
My Coffee Journey

[Image: Chemex urn (source: Wikipedia)]

My earliest memories of coffee are of my parents using their large Chemex coffee urn to brew coffee in “pour over” style.  I think they brewed 3-4 cups, and kept the coffee warm on their electric cooktop with a star-shaped wire thingy that kept the borosilicate glass from directly contacting the electric burners. In those days, I had little interest in coffee: I didn’t care for the smell, and it seemed to be one of those things adults liked that children did not.

Fast-forward to the early 1990s. I was in a new job at World Vision, helping them move their computer programs from old mainframe computers to new ones. They put a bunch of us in a class on network technology fundamentals. I had already mastered this knowledge but wanted to attend to know what my colleagues were being taught. I was hired as a technology mentor, familiar with the kinds of computers new to the organization.

The class was painfully dull, and I was literally head-bobbing. I recalled a coffee maker in the back of the room, and I thought that perhaps this magic potion would help me stay awake.

By my current standards, the coffee was terrible, but it did have the intended effect.

Later that year, I met a friend who liked to patronize Coffee Bean & Tea Leaf, a coffee shop chain in malls and airports. I found their mocha java coffee delightful with a healthy (?) dose of cream. My coffee senses were awakened.

For the next few years, I was drinking coffee at home with a lot of cream (or you might say, I was drinking cream with a bit of coffee). But as I came to love the taste of coffee, I gradually reduced the cream dose and switched to half-and-half, which I use to this day.

In the mid-1990s, I moved to Seattle and discovered Starbucks Coffee. I gravitated to their Café Mocha, and drank them daily for years.  My standard order became “double tall 175 degree non-fat mocha with whip,” which rolled off my tongue as easily as supercalifragilisticexpialidocious. But that was not the end.

My work situation changed, and my daily Starbucks mocha became my weekly Starbucks mocha. At the same time, I began to buy Starbucks Italian Roast coffee for brewing at home. This, too, would last for many years.

A few years ago, I decided to venture forth and try other brands of drip coffee. On a particular business trip, I was traveling through the Silicon Valley with a couple of colleagues one afternoon, when one of my colleagues asked, “who wants coffee?”  We stopped at a small Philz Coffee stand, where I ordered a cup of Ether blend coffee.  Philz is a pour-over coffeehouse, no espresso. And Philz makes the complete cup: if you want cream or sugar, they add it as they make it. Imagine my mild embarrassment when I ordered my coffee “with a little room,” to which they replied that they add all the fixings.

This cup of coffee was the best tasting coffee I had ever had in my life. Believing it to be the coffee itself, I bought two pounds on the spot and took them home. And indeed, this was delicious coffee, but it was not as good at home. Then I recalled that the brew method at Philz may have played a part. Remembering my parents’ Chemex coffee, I purchased a 3-cup Chemex coffee maker and soon mastered the art of pour-over.

I switched back to Starbucks Italian Roast for a while, but soon tried other brands, including Black Rifle Coffee, Peet’s, and others.

About two years ago, I was on a business trip to Marina Del Rey and was having breakfast on the restaurant patio. The server asked if I’d like some coffee. Again, this coffee was wonderful, among the best that I had ever tasted. I asked the server what kind it was; he wasn’t sure and went back to check. He brought back a large bag of Lavazza Intenso – a rich, dark blend that induced Handel’s Hallelujah Chorus in my brain with each sip. I sourced this myself, and a pound of Lavazza Intenso was waiting for me when I arrived home two days later. This is my daily coffee to this day.

I generally have two cups of Lavazza in the morning, and a cup of coffee in the afternoon. My afternoon coffee is locally produced, Blue Star Espresso Roast. This blend has some high notes absent from Lavazza and is a welcome afternoon flavor.  I make Blue Star with my Chemex using the standard method used for my morning coffee.

On business travel, I sometimes patronize Starbucks. But my sweet tooth has waned, and I rarely order a mocha. Instead, my choice is a cup of dark roast drip, to which I add a dash of half-and-half. Today, I patronize Starbucks less than one visit per month: I work from home full time and do not frequently travel, and the nearest Starbucks is 25 miles from my house.

Thankfulness is a choice

Thankfulness is a choice, and it is about perspective.

If you are not thankful, then perhaps you are not seeing the complete picture of your life.

