Category Archives: Blog

“Art of Writing Technical Books” title added to Forbes Council Executive Library

One of my recent books, The Art of Writing Technical Books: The Tools, Techniques, and Lifestyle of a Published Author, is featured in Forbes Council’s Executive Library. The listing at Forbes can be found here:

https://councils.forbes.com/executive-library/executive-library-the-art-of-writing-technical-books-by-peter-gregory

Forbes Councils are elite, closed communities of business leaders in numerous industry categories. I am a member of the Forbes Technology Council, and a group leader for the Book Authors community within the Technology Council.

I’m pleased that Forbes decided to include The Art of Writing Technical Books in their library. The Forbes Technology Council has numerous published authors, and many more who aspire to be published, but aren’t certain how to get published. The process of becoming published is complex, and there are several trades involved. I wrote the book to help professionals navigate the entire process, from idea to promoting a book once it is published, and writing updated editions.

A Chromebook is likely the only laptop you need

“Google rocked the computer world in 2011 with the introduction of the Chromebook because there was nothing on the market quite like it. It was and still is an affordable laptop that offers an internet-centric platform. Today, more than 50 million Chromebooks are used in classrooms by teachers and students in blended learning environments that allow students to have unlimited access to educational resources. Chromebooks are also increasingly being used by businesses, remote workers, and digital nomads that need an inexpensive laptop that allows them to work from the office, home, or the nearest coffee shop. The Chromebook has evolved far from its humble beginnings and will likely be the only laptop you need.”

The preceding is the opening paragraph in Chapter 1 of the upcoming book, Chromebook For Dummies, 3rd edition.

The core statement here, that a Chromebook is likely the only laptop you need, rests on the security, simplicity, and utility of the Chromebook. Secure, because ChromeOS was designed from the outset for an always-connected Internet device, whereas Unix and Windows were designed before the Internet reached most users, in the dial-up era. Simple, because it is pared down to modern essentials. Useful, because in today’s online world, a browser-centric machine covers most of what people actually do.

Windows and Unix (Linux, macOS, and others) systems are highly complex and packed with features that 99% of end users will never use. Yet users pay a premium for more RAM and larger drives to store and run these complex operating systems when, 98% of the time, all we need is a browser. Most of us use only a browser when we use a laptop, so why purchase an expensive, feature-rich machine when a Chromebook, at a fraction of the cost, gets the same job done?

Cybersecurity Pros: Be Sure To Stay Relevant

The tech sector is experiencing layoffs in significant numbers – tens of thousands, perhaps even hundreds of thousands by now. I’m old enough to remember several recessions – this is all a normal part of the boom-bust business cycle.


Several tech industry articles cite that cybersecurity professionals are still in high demand.

If you are a cybersecurity professional, I caution you to avoid thinking you are layoff-proof: many cybersecurity professionals are losing their jobs. Instead, take an inventory of your skills and certifications, and identify any gaps that might make you a weak candidate if you find yourself in the job market. Even in our business, applicants are quite competitive, so I’d advise you to honestly appraise the effectiveness and visual appeal of your resume. Hire a resume coach if you need to. I don’t want to see you unprepared if you are caught in a layoff.

To help identify skills gaps, look at cybersecurity job listings on LinkedIn, Indeed, or whatever platform you prefer. Understand what skills and experience companies are looking for, and how you compare. There is no better time to be honest with yourself.

I’m speaking from experience: I’ve been laid off twice in my career. It hurts a lot, and it can be hard at times to keep a positive attitude. I’ve been through all of it. Don’t blame yourself if you are targeted for a reduction in force.

Peter H Gregory’s Study Guides Available For 2023 Top-Rated Certifications

Gregory’s best-selling books cover five of the top ten certifications ranked by salary

January 23, 2023

SEATTLE, Washington – Peter H Gregory’s best-selling certification study guides cover several of the highest-ranked certifications in the 2023 Salary Survey 75 list, including the #1 and #3 spots. Gregory’s books cover five of the top ten paying IT certifications, according to Certification Magazine, which just released its 2023 Salary Survey 75, the top 75 IT certifications ranked by U.S. salaries. The survey covered over 1,200 vendor and non-vendor certifications in IT, IT Security, and privacy.

The top certifications in the survey with best-selling study guides written by Peter H Gregory include:

“I am pleased that these certifications have made such a strong showing,” says Peter H Gregory, who has published over fifty books since 2000. “This success would not be possible, however, without strong support from McGraw-Hill Professional over the past thirteen years, beginning with the publication of the first edition of the CISA Certified Information Systems Auditor All-In-One Exam Guide.”

Gregory has written a total of sixteen titles for McGraw-Hill Professional since 2009, including CRISC Certified in Risk and Information Systems Control All-In-One Exam Guide, second edition, co-authored with Bobby Rogers and Dawn Dunkerley. Gregory’s other notable books include CISSP For Dummies (first published in 2002, now in its 7th edition), CISSP Guide to Security Essentials, second edition, The Art of Writing Technical Books, Chromebook For Dummies, and Solaris Security. “All of my published books have fueled my passion for helping IT professionals successfully pursue IT security and privacy careers,” Gregory adds. “The skills that my readers learn enable them to better understand how to protect their organizations’ sensitive information and critical systems.”

About Peter H Gregory

Peter H Gregory is a career information security and privacy leader. He is the author of over fifty books on information security and emerging technology. Visit him at peterhgregory.com.

For interviews with Peter H Gregory, please contact: peter.gregory [at] gmail.com

# # #

You are free to disseminate this news story. We request that you reference Peter H Gregory and include his web address, www.peterhgregory.com.

The WFH Book I Did Not Publish

In my tenure at McCaw Cellular Communications, later known as AT&T Wireless Services, I was placed on a task force in 2000 to study all aspects of working from home as a part of the company’s objective of shuttering numerous office buildings around the USA. We planned on identifying thousands of corporate workers who would work in their residences full-time, and developed a detailed plan on how to properly execute this vision from every conceivable perspective.

In this task force, we studied all aspects of WFH and had representatives from IT, Legal, HR, enterprise risk management (me), and others. The areas we explored deeply included:

  • Being a WFH employee – we identified the characteristics of a WFH employee, what it would take, what the employee needed where they live (a quiet and ideally dedicated space), whether they would be distracted, and whether they had the discipline to work an 8-hour day when many things begged for attention at home.
  • Managing WFH employees – we explored how managers would manage WFH employees, since there would be apparent differences, particularly if they lived so far from an office that they rarely came in for anything. We identified the need to manage employees by measuring work products and milestones, versus just showing up.
  • Being a WFH manager – we explored the concept of managers being WFH themselves, and how they would manage from their remote perspective.
  • Information Technology – we developed an architecture for communications – what equipment would need to be at home and how it would be remotely managed. This was in the era before cable modems and DSL. The web was still quite new, and many business applications were still client-server and not designed for large numbers of dial-up users. We also considered voice telephony in this architecture.
  • Security and Privacy – our planning considered both physical security (theft prevention, confidentiality of printed matter) and cybersecurity.
  • Workplace Safety – we explored employment law, company personnel policies, and other legal aspects of employees whose workplaces were also their residences.
  • Insurance – we considered company and personal homeowners’/renters’ insurance and attempted to discern the boundaries and the rules.

This project, interleaved with many others, took more than a year to complete. It proved to be valuable for me in the future.

We did this in the era before videoconferencing, or should I say “affordable” videoconferencing. Our organization had numerous room systems that were ridiculously expensive, and did not scale down to the individual worker economically.

I joined a B2B SaaS company in 2005 as the global thought leader in cybersecurity and physical security, and was 20% WFH. There were few WFH employees in this company, and my background in WFH helped me navigate it successfully.

Fast-forward four years: when the SARS and MERS outbreaks threatened to become global pandemics, our larger customers asked us what our pandemic contingency plan was and whether we were prepared to execute it if a pandemic occurred. I responded by leading the effort to build a pandemic contingency plan. Not surprisingly, it mirrored guidance developed later by the CDC and WHO. This, too, would be valuable for me later.

In 2015, I changed employers and was 100% WFH. I thrived in this environment and was fortunate to have a separate, dedicated space for both my day job and my writing career.

In late 2019, having been immersed in pandemic planning, I recognized the early signs of what would later be known as the COVID-19 pandemic. In four days, I wrote a book summarizing all I had learned in the prior two decades and prepared to publish it on March 18, 2020. It was to be called WFH: Succeeding With Remote Work Through a Focus on Technology and Culture.

My employer said no. My book would have cut into the company’s revenue, as the company was also advising firms’ preparation and response for the highly-anticipated pandemic. So, this book sits on an SSD on my laptop, unknown to the world. It’s no longer relevant today, as anyone could publish an all-perspectives WFH playbook by just looking around to see how everyone else has already done it.

This was not an entirely wasted effort. I’ve used material in the book to help my current employer (where I am a WFH director, managing WFH managers who manage WFH employees) and to ensure we all succeed. The effort also gave me the experience I would need in 2022 when I published The Art of Writing Technical Books: The Tools, Techniques, and Lifestyle of a Published Author.

Wisdom from a grieving parent to a grieving parent

Like many things in life, grief is a rite of passage. While unwelcome, it can be hard to avoid. Running away from it only prolongs its effects.

Someone I know (sorry, I cannot provide further details) lost a child to suicide recently. Every time I hear such news, particularly regarding those near me, my heart just aches.

I lost a child many years ago, my son Evan, who passed at age 3, due to heart illness. One of my older brothers, upon hearing this news, imparted wisdom to me, as he too had lost two young children. I have passed this on to others who are grieving, and it goes like this:

  1. It is okay to grieve, as you have experienced a profound loss.
  2. For days, weeks, and even months: you’ll experience flashbacks – memories of your child’s life and death. The flashbacks will “take over” your thoughts. This could be awkward at work, as you might even stop speaking and appear to just stare. These flashbacks will subside over time, in both intensity and frequency.
  3. Because of #2, you should be extra careful when driving and during other activities. Your thinking and reaction times may be impaired.
  4. The pain will ease, but not the memories. It hurts profoundly, but the pain slowly subsides. Do not fear that you will forget your child. As time progresses, you’ll still have your memories to treasure, and it will hurt less. For me, decades later, I still feel the pull of my heartstrings sometimes, but the sharpness of pain is behind me now.
  5. Do not feel guilt as your life moves on. You need to keep on living and get back into the routine of life. It’s what we all do. You will, in time, smile, laugh, and love again.
  6. If you cling too tightly to your child’s memories, you won’t be able to experience the gradual closure that you and others around you need. You do not need to enshrine your child, but neither do you need to completely remove them from your life. Find the middle ground.
  7. Don’t hate God. The reason for your loss may not be known to you for some time.

It’s also helpful to find someone who can relate to your loss, perhaps someone you know who has experienced a loss like your own.

I have learned through my own experiences that grieving is a process that one must travel through to the end. It cannot be bypassed, but if you refuse to grieve, you’ll be stuck in the grieving process and may have difficulty finding closure. Grieving is painful, but the pain does end. If you try to bypass the grief, you’ll find instead that it will stay with you, and you could find yourself in a serious state of depression.

I have benefited from help from mental health professionals, whether psychologists, psychiatrists, or marriage counselors. Consider these as expert guides who can help you through your grief journey.

You’ll know when you have completed the grieving process when you realize that you have begun to resume living. You’ll discover that grieving is not about forgetting, but about processing the grief and finding a way through it.

Cybersecurity New Year’s Resolutions

New Year’s is a great time to reboot your life habits, including diet, exercise, relationships, and more. To keep your systems safe and your personal information private, consider adopting one or more of the following New Year’s resolutions:

  • Use strong passwords – On each website and service you use, construct strong passwords consisting of lowercase and uppercase letters, numbers, and one or more special characters. Length matters more than the character mix: a long, randomly generated password or passphrase is far harder to guess than a short one that merely satisfies a complexity rule.
  • Use unique passwords – Use a different password for each service you use. This will help prevent a compromise of one service (where cybercriminals are able to obtain its users’ login credentials) from spreading to others.
  • Use a password manager – If you use strong, unique passwords, you’ll need a password manager such as Password Safe or KeePass to store them. I recommend you NOT use your browser to store passwords.
  • Use multi-factor authentication – When available, enable multi-factor authentication, whether by text message (SMS) or by an authenticator app such as Google Authenticator. Doing so will make it more difficult for criminals to break into your accounts. Authenticator apps and hardware security keys resist SIM swapping and SMS interception, so prefer them over SMS codes when a service offers the choice.
  • Install OS security patches – Configure your operating system (Windows, macOS, ChromeOS, iOS, Android, etc.) to automatically download and install security patches. This helps prevent criminals from compromising your device. When security patches are no longer available, you’ll need to upgrade your OS to keep your system safe.
  • Keep applications up to date – Configure your system to update all of the applications you use. This helps keep your system and your data safer by fixing security flaws that criminals can exploit.
  • Be wary of spam and phishing – Be wary of all incoming email, so that you can better spot scams and fraud. If someone you know has sent you a strange looking email, confirm by calling them (but not by replying, as the reply could go back to the fraudster who is trying to con you). Resist the temptation to click on “too good to be true” links and attachments.
  • Use a VPN – If you frequently go online at hotels, restaurants, airports, and other public places, install a VPN software package to help protect your network traffic from prying eyes. It can be surprisingly easy for cybercriminals to see your network traffic while on a public Wi-Fi network. Avoid free VPN services as they likely eavesdrop on your traffic.
  • Upgrade your home Wi-Fi router – If your home Wi-Fi router is more than four years old, chances are good that it has exploitable vulnerabilities that the manufacturer will not fix. These vulnerabilities can make it easy for criminals to take over control of your router, resulting in eavesdropping and routing your traffic through their systems to help them steal your data.
  • Move your home’s smart devices to your guest Wi-Fi – Often, smart devices are vulnerable to attack by cybercriminals. Some smart devices do more than they advertise, looking around on your network for other targets. Moving your smart devices to your guest network prevents them from accessing your computers and smartphones, provided your router isolates the guest network from the main network (most consumer routers do, but check that the setting is enabled).
  • Check your credit report – Cybercriminals are exceedingly good at identity theft. The best way to stay on top of this is to periodically check your credit report, and even to put a freeze on your credit to make it more difficult for criminals to open credit accounts in your name. Freezing your credit may be a minor inconvenience when you try to open a new account, but this is minor when compared to the inconvenience of having your identity stolen.
  • Place transaction alerts on all your credit and debit cards – Log in to your online banking and set up alerts (texting, email, or both) to notify you of every transaction. If any of your cards have been compromised, you’ll know it when you see transactions that you did not authorize.
  • Learn more about these and other kinds of risks – Visit the National Cybersecurity Alliance at www.staysafeonline.org to learn about more steps to protect your network, systems, and identity.
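The first three resolutions (strong, unique, stored in a manager) are easy to state and easy to get wrong in practice. As an added example that is not part of the original post, the Python below generates a password from the operating system’s cryptographic random source (the `secrets` module, not `random`), guarantees that every character class is present, estimates an upper bound on the entropy, and checks a constructed password vault for reuse. The `SPECIAL` character set, the 20-character default, and the sample vault are my own choices, not anything a particular password manager prescribes.

```python
import math
import secrets
import string
from typing import Dict, List

# Character classes named in the resolution: lower, upper, digits, specials.
# SPECIAL is an arbitrary choice for this example; sites differ in what they accept.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL


def generate_password(length: int = 20) -> str:
    """Return a password of `length` characters containing at least one
    character from each class, drawn from the OS CSPRNG via `secrets`.
    `random.choice` is deliberately not used: it is predictable."""
    if length < 4:
        raise ValueError("length must allow one character per class")
    # Guarantee one of each class, then fill the rest from the full alphabet.
    chars = [
        secrets.choice(LOWER),
        secrets.choice(UPPER),
        secrets.choice(DIGITS),
        secrets.choice(SPECIAL),
    ]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    # Shuffle with a CSPRNG-backed generator so the guaranteed characters
    # do not always occupy the first four positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def has_all_classes(pw: str) -> bool:
    """True when the password contains lower, upper, digit and special characters."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SPECIAL for c in pw))


def entropy_bits(pw: str) -> float:
    """Upper bound on entropy, assuming each character was drawn uniformly from
    the union of the classes present. A human-chosen password is weaker than
    this bound; a generated one reaches it."""
    pool = sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SPECIAL)
               if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def is_reused(pw: str, vault: Dict[str, str]) -> List[str]:
    """Return the services in `vault` already using `pw` (the 'unique password'
    check). `vault` maps service name to password; a constructed sample is
    used in the usage below, a real manager would hold this encrypted."""
    return [service for service, stored in vault.items() if stored == pw]


if __name__ == "__main__":
    sample_vault = {"bank": "Tr0ub4dor&3", "mail": "Tr0ub4dor&3", "shop": "correct-horse"}
    pw = generate_password()
    print(pw, round(entropy_bits(pw), 1), "bits")
    print("reused by:", is_reused("Tr0ub4dor&3", sample_vault))
```

A 20-character password drawn from this 86-symbol alphabet has roughly 128 bits of entropy, which is why a generated password of that length needs no further complexity rules; the class guarantee exists only to satisfy sites that insist on it.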

More phishing leaks into Gmail

I’ve been a Gmail user since its beginning in 2004. Unlike Yahoo! email, Gmail has historically done an exemplary job of blocking spam and phishing.

Until this year.

New forms of phishing are evading Google’s filters: the first is what I call the “invoice scam,” where the sender emails an attachment claiming to be an invoice. I surmise that either the attachment has malware embedded in it, or they are hoping that I will pay the invoice by sending money to who-knows-where.

Another form of phishing I’m seeing a lot (several each day) is emails in which the entire content of the message is a single image. The image claims to originate from a major retailer such as Home Depot, Ace Hardware, and others. I’m told that I have been selected to win a product of some sort. Like the invoice scam, I’m certain that clicking the image will take me to a credential-harvesting page, where I’ll be asked for login credentials or payment information. (This is not a watering-hole attack, which compromises a legitimate site its targets already visit; it is a lure to an attacker-controlled page.)

I don’t doubt that Google will figure out how to block these types of phishing messages. But the senders are not going to give up so easily. We must continue to be on our guard and practice these principles for handling incoming email:

  • Be wary of emails from people you don’t know.
  • Be wary of emails from people you DO know that are out of character.
  • Confirm the message through independent means (NOT a reply).
  • Do not be curious and click, just to see what happens next.

Crypto Purchase Scam

Over the past three weeks, I’ve received several invoices through PayPal for alleged purchases of cryptocurrency. One such invoice is shown here.

Recent PayPal invoice

I don’t have a PayPal account, and I have not been in contact with this seller, so my natural inclination is to consider this a scam.

The email actually originated at PayPal, per the SMTP and DKIM headers, and the View and Pay Invoice link actually goes to paypal.com. In other words, the scam uses PayPal’s own invoicing feature to deliver a request for a payment I never agreed to, so sender-authentication and link-destination checks alone will not flag it. The tell is the context: an unsolicited invoice from a service with which I hold no account.
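As an added example that is not part of this post or the preceding one, and not code from Google or PayPal, the Python below runs the checks both posts describe over three constructed sample messages: an image-only retailer “you have won” message, an invoice-attachment message, and a PayPal-originated invoice. Every address, hostname, subject line and Authentication-Results value in the samples is made up (the `INVOICE-ID` path segment is a placeholder), and `accounts_held` stands in for knowledge only the recipient has. The point it makes is the one above: the PayPal sample passes DKIM and SPF and links to paypal.com, so only the context rule flags it.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, Iterator, List, Set

# --- Constructed sample messages (not real mail), trimmed to the headers used. ---
IMAGE_ONLY_SCAM = """\
From: "Home Depot Rewards" <promo@example.net>
To: me@example.com
Subject: You have been selected!
Authentication-Results: mx.example.com; dkim=none; spf=fail smtp.mailfrom=example.net
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://example.net/claim"><img src="cid:banner"></a></body></html>
"""

INVOICE_SCAM = """\
From: Billing <billing@example.org>
To: me@example.com
Subject: Invoice #4471 overdue
Authentication-Results: mx.example.com; dkim=pass header.d=example.org; spf=pass
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please find your invoice attached.
--b1
Content-Type: application/pdf; name="invoice_4471.pdf"
Content-Disposition: attachment; filename="invoice_4471.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

PAYPAL_INVOICE = """\
From: PayPal <service@paypal.com>
To: me@example.com
Subject: Invoice from Crypto Seller for 0.5 BTC
Authentication-Results: mx.example.com; dkim=pass header.d=paypal.com; spf=pass smtp.mailfrom=paypal.com
Content-Type: text/html; charset="utf-8"

<html><body><p>You have an invoice for 0.5 BTC.</p>
<a href="https://www.paypal.com/invoice/p/INVOICE-ID">View and Pay Invoice</a></body></html>
"""


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def auth_results(msg: EmailMessage) -> Dict[str, str]:
    """dkim=/spf= verdicts from Authentication-Results. This header is written by
    the receiving MTA; trust it only if that MTA strips inbound copies."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(dkim|spf)=(\w+)", hdr)}


def sender_domain(msg: EmailMessage) -> str:
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def html_bodies(msg: EmailMessage) -> Iterator[str]:
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def link_hosts(html: str) -> List[str]:
    return [h.lower() for h in re.findall(r'href="https?://([^/"]+)', html)]


def attachment_names(msg: EmailMessage) -> List[str]:
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(raw: str, accounts_held: Set[str]) -> List[str]:
    """Return the reasons a message deserves suspicion. `accounts_held` is the set
    of sender domains the recipient actually does business with (constructed)."""
    msg = parse(raw)
    reasons: List[str] = []
    auth = auth_results(msg)
    if auth.get("dkim") != "pass" or auth.get("spf") != "pass":
        reasons.append("sender authentication did not pass")
    dom = sender_domain(msg)
    for html in html_bodies(msg):
        visible = re.sub(r"<[^>]+>", "", html).strip()
        if not visible and "<img" in html.lower():
            reasons.append("image-only body")          # the retailer lure
        for host in link_hosts(html):
            if not (host == dom or host.endswith("." + dom)):
                reasons.append(f"link to {host} does not match sender domain {dom}")
    if any("invoice" in name.lower() for name in attachment_names(msg)):
        reasons.append("invoice attachment")          # the invoice lure
    # Context rule: a genuine-looking invoice from a service you have no account
    # with is still a scam, even when every technical check passes.
    if "invoice" in msg.get("Subject", "").lower() and dom not in accounts_held:
        reasons.append("unsolicited invoice from a service with no account")
    return reasons


if __name__ == "__main__":
    for name, raw in [("image-only", IMAGE_ONLY_SCAM), ("invoice", INVOICE_SCAM),
                      ("paypal", PAYPAL_INVOICE)]:
        print(name, "->", triage(raw, accounts_held=set()))
```

Run against the PayPal sample, `auth_results` reports `dkim=pass` and `spf=pass` and the only link host is `www.paypal.com`, so the first three rules stay silent; the message is flagged solely because the recipient holds no PayPal account. Pass `{"paypal.com"}` as `accounts_held` and it is not flagged at all, which is exactly why this scam works on people who do have accounts: the remaining defence is to treat any invoice you did not expect as unsolicited until confirmed through independent means.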

Computer Glasses

I suffered from eyestrain from working on computers all day long, until my optometrist recommended computer glasses. I had not heard of them before, but could not work without them today.

Computer glasses are prescription eyeglasses with a specific strength at which the eyes are completely relaxed (as though looking at objects far, far away, which completely relaxes the muscles that shape the eye’s lens) when viewing objects about an arm’s length away, the typical distance to a monitor. Further, my computer glasses have a yellow tint that blocks excessive blue light, a further benefit that helps prevent cataracts, macular degeneration, and retina damage.

I also use the “night light” features on laptops, tablets, and smartphones that reduce blue light after hours. I used to purchase third-party software to do this, but modern OSes have this as a standard feature nowadays.

More info: https://safetygearpro.com/what-are-computer-glasses-and-how-do-they-work/ (not a product endorsement, but an informative article).

Are You Ready?

Social unrest. Inflation. Supply chain shortages. Earthquakes. Freak storms. Floods. Rampant crime. Wars and rumors of wars. Disease. Famine. Erosion of culture and social values.

It’s hard not to recognize that the world is going through some kind of distress. Its root cause is difficult to discern and may be invisible. But to many, it feels as though something big is about to happen, although what that something may be will depend on what you believe and who you ask.

Some of the possibilities being discussed include:

  • A drastic change in the global financial system with a significant impact on standards of living
  • A drastic change in global political systems with significant impact on personal freedom
  • A world war that includes the use of weapons of mass destruction
  • The sudden, inexplicable disappearance of a substantial portion of the world’s population
  • A pandemic with a high mortality rate
  • A dramatic appearance of UFOs and their occupants
  • An unexpected weather, geological, meteoric, or astronomical event that causes widespread damage over much of the world

Whatever it might be, it feels as though we should get our lives in order. What that means for each of us will vary, but at its core are our relationships with others.

Do not be afraid to dig deep into your memory, so that you may settle accounts with others. Do not delay.

Chance Meetings Are Not Chance Meetings

I was on a business flight between Seattle and Anchorage earlier today. In the days coming up to the flight, I was re-checking seat assignments to see if I could get something better than the premium cabin middle seat. This morning, before the flight, I saw an exit row seat in coach open up, and I decided to go for it as I knew I would want to work on a book I’m finishing up.

A man in the same row as me arrived and sat down. He had a C.S. Lewis book that I have not read, so I asked him if he liked it. He said that he did. I shared a couple of other C.S. Lewis titles that I have read over the years. As we talked a bit more, I shared that Lewis’ title, A Grief Observed, was a good read many years ago after my son passed away. The man told me that he had lost a son as well.

Three weeks ago.

My heart ached for him. I know this pain well. I imparted some of my own experiences and observations, along with the sage advice given to me by one of my half-brothers who lost two children. I told him that the memories will remain and the pain will slowly ebb.

Our conversation lasted but ten minutes.

You never know who you are going to run into or what opportunities will come your way to help others.

Cross-Country Road Trip

I’d thought of a cross-country road trip all of my adult life, but never thought I’d have the opportunity or take the time to do it.

That all changed in June, 2022, when we purchased a moderately rare vehicle from a private party in Rhode Island and drove it home to Washington State.

a brief road stop at Painted Canyon, North Dakota

The journey was moderately stressful, as this was a new-to-us 17-year-old complex machine, and a couple of minor things didn’t work right. And the trip was a bit of a dash. I would have preferred to do the trip in two weeks instead of one, and take the time to see some of the sights.

Still, we saw a ton of farmland, and from our vantage point realized again that America has vast agricultural resources that could feed the entire world. We live in the middle of farmland back home, so it was familiar to us, but there was so much of it to see along the little strip of land that was our journey’s path.

The entire trip – flying to Boston and driving back home, was nearly two weeks. It’s the longest stretch of vacation away from work I’ve had in decades. Unplugging from work was hugely valuable to me. As a type-A, I need to take more breaks, and am grateful for the opportunity to have done so.

My LinkedIn Connection Management Strategy

Spoiler: the mute connection feature is the most effective tool to improve your feed.

In the eighteen years since joining LinkedIn, I’ve adapted my connection management strategy. For the first 10-12 years, I would accept connection requests only from people I actually knew and, often, met once or more in person or by phone. That approach served me well.

In recent years, I shifted this slightly. Today, if an incoming connection is well known to one of my trusted connections, I’ll accept the request. Otherwise, I often reject them. I will reject incoming requests based on other criteria that I will not reveal here.

I generally reject requests from vendors, particularly if their tagline or their invite implies that they see me as a business prospect. I already receive too many vendor communications, and I know how to find vendors if and when I need them.

For those who are already connected to me, I will retain them as a connection, unless:

  • They do an excessive number of posts, re-posts, or likes. If my feed starts to look like their feed, I’ll most likely mute the connection. They will remain a connection, but I’ll no longer see their posts, comments, or likes.
  • They are overly political. Whether I agree with them or not, I’m here in LinkedIn for business, not for politics or social issues. Connection muted.
  • They are overly non-business. LinkedIn is not Facebook. Connections whose posts look more like Facebook are immediately muted.
  • They post clickbait.
  • They post those ridiculous questions, such as: Click Like if your first programming language was C; click Celebrate if your first programming language was Pascal; click Support if your first programming language was Fortran; click Love if your first programming language was Java.
  • They are abusive. No further comments needed.

I have found that these practices result in a really clean feed with little or no politics, cat pictures, and so on.

One thing about the Mute Connection feature. To my knowledge, LinkedIn does not provide a list of muted connections, nor do they show that a connection has been muted. That means that being muted is kind of a LinkedIn death penalty. You can be muted, but you can never leave.

The Real Reasons for the Infosec Skills Shortage

I’ve been in technology for more years than I’ll publicly admit, and I’ve been full-time infosec for 23 years now. In the past ten years, it’s been hard to escape the rallying cry of the skills shortage: organizations take weeks, months, and longer to fill infosec positions.

I’m going to tell you now why, in many cases, this so-called skills shortage exists.

We’re lazy.

Yes, we are lazy. We don’t want to take the time to find a motivated tech worker with a solid foundation and the right personality, and train them up on cybersecurity. Instead, we want only the finished product.

We all want unicorns.

Further, we want someone who has experience in all ten of the main preventive, detection, and response tools we use. I think we’d have better luck on Powerball.

We’re cheap.

If we are fortunate to find a candidate who checks all of the boxes, we probably can’t afford them. Unicorns are rare, and rare things are expensive.

There – I said it. Most of us fit into one or more of the above categories. Me included.

Modern Infosec is Older Than You

While researching a project I’m working on, I found an interesting publication, National Bureau of Standards (NBS, now NIST) Special Publication 500-19, Audit and Evaluation of Computer Security. This publication contains most of the principles found in modern infosec management and control frameworks today. Indeed, looking into the details, one finds discussions of static and dynamic evaluation of computer programs and numerous other familiar topics.

Here’s the punchline. This document was published in 1977. Forty-five years ago.

The next time someone complains to you about having to deal with these “new” cybersecurity standards and practices, you can remind them that these standards and practices are older than most living people in the world today.

Selected screenshots from the Table of Contents.

Source: U.S. National Institute of Standards and Technology legacy archive

The entire document is available from NIST here.

RTO Takes Some Adjusting

Chuck Nolan, after four years of WFH (source: Dreamworks Pictures)

Historically and collectively, the COVID-19 pandemic was one of the most impactful events in a generation. Entire industries were uprooted, resulting in significant shifts in how and where people live and work. The work-from-home (WFH) phenomenon was wrenching for some, welcome by others, and transformational for all. Workers and companies adjusted and continued to operate as best as they could, and WFH became the new normal for entire industries and professions.

Chuck Nolan readjusting to normal life (source: Dreamworks Pictures)

Return to the office (RTO) has been disruptive for companies and workers. Management in some organizations has insisted that personnel plan on working in offices part-time or full-time. We’ve seen the entire spectrum of compliance and non-compliance, and we’ve seen large organizations order a full- or part-time RTO and then backtrack when employees objected.

Workers are finding the transition from WFH to RTO nearly as disruptive in 2022 as WFH was in 2020. The routines established in WFH have become normal, routine, and comfortable. In many organizations, workers can choose whether to return to the office, continue to work from home, or adopt a hybrid arrangement.

WFH is probably here to stay. During the pandemic lockdown, many organizations began recruiting workers from wider geographic areas who live hundreds and even thousands of miles from workplaces. Organizations have discovered that they can compete for workers across larger areas. Workers have found that they can live almost anywhere and do their jobs effectively in full-time, permanent WFH arrangements.

It’s difficult to know whether a gradual shift back to in-office work will occur, or if work-from-home will be a permanent fixture in today’s workforce. Time will tell.

My Favorite Interview Question

I’ve hired dozens of analysts and engineers in my career, and have always enjoyed the interview process to get to know prospective team members. And I have been interviewed plenty of times myself, so I’m familiar with the pressure we’re under to be hyper-focused on interviewers’ questions and comments, what is said, what is not said, and body language. Being interviewed is a welcome challenge and an exhilarating experience – although terrifying at times.


I have realized that, when being interviewed, my hyper-focus may not be revealing the real me. So when I interview candidates, I have a favorite question that I like to ask near the end of the interview. For instance, if the candidate’s name is Charles, I would ask,

“Charles, in this meeting, we’ve seen a lot of what I like to call ‘interview Charles,’ who is highly focused on the conversation and exerting a lot of mental energy to be sure the conversation goes well. What I’d like to know is this: how is everyday Charles different from interview Charles?”

Over the years, I’ve seen a wide range of responses. This question has stumped a few candidates, meaning they may lack self-awareness. Or, they might feel like I’m trying to pierce a sacred veil, to go beyond the persona on display to the real person beneath. But this is precisely the point: interviewees are often nervous, and nervousness shows itself in various ways: they talk too much, too little, or they guard what they may feel are personality flaws so that I see only the highly professional, analytical thinker.

In an interview, we strive to show only our best side. As a result, we verbally redact a great deal about our personality – the human side of us. But that human side is exactly who we want to find and know. After all, there is a real prospect of working with this person every day for perhaps many years. We want to be sure we know who we are hiring and whether we will like working with them.

It’s Turtles All the Way Down

A mythological explanation of the world states that the flat earth rests on the back of a giant turtle, which itself rests on the back of an even larger turtle. That turtle rests on a still larger turtle, and so on, forever.

Third-party risk management is like the epistemological stack of world turtles: each organization obtains goods and services from yet other organizations, and so on with no apparent end. All organizations are at least partly dependent upon others for goods or services essential for delivering goods or services to their customers.

So, where does it all end? Depending upon the industry and the criticality of individual goods or services, third party risk management generally vets critical vendors, and determines whether those vendors have effective third party risk management programs.

We’re all in this together.

— excerpt from an upcoming book on information security management

The Criticality of Business Alignment for Information Security Programs

The need for an organization’s information security program to be business-aligned cannot be overstated. The lack of business alignment could be considered a program’s greatest failing if not corrected.

For the most part.

It is critical for an information security program to be aligned in terms of support of the organization’s overall goals, and to utilize existing mechanisms such as corporate governance and policy enforcement. However, if and where there is dysfunction in the organization in terms of culture (for instance, a casual attitude or checkbox approach towards security or privacy), the program may position itself deliberately out of phase with the organization to alter the culture and bring it to a better place. In another example, rather than be satisfied with what may be low organizational maturity, security program leaders may influence process maturity by example through the enactment of higher maturity processes and procedures.

As change agents, security leaders need to thoughtfully understand where alignment is beneficial and where influence is essential.

— excerpt from an upcoming book on information security management