internet outages are infrequent, but they happen, particularly at harvest time when farm equipment parks in front of our fixed wireless antenna, or when our local ISP is doing maintenance on network elements such as patching routers.

Fixed Wireless Internet Antenna

Here are the details of my primary and backup plans:

Resource | Primary | Backup
Internet | Fixed Wireless WiFi (12Mbps/12Mbps) | iPhone tethering (3Mbps/3Mbps)
Power | Utility Power | Cyberpower UPS for Internet POE (5 hrs); APC UPS for WiFi and Laptop Computer (6 hrs); Honda EU2200 Generator; Future: 10 circuit transfer switch + larger generator + EMP circuit protection

Our utility power does go out from time to time. Since moving into our present home in mid-2020, we have had one outage lasting ~30 hours, and three outages lasting 1-3 hours. In the more prolonged outage, we fired up our larger generator (not pictured) to run our freezers and charge the UPSs.

Our source of water is a well that is on our property. When the power goes out, we have no water. For this reason, we have purchased a transfer switch that can enable us to run our well using our larger generator (I doubt that the little Honda can power it).

Gas generator

All of these measures have given me confidence that we will have power and Internet for short-term outages. For longer-term outages, the larger generator and transfer switch will enable us to run water and remain in our home for as long as we have generator fuel.

Since I do not work in a corporate office in a commercial building, I must implement my own resilience strategy. No one else is going to do it for me.

Smartphone WiFi hotspot

From a cybersecurity perspective, I’m pretty confident in our setup, but I’m not going to go into details here. We have a commercial NG-Firewall protecting our entire network, advanced anti-malware, secure DNS from cleanbrowsing.org, and other safeguards.

Blameshifting is not a good defense strategy

Today, in my newsfeed, two stories about breaches caught my attention.

In this first story, a class-action lawsuit is filed against Waste Management for failing to protect PII in the trash.

In the second story, a South African port operator declares force majeure as a result of a security breach, in essence declaring that nothing could have been done to prevent the breach.

In both of these situations, the victim organizations attempt to shift the blame for the failure to protect sensitive information onto others. Those of us in the profession have seen victim companies do this in the past, and it generally does not work out well.

Back to the Waste Management story. Here, I argue that when an organization places something in dumpsters, they should take steps to ensure that no recoverable information is discarded. Unless the business arrangement between companies and Waste Management is more akin to secure document shredding by companies like Shred-It, I assert that the garbage company has no obligation to protect anything of value placed in the trash.

On to the South African port operator. Declaring force majeure as a result of a security breach is an interesting tactic. In my opinion (note that I am not a lawyer and have had no formal law education), this strategy will backfire. There are numerous examples of organizations that successfully defend themselves against attacks like this. Granted, these attacks are a global plague, but defense, while challenging, is absolutely possible.

Disruption of branch banking is of their own making

An experience late last week was an epiphany for me.

While managing the financial affairs of a relative, I needed to get a one-page document notarized. I live in a small town, where there are only two or three local bank branches.

One of the branches is K** Bank. On their website, K** Bank makes available the capability of making an appointment at a nearby branch. I filled in the appointment form, including the specific nature of the visit. Another relative who was visiting a few weeks ago got a document notarized there, so I knew that this branch of K** Bank had a notary.

I showed up, was greeted by branch staff, and invited to have a seat while someone came to assist me. Soon, another branch employee came over and said she was ready. I presented my document and my photo ID. The employee asked for my K** Bank account number, and I replied that I was not a customer. She replied that Key Bank only notarizes documents for customers. When I asked whether K** Bank would notarize my one-page document for a fee, the answer was, no, sorry. The branch was not busy: there were six employees in the branch, and I saw one or two customers come and go in the ten minutes that I was there.

I left and drove two blocks to the town’s professional building, where a lawyer, an accountant, a marriage counselor, and a financial advisor have small offices. I poked my head into the CPA’s office and asked, do you know of a notary here in town? The CPA got up, greeted me, and took me across the hall to the financial advisor’s office, where she introduced me to an independent financial advisor. He gladly took a couple of minutes to notarize my document. He refused to accept a fee. Since he was conversational and polite, I asked him about his business, asked for some business cards, and may have some business to refer to him.

Branch banking is going the way of the bookstore. Key Bank had an excellent opportunity to take a few minutes to meet a new potential customer by showing a bit of goodwill. Instead, they turned me away, and frankly, I will probably never set foot in that branch again.

Consumer Infosec Tech is Hard – No Wonder So Many are Pwned

I’ve been a MacBook Pro user for close to fourteen years now, both at home and at work. At home, I write my many books and conduct supporting research on my personal MacBook Pro.

Since I’m an infosec professional, I’m aware of threats to macOS and associated components, so I run several security tools, among them Cylance, Malwarebytes, and Sophos. I use privacy-centric browsers and search tools.

Starting yesterday morning, my browser (Brave) started acting up quite badly: new pages simply would not load, and the browser would throw nonresponsive page errors left and right. I also use Firefox, which continued to function normally, Safari too, so I was pretty sure the problem was with Brave itself.

I cleared all cache and cookies, tried building a different profile in Brave, and even removed and reinstalled Brave. No go. I posted an entry in the Brave Community in the hope that someone else would recognize my problem in case I could not fix it. I am somewhat tied to Chromium-based browsers, but prefer not to use Google Chrome. SRWare Iron is an alternative, but they don’t update it frequently enough for my needs.

Since other browsers were working normally, I could dismiss my Internet connection, my local network, and DNS as possible culprits.

Next, I turned to my security tools. I had noticed that Cylance had been using about 90% of a CPU core for a few days, so that was my first object of study. I shut down Cylance, and immediately my Brave browser problem was solved. I turned Cylance back on, and the problem returned. Gotcha!

I removed and reinstalled Cylance, hoping that this would solve the problem. That was a few hours ago, and Brave is happy as a pig.

Retrospective: I cannot imagine ordinary consumers going through troubleshooting like this. My decades of daily hands-on software / network / systems / OS / security engineering on Unix and other OSes helped me zero in on this fairly quickly. I shudder to think that most consumers just turn security tools off when things stop working, and go unprotected thereafter.

The Breaches Will Continue

As I write this, it’s been one day since the latest LinkedIn breach hit the news. To summarize, about 92% of LinkedIn users’ information was leaked via LinkedIn’s API. LinkedIn officially denies that this is a breach, calling it a data scrape that violated the API’s terms of use. Interesting twist of terms. This reminds me of a former President who explained, “It depends upon what your definition of IS is.”

During my six years as a strategic cybersecurity consultant, I learned that most organizations do not take cybersecurity seriously. Breaches are things that happen to other companies, those with larger and more valuable troves of data.

Organizations, up to and including boards of directors, are locked in normalcy bias. No breach has occurred (that they are aware of), and therefore no breach will occur in the future. It is normalcy bias that is also responsible for the fact that most citizens fail to prepare for emergencies such as extended power outages, fires, floods, hurricanes, tornadoes, identity theft, serious illness, and so many other calamities. I’d be lying if I said that I’m immune to this: while we’re well prepared for some types of events, our preparedness could be far better in certain areas.

A fellow security leader once told me, “Cybersecurity is not important until it is.” Like in our personal lives, we don’t implement the safeguards until after being bitten. Whether it’s security cameras, better locks, bars on windows, bear spray, or better cyber defenses, it’s our nature to believe we’re not a target and that such safeguards are unnecessary. Until they are.

2021: The Summer of Unions and Reunions

Last summer, I started a new job as Senior Director of Cyber GRC for GCI Communications, an Alaska-based telecommunications company. Being a resident of central Washington State, this was to be a mostly WFH job with occasional (monthly-ish) travel to Anchorage and elsewhere to meet with GCI personnel and others.

image from tcsp360.com

The COVID-19 pandemic lockdown was in full swing when I was hired, and non-essential business travel was prohibited. So our days were consumed with video meetings on Teams and Zoom. I met and managed my team of 13 managers, analysts, and specialists, worked with my director, senior director, and VP peers, and was accustomed to full days of video conversations and a bit of time to do real work. And over the past year, I hired five additional team members (including two managers) via video calls. WFH and remote work were the only way.

This week, I met my security department leadership peers in person for the first time, the director of security architecture and planning, and the senior director of security operations. None of us had met in person before, ever. Later, our CISO joined us (our CISO had not met the secops leader in person either).

We spent two long days understanding each other’s departments better, and we spent a lot of time doing some strategic planning. We had bits of time telling stories, and there was plenty of laughter as well.

Meeting and working face-to-face is definitely better than WFH and Zoom meetings. I always knew it, but after 15 months of hunkering down, finally meeting some of my colleagues face to face was confirmation for me. Since the three of us live in three different states, we’ll spend most of our working time on video calls, but occasional in-person work is valuable and strengthens and improves work relationships.

I’m certain that thousands of you are having the same experience – as business travel and office work slowly return, you’re meeting many of your colleagues in person for the first time. Relish it.

My Writing Tools

As a professional writer for over twenty years, I have been using a small set of tools that helps me improve my writing. Whether I’m writing a new blog entry, commenting on a LinkedIn post, updating my resume, or writing the first draft of a new book, one or more tools help spot errors in my copy.

The primary tools at my disposal include these:

  • Microsoft Word. I’ve been using Microsoft Word since the mid-1980s when DOS and Word 1.0 fit on a 360k floppy disc with room left over for several documents. A few years ago, I considered stopping using Microsoft Word in favor of other word processors. However, Word is the mainstay of the major publishing houses (John Wiley, McGraw-Hill, Cengage Learning) with detailed requirements that include the use of customized template (.dot) files, Track Changes, and more. These features require that authors use Microsoft Word and nothing else. And to Microsoft’s credit, Word for Mac has improved significantly over the past couple of years.
  • Microsoft Word spell check. While I turn on real-time spell check, I generally just do batch spell checks on sections of chapters (or entire chapters) to correct spelling errors.
  • Microsoft Word grammar check. I used to use Microsoft Word grammar check, until I started using Grammarly a few years ago. Now I just keep the MS Word grammar checking turned off.
  • Grammarly Premium. I use Grammarly Premium as my primary grammar and readability tool. Grammarly Premium is integrated into Brave Browser, so it checks most of my browser-based writing such as email, short LinkedIn postings and comments, and most free-form text fields. Ironically, it does not (yet) work with WordPress, so as I write this, Grammarly is blind. Often I will copy my blog post directly into the Grammarly desktop tool, check my grammar there, and manually make corrections in my blog posting. The nice thing about Grammarly Premium is that it works on all of my devices, although in slightly different ways. A disadvantage of Grammarly is that it cannot process large chapter files; I have to copy large blocks of text (20-30 pages) into Grammarly manually and then transcribe my corrections into my manuscript.
  • ProWritingAid. This is the latest tool in my collection; I learned about it from Stephanie Newell. I have the ProWritingAid extension installed on the Brave Browser on my MacBook Pro. Interestingly, ProWritingAid checks my WordPress (Grammarly does not), and most other web-based input. It’s interesting to see Grammarly Premium and ProWritingAid working on the same text side by side.

Having recently watched a video by Stephanie Newell, I’m considering turning off real-time spell checking in Microsoft Word, as it may prove a distraction while I write. I do wonder, however, whether doing spell checking later might leave me puzzled on whether I’ll remember what I was thinking and if I will make the proper corrections. My Word spelling and grammar settings are shown below.

WFH Book for Employers and Employees: Lost Opportunity?

Short version: should I publish my “how to WFH for employers and employees” book, or has the opportunity passed me by?

Long version:

In 2001, I was on a task group for a large (50,000+ employees) employer to determine the corporate, technology, management, and cultural structure for changing thousands of office workers into work-from-home workers. This immersion in every aspect of work from home (WFH) enriched me in ways I would not understand for many years.

I became part-time WFH in 2005 and began living out the experiment on my own. The learning and planning we did a few years earlier proved to be pretty realistic, and I was able to apply those principles to my new situation.

A couple of years later, when the SARS and MERS epidemics threatened to go global, I was asked to write a pandemic response plan for my employer so that our corporate customers would have more comfort knowing we were prepared. We would be able to continue delivering services without sacrificing quality or security.

When news of COVID-19 began spreading in February 2020, I immediately recognized the signs that this could be a global pandemic and made specific preparations for my family. In addition, my employer started taking steps that were similar to the plan I made over a decade earlier.

On March 16-18, 2020, in response to the emerging pandemic, I wrote a fifty-page manuscript on working from home and adapting technology and corporate culture to make it work. Unfortunately, my employer did not permit me to publish this book, as it would undermine the advisory practice (despite my having accumulated this expertise before working for this company). As a result, my completed manuscript is still under wraps.

Recently I’ve returned to this completed manuscript and wonder today whether there would be any value in publishing it. The book treated a pandemic as a future event, so there would be changes in tense that would have to be fixed. And of course, thousands of organizations figured out on their own a lot of what my book tells readers to do.

Checkbox CPEs

Those of us with security certifications like CISSP, CISA, CISM, and others are acutely aware of the need to get those CPE hours completed each year. Typically, we’re required to accumulate 40 hours per year and to keep accurate records of learning events, along with evidence that we did indeed attend those events.

I was audited once, over a decade ago, and came up a bit short on my evidence. Since then, I’ve been meticulous in my recordkeeping and maintaining proof of attendance. But this piece is not about recordkeeping.

Are you finding your CPE events to check the box? Or are you pursuing new knowledge and skills?

I’ll tell you a secret: the certification organizations don’t know whether you are doing the minimum to check the box or pursuing knowledge with enthusiasm. They don’t ask, and they don’t care.

You should care, however, and the difference will show. If you are just checking the CPE box, you will not be learning much, and you’ll be a weaker contestant in the employment market. By not making a real effort to grow professionally, you’ll slowly fall behind. While you may be able to fake it for a while, your learning negligence will catch up to you, and it will take considerable time and effort to dig yourself out of the hole you slid into. Not only will you have to spend considerable time catching up on security topics, but you’ll also have to undo the habit of doing the minimum to slide by.

Controlling the WFH Genie

As we turn the corner in the COVID-19 pandemic, many companies are beginning to bring their workers back on site. This return to the workplace phenomenon is starting a conversation at the worker level, the company level, and in society as a whole.

Many companies have succeeded with the transition to WFH. It may have been awkward at first, but millions of workers have tasted a better quality of life without a commute, and without many other related costs of money and time. Many workers do not want to give up WFH, now that they’ve seen that they can be effective while working from home.

I’ve been part-time WFH for almost twenty years, but I’ve also had jobs where I was commuting three to four hours each day, so I’m intimately familiar with both ends of the spectrum, as well as the middle. I am working today for an Alaska-based company while living in Washington State, so I’m a living subject in the great WFH experiment. And in the nine months since starting this job, I’ve hired workers on my team who live in Idaho, Texas, Arizona, Washington, and, yes, Alaska.

For workers, WFH saves hard money on vehicle costs, mass transit, work wardrobe, and lunches out, but adds the expense of equipping and maintaining a home office. The soft benefits include recovered commute time and quality of life, but the trade-off is the ability to work in person with colleagues and develop better in-person relationships than can be built over video calls alone.

One can draw up a long list of WFH pros and cons. For most of 2020, we had no choice. But from now on, better organizations realize that WFH has many benefits:

  • Workers often put in more hours.
  • Organizations’ office space expenses are lower.
  • Employers can draw from a significantly larger labor pool when looking for new employees.
  • Existing staff have the freedom to relocate their families to other communities while keeping their same jobs.

Organizations unwilling to consider WFH workers will have a more difficult time finding qualified workers, as they will be drawing from a far smaller labor pool. Employers will have to pay more for people to work in the office to compensate for their additional time and hard expenses – AND employers will have the added cost of providing workspace for those workers they require to be on-site (and those workers who want to). Many workers will be willing to work for less if they can WFH as it is a fair exchange for a better quality of life.

One thing is for sure: the WFH genie will not be going back into the bottle. Ever.

Control Self-Assessment Advantages and Disadvantages

In my book, CISA Certified Information Systems Auditor All-In-One Exam Guide, control self-assessment is defined as follows:

“A methodology used by an organization to review key business objectives, risks, and controls. Control self-assessment is a self-regulation activity.”

Control self-assessment (CSA) is a tool used by internal audit, information security, and privacy professionals to better learn how internal controls are being operated. As the name implies, CSA consists of a directive sent to a control owner to ask him or her to answer specific questions about a particular control, and provide particular artifacts about the control to substantiate the answers to some of those questions.

While CSA can be conducted via e-mail, it is often a part of an integrated risk management (IRM) system, formerly known as a governance, risk, and compliance (GRC) system. An IRM can be used to collect information about controls and even score the results electronically.

Appropriately managed, CSA can extend the reach and visibility of internal audit activities, but it is not a silver bullet. I list some of the advantages and disadvantages of CSA here.

Advantages:

  • Saves time. More controls can be assessed in a given period, versus traditional walkthrough sessions that consume meeting time and may be difficult to schedule.
  • Extends visibility. Information about more controls can be obtained than through walkthrough sessions only.
  • Reinforces control ownership responsibility. By having control owners answer questions and provide artifacts on their own, CSA supports the concept that control owners are responsible for the effectiveness of their controls.
  • Digital record. Because CSA is usually performed electronically, it is not necessary to transcribe meeting notes.

Disadvantages:

  • Integrity. Because a control owner is answering questions and providing artifacts away from internal audit personnel, there may at times be a question of whether it was the control owner who answered the questions, and whether they altered any of the provided evidence.
  • Exploration. In a typical walkthrough, an internal auditor will ask follow-up questions based on responses to earlier questions. It can be exceedingly difficult to anticipate all possible responses to questions in a CSA questionnaire.
  • Body language. In an in-person walkthrough, an internal auditor will observe the body language of the control owner as a part of the overall assessment. Body language provides additional information that may help an internal auditor better understand where control weaknesses might exist.
  • Overburdening control owners. In an IRM (integrated risk management) system, it can be easy to “load up the CSA gun” and fire off numerous CSA assignments to control owners. Unlike in-person walkthroughs, which require a more equal time commitment between auditors and auditees, CSAs require little up-front time for internal audit. Internal auditors need to be cognizant that the effort to complete a CSA is asymmetrical: the control owner may have to spend considerable time answering questions and gathering artifacts.
  • Problem controls. A CSA should not be used alone for controls known to have problems. Controls with problems require deeper scrutiny in conversations that are difficult to script in a questionnaire.
  • Relationship. In-person control assessments help to establish and deepen relationships between internal auditors and control owners. Since they are purely digital, CSAs do little in this regard. As corporate functions, internal audit (and information security and privacy) need to establish collaborative relationships. Building a relationship on the assignment of digital tasks may hinder this effort.

Planned properly, control self-assessments can extend the reach and visibility of internal audit, information security, and privacy functions. However, because relationships with auditees are vital to the long-term success of these programs, CSA needs to be applied thoughtfully.

WFH’s Silver Lining

Twenty years ago, I was part of a task force at AT&T Wireless to study work-from-home from every aspect. The company had a goal of closing several office buildings across the U.S. to reduce costs. Our task force considered many perspectives, including:

  • Being a WFH employee
  • Managing WFH employees
  • Technology considerations
  • Security considerations
  • Corporate policy considerations
  • Workplace regulations

This experience equipped me with considerable insight that would prove valuable through much of my career. From the early 2000s, I was a part-time WFH employee, switching to full-time in 2014 when I joined Optiv Security. At GCI Communications, I continue to be full-time WFH.

Image courtesy CNBC.

I’ve seen companies struggle with the transition to WFH, both culturally and with the learning curve of videoconferencing technology and etiquette. For many of us at Optiv, WFH was just another workday. When I joined GCI in August 2020, WFH was in full swing, and the workforce had gotten over the initial bumps (there is no question that the pandemic has resulted in the unemployment of millions of people, causing widespread financial hardship).

For me, there is a silver lining for the pandemic-induced global WFH. During our videoconference meetings throughout the week, we experience more than just the work side of our colleagues:

  • Virtual backgrounds aside, we get a glimpse into their homes
  • Sometimes we’ll see what’s going on inside or outside
  • Young children sometimes appear, for a moment but sometimes longer
  • Cats, dogs, bunnies, and more are seen and/or heard
  • Spouses and other family members are sometimes seen and occasionally introduced and conversed with
  • Other sights and sounds, including leaf blowers, garbage trucks, sirens, deliveries, and more

Depending upon the formality of the culture and of individual meetings, these are not “interruptions.” Instead, I consider them as a window into the lives of my colleagues, with a potent reminder that we all have homes, families, and lives away from work.

Before the pandemic and before WFH, we could easily compartmentalize our lives into our work life and our home life, and often these remained separate. At work, we would primarily see the work side of each of our colleagues. The pandemic caused these worlds to collide, resulting in the blending of these formerly separate personas. It reminds me that we are all human.

How My Writing Became More Productive

I was working on my first book, Solaris Security, in 1998. I did most of my writing after dinner and after the kids were in bed, working around 9-11pm three or four nights each week. Most of the time, I’d write until I was head-bobbing and falling asleep mid-sentence. It was slow going.

Image courtesy Web Writer Spotlight

Several people at work knew I was writing this book. One day in the break room, my colleague Mike Cattolico asked me how writing was going. I replied that I was getting a little bit done each night until I was falling asleep. Mike replied, “Dude! You need to flip that schedule: get up early, like 4am, and skim the cream off the top.”

That made sense to me. The very next day, I took his advice and tried it out. After several days of getting up at 4am and writing for a couple of hours before the kids woke up, I found that my productivity skyrocketed. He was right!

For twenty years now, I’ve been writing in the early morning hours, as well as on Saturday mornings (and sometimes all day Saturday). Last year, I made another change and stopped writing on the weekends, essentially spending fewer hours each week writing. But with the experience I’ve gained writing dozens of books over two decades, I’m getting as much writing done on weekday mornings, and I now have my weekends free for other things.

Calm in the Face of Stress

My brain seems to be wired to produce metaphors for many of my experiences. This short story is one I’ll share.

I was on a particularly bumpy flight in a small turboprop aircraft. The turbulence was somewhere between moderate and severe. It was quiet in the cabin as everyone was just trying to cope. Seconds seemed like minutes.

I found that I was tightly gripping the armrests to brace myself against the aircraft’s numerous jerky movements, and I had tightened my seatbelt as tight as I could make it. I’m sure that my countenance was one of concern and dread. Gripping the armrests and trying to brace myself against the turbulence raised my stress levels, and I was becoming quite tense. I could feel the adrenaline surging through my muscles, and yet there was nothing I could do that would change the situation at all.

Then I had a moment of introspection: was all of this gripping and being tense making any difference? Was it helping in any way at all?

Realizing that my efforts to steady myself were doing more harm than good, I took a deep breath, loosened my seatbelt (a little), and let go of the armrests. Doing so felt like a step of faith.

The turbulence continued to toss the plane about. It was still quiet in the cabin. But I felt a change.

After several moments, despite the turbulence, I was more relaxed. The seconds didn’t seem so long, and my stress level decreased. A few times, my reflexes caused me to reach for the armrests when we hit big air pockets. To compensate, I crossed my arms to help resist the temptation to grip the armrests again.

Things got better still. I was able to close my eyes, and soon I was completely relaxed, despite the plane’s continuing to shake violently.

After the flight, I thought of the experience many times. I began to recall how, during difficult moments at work or home, I would try to hang on and maintain a grip on the situation to control it. Using what I learned on that turbulent flight, I began to be more relaxed, particularly in circumstances where I had little control to begin with. There’s no point in getting worked up in situations where one has little or no control.

I’ve long had the reputation of being the “cool and calm” one in a wide variety of situations, including some pretty scary experiences. The experience of that flight has helped me to up my serenity game still further. Does tensing up and gripping the safety handles really help?

My CISSP Journey, Part 7: Mentoring Others

In this series, I’ve described my experience with the CISSP, including studying for the exam, writing exam questions and books, and earning CPEs. In this final part, I describe my work in helping others learn about information security and earn the CISSP certification.

There are too few of us in the information security field. While I’m not going to argue the reasons or the size of the shortfall, each of us in the profession can do our part to ease the situation.

If you have the CISSP today, you are a role model to others who aspire to earn it someday independently. As a role model, others will see how you behave and conduct yourself according to the (ISC)² code of ethics. As I’ve said in my books, those of us in more senior positions in information security lead by example.

Image courtesy overlap (dot) net

We can help aspiring security professionals advance in many ways. Besides leading by example, we can take someone under our wing and mentor them as they try to discern their career direction and figure out how to achieve their goals.  We can organize or support a CISSP study group (something I’m doing at my place of employment today). We can teach a course on information security to those who want to pivot their career from IT into information security. We can help others study for the CISSP and help them understand the required concepts.

Over twenty years ago, my colleague Bob Maynard loaned me his personal notes for months (I did gratefully return them), and others answered questions on topics I was still learning. Go and do likewise: as one or more persons helped you earn your CISSP, make it a point to help others do the same.

Series recap:

Part 1: studying for and taking the exam

Part 2: writing CISSP exam questions.

Part 3: proctoring CISSP exams.

Part 4: writing a CISSP study guide.

Part 5: earning the CISA and other certifications.

Part 6: continuous education and CPE recordkeeping.

Part 7: mentoring others.

In terms of cybersecurity and ransomware, most organizations are anti-vaxxers

Prologue: There are many opinions and points of view with regard to the origin and nature of COVID, the response to the pandemic (or plandemic if you prefer), and vaccinations. I’m not here to express any opinion, but will borrow from these events as I briefly use vaccinations as a metaphor. And thanks to my former colleague Jason Popp for coining the phrase that I’m borrowing.

In a comment to a LinkedIn post about ransomware, Jason said, “If ransomware is a pandemic, then most organizations are anti-vaxxers.”

Brilliant.

I’ll state this another way: the tools and techniques for ransomware prevention have been around for decades. Decades. By and large, organizations hit with ransomware are not employing these techniques effectively, if at all. Implicitly, most organizations choose not to employ the safeguards that would prevent most ransomware attacks.

Why? Good question. Perhaps it’s normalcy bias. Or that cybersecurity is too expensive, or inconvenient to users, or that it’s too hard to find good cyber persons. Or, cybersecurity is a distraction from the organization’s mission (and ransomware isn’t?).

Ransomware presents several challenges beyond the outage itself. First, most companies that pay ransoms still don’t get all of their data back. And, more recently, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that paying a ransom to a sanctioned person or jurisdiction can violate U.S. sanctions regulations, and that the paying organization can be held liable even if it did not know who was on the other end.

The solution? Perform or commission a risk assessment. Hire cybersecurity professionals who know how to fix deficiencies and manage effective security governance, operations, and response.

Or, just stop using computers.

My CISSP Journey, Part 6: Earning and Recording CPEs

Like many professional certifications and designations, CISSP requires that certification holders complete a minimum number of continuing professional education (CPE) hours each year. This requirement makes sense to me, as the information security profession is still changing at a high rate. Were it not for this continuing education requirement, many who earn the CISSP and other certifications would quickly fall behind, and their certifications would become irrelevant.

Today, (ISC)² requires CISSP holders to earn 120 CPEs in each three-year cycle and no fewer than 20 CPEs in any individual year. So this is an average of 40 CPEs, or forty hours of training, annually.

Many of us are fortunate enough to attend one or two conferences each year, and alone this would effectively satisfy the 40-hour requirement. But not all of us are so lucky: the rest of us have to earn our CPEs an hour at a time.

In earlier years (before 2005, in my estimation), this was a challenge, but no more. Today, each year, there are scores of opportunities to attend vendor product demos and free instructional sessions from (ISC)², ISACA, and other associations.  There are so many that you can pick and choose those that are of greatest interest to you.

The dark side to CPEs, if there is one, is that we are required to keep precise records of our CPEs. I suggest you create a spreadsheet that lists, line by line, each CPE event that you attend. More than that: (ISC)², ISACA, and others require that you retain evidence of your training. Some events will email you a certificate of completion, and others will provide a certificate download capability at the conclusion of an event. Some do not provide anything at all, so I make it a point to take a few screenshots of the event.

Sample CPE Listing

(ISC)², ISACA, and other associations will randomly audit members’ CPE records to see whether they are truthful in their claims. I was audited by ISACA many years ago, and while I had a good listing of events that I attended, I did a poor job of retaining evidence. Still, I passed the audit because I did have evidence for at least some of the events I attended. The audit put the fear of God in me, and ever since that time, I meticulously obtain and retain evidence for every event I attend. As the published author of several security and privacy-related exam guides in which I stress the importance of good CPE recordkeeping, I doubt that (ISC)², ISACA, or any other organization would cut me any slack at all. And so it should be.
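As an added example that is not part of the original post, here is a small Python checker built around the spreadsheet approach described above. It takes a list of CPE records (constructed sample data, not real events), applies the rule as the post states it (120 CPEs per three-year cycle, no fewer than 20 in any single year), and flags every event for which no evidence was retained, which is exactly what an audit would catch. The record layout, the `CpeEntry` fields, and counting cycle years from the certification anniversary rather than the calendar year are my assumptions; check the thresholds against the current (ISC)² or ISACA CPE policy before relying on them.

```python
"""CPE recordkeeping checker (added example, not from the original post).

Assumptions (not stated on the page):
  - each record has a date, a number of CPE hours, a description, and an
    evidence reference (certificate file, screenshot path) or None;
  - a three-year cycle starts on the certification date and each cycle year
    runs anniversary to anniversary, not by calendar year.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

CYCLE_TOTAL = 120   # CPEs required per three-year cycle, as the post states
ANNUAL_MIN = 20     # CPEs required in any single cycle year, as the post states


@dataclass
class CpeEntry:
    when: date
    hours: float
    description: str
    evidence: Optional[str]  # None means nothing was retained for this event


def cycle_year(cycle_start: date, when: date) -> Optional[int]:
    """Return 1, 2 or 3 for the cycle year `when` falls in, None if outside."""
    if when < cycle_start:
        return None
    years = when.year - cycle_start.year
    # Not yet past this year's anniversary: still in the previous cycle year.
    if (when.month, when.day) < (cycle_start.month, cycle_start.day):
        years -= 1
    return years + 1 if years < 3 else None


def check_cycle(entries: List[CpeEntry], cycle_start: date) -> Dict:
    """Total hours per cycle year and list every finding an auditor would raise."""
    per_year: Dict[int, float] = {1: 0.0, 2: 0.0, 3: 0.0}
    missing_evidence: List[CpeEntry] = []
    for e in entries:
        y = cycle_year(cycle_start, e.when)
        if y is None:
            continue  # outside this cycle; belongs to a different report
        per_year[y] += e.hours
        if not e.evidence:
            missing_evidence.append(e)

    total = sum(per_year.values())
    findings: List[str] = []
    for y, h in per_year.items():
        if h < ANNUAL_MIN:
            findings.append(f"year {y}: {h:g} CPEs, below the {ANNUAL_MIN} minimum")
    if total < CYCLE_TOTAL:
        findings.append(f"cycle total {total:g} CPEs, short by {CYCLE_TOTAL - total:g}")
    for e in missing_evidence:
        findings.append(f"{e.when.isoformat()} '{e.description}': no evidence retained")
    return {"per_year": per_year, "total": total, "findings": findings}


# Constructed sample data: a cycle that began 2019-03-15.
CYCLE_START = date(2019, 3, 15)
SAMPLE_ENTRIES = [
    CpeEntry(date(2019, 4, 10), 8, "Vendor webinar series", "certs/webinar-2019.pdf"),
    CpeEntry(date(2019, 11, 2), 16, "ISACA chapter conference", "certs/isaca-2019.pdf"),
    CpeEntry(date(2020, 6, 20), 1, "(ISC)2 one-hour webinar", None),  # forgot the screenshot
    CpeEntry(date(2021, 2, 1), 3, "Product demo", "shots/demo-2021-02-01.png"),
    CpeEntry(date(2021, 9, 9), 40, "Security conference", "certs/conf-2021.pdf"),
    CpeEntry(date(2022, 5, 5), 2, "Webinar after cycle end", "certs/webinar-2022.pdf"),
]

if __name__ == "__main__":
    report = check_cycle(SAMPLE_ENTRIES, CYCLE_START)
    for y, h in report["per_year"].items():
        print(f"cycle year {y}: {h:g} CPEs")
    print(f"cycle total: {report['total']:g} CPEs")
    for f in report["findings"]:
        print("FINDING:", f)
```

Run on the sample, the checker counts 24, 4 and 40 CPEs in the three cycle years, ignores the event that falls after the cycle ends, and reports three findings: year two is under the annual minimum, the cycle is 52 CPEs short, and one webinar has no evidence on file.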

In Part 7: paying it forward.

My CISSP Journey, Part 5: Earning the CISA

In the first four parts of this series, I describe my preparation for the CISSP exam, writing exam questions, proctoring exams, and writing study guides for two different publishers. My CISSP journey took a second, parallel path when I had the opportunity to earn another certification.

I don’t remember now where I first heard of the CISA certification, but it had to be in 2001, early in the purely-security part of my career. CISA, or Certified Information Systems Auditor, is a certification from ISACA (then known as the Information Systems Audit and Control Association, but now simply known as ISACA). CISA was established in 1978, whereas CISSP is much younger, established in 1994.

My distinct impression in 2001 was that possessing the CISSP and CISA certifications together was a Golden Ticket in the information security industry. I was young and aspired to more significant roles in the business, so I pursued the CISA with vigor.

I am grateful that my employer purchased CISA study materials for me, which consisted of a large question bank, and extensive study materials.  While there is considerable overlap between the CISSP and CISA certifications in terms of the domains of required knowledge, I soon learned that the vocabulary of information security was far more extensive than portrayed by CISSP. I especially struggled with the terminology and practices of IS audit, having been audited but not having been an auditor. Still, I was determined to succeed.

I registered for and sat for the CISA exam in June 2002. The exam itself was every bit as difficult as the CISSP examination and was Scantron-based as well. It’s incredible how you can get a cramp in your hand filling in little bubbles, although I think this is in combination with the mental stress that accompanies it.

Like the CISSP exam, I thought I had failed, as the exam questions were tough. However, a month or so later, a letter came in the mail from ISACA that told me that I had passed!  I was over the moon and wore the twin monikers CISSP and CISA proudly.

A year later, ISACA released the new Certified Information Security Manager (CISM) certification, and I had an opportunity to earn it through ISACA’s grandfathering process. I thought to myself: I have the CISSP and CISA certifications; why do I need any more?  I did not pursue the CISM grandfathering opportunity, a decision I would later regret for almost a decade. I did, eventually, sit for and pass the CISM exam, by the way.

In later years, I would earn more certifications in other topics such as disaster recovery planning, cloud security, privacy, and cardholder security – some grandfathered, some with arduous study and exams.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

My CISSP Journey, Part 4: Writing a Study Guide

In the earlier parts of this series, I describe my experience preparing for and taking the CISSP exam, and later when I had an opportunity to write exam questions and proctor exams. In this part, I tell the story of my chance to write certification study materials.

In part 1 of this series, I mentioned that in the late 1990s there were no books available for CISSP self-study; instead, I borrowed a colleague’s binder from classroom training he had attended a few years earlier.

As today’s story begins, at this time, I had written three books: Solaris Security, Sun Certified System Administrator for Solaris 8 Study Guide, and Enterprise Information Security. In another part of the country, Wiley Publishing and an author were working on the first edition of CISSP For Dummies, a user-friendly study guide for the CISSP exam. The project was apparently behind schedule, and the acquisitions editor at the publishing company called me on the phone one day and asked if I’d be willing to help out.  We negotiated an agreement that survives to this day, in which I am co-author of CISSP For Dummies. Over the last nineteen years, we have published six editions of the book and will soon be working on the seventh edition.

The book covers all of the knowledge domains that a CISSP candidate is expected to know to pass the exam. I especially like the For Dummies style, as we write in a friendly, more casual style while still imparting the knowledge required.

Starting with the 5th edition published in 2016, CISSP For Dummies is the only CISSP study guide approved by (ISC)², and it says so prominently on the cover. This is an endorsement that is not included in any other CISSP study guide.

I genuinely felt like my writing career was going to be sustained, as I had by this time written major titles for three different publishers on two continents. Feeling like I was not writing up to my true potential, I hired a literary agent in 2006, who found more publishing opportunities for me. One of the first such opportunities was to write an academic study guide for the CISSP exam by a publisher that sells direct to colleges, universities, and vo-tech schools. In 2009, the first edition of CISSP Guide to Security Essentials was published. The instructor edition includes the book and explanations for the study questions in the book, along with a complete set of PowerPoint slides to be used for classroom or virtual classroom instruction.  CISSP Guide to Security Essentials was published in a second edition in 2015.

In Part 5: earning the CISA and other certifications.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.