Are you bitter about a job with pressure, deadlines, and quotas, or are you thankful that you have a job?  Are you bitter about family relationships, or are you thankful that you have a family? Are you bitter about your living situation, or are you thankful that you have a roof over your head? Are you bitter about your health, or are you thankful that you are alive another day?

Thankfulness, like gratitude, is a choice. Thankfulness should come through any circumstance, not just when things go your way.

Do you notice that one or more of your co-workers always seem to have a good attitude? I doubt it is because their life is perfect and everything for them is going great. Instead, I propose that they have simply decided to be thankful, regardless of their circumstances.

An old saying comes to mind as I write this: “I cried when I had no shoes, until I met a man who had no feet.”

Clean out your contact lists

I recently watched a video by Rob Braxman on the security of encrypted messaging apps like Signal and WhatsApp. In his video, Rob pointed out that many apps access our contact lists and build webs of associations. Even though the cryptography protecting message contents is generally effective, it may still be possible for law enforcement and intelligence agencies to learn the identities of a person’s connections.

Let’s dig deeper.

If a law enforcement agency considers you a person of interest, they may discover that you use encrypted messaging apps like Signal. While law enforcement will not be able to easily view the contents of your conversations, they will be able to see with whom you are conversing.

[Image courtesy Aussie Broadband]

Also, the appearance of using an encrypted messaging app could suggest that you have something to hide.

Let’s look at this from a different perspective. Consider an active law enforcement investigation focusing on a particular person. If you are in the person’s contact list, and if that person is known to be communicating with you on an encrypted service, then you may become another person of interest in the investigation.

I watched Rob’s video twice, and then I recalled something I see in Signal often: when someone in my contact list installs Signal, I get a notification from Signal that the contact is using the app. I recently noticed that I frequently do not recognize the contact’s name, and I dismiss the notification. I’ve had this occur dozens of times this year.

Then it hit me: I have been collecting contacts for decades, and they’re stored in multiple services (primarily, Yahoo and Google). In previous jobs, I’ve had associations with numerous clients, partners, vendors, co-workers, and other associates, resulting in an accumulation of thousands of contacts, most of whom I barely know.

Last week, I found it difficult to rationalize keeping all of these contacts and purged them. In Google alone, I had well over one thousand contacts. After spending time last weekend deleting extraneous contacts, I’m down to about three hundred, and I might go back through them and remove many more.

Encrypted apps and your association with contacts are not the only risks related to maintaining a long contact list. Another issue is this: if someone breaks into any of my services where I keep many contacts, I don’t want those people subjected to Joe Jobs and other attacks made possible through contact harvesting.

Until recently, I didn’t consider my accumulated contacts a liability, but I do now.

In my day job, one of my responsibilities includes leading numerous programs, including data governance, which includes data classification and data retention. And, having been a QSA for many years, the concepts of data-as-asset and data-as-liability are clear to me. For instance, retaining credit card data after a transaction has been completed may provide value to an organization. Still, it also presents a liability: if that stored card data is compromised, the consequences may significantly outweigh its benefit. Somehow, I didn’t apply this concept to personal contact data. Thanks again to Rob Braxman for nudging me to realize that contact data can be just as toxic as other forms of sensitive information.

Postscript: think about this in another way: would you want others you worked with in the past to remove you from their contact lists?

Backups – the apparently forgotten craft

At the dawn of my career, I worked in two different old-school computer mainframe operations organizations. We spent a considerable amount of time (I’m estimating 20%) doing backups. Sure, computers were a lot slower then, and we had a lot less data.

We did backups for a reason: things happen. All kinds of things, like hardware failures, software bugs, accidents, mistakes, small and large disasters, and more. I can recall numerous times when we had to recover individual files, complete databases, and ground-up (“bare metal”) recoveries to get things going again.

We didn’t wait for these scenarios to occur to see whether we could do any of these types of restores. We practiced, regularly. In one mainframe shop early in my career, we completely restored our OS every Sunday night. Okay, this was in part a storage defragmentation measure, and it was performed mainly for that purpose. However, we were still doing a bare metal restoration, precisely what we would do if our data center burned down and we had to recover our data and applications on a different system.

Was this exciting work? Certainly not.

Interesting? Not in the least.

Essential? Absolutely.

So what am I getting at here? Am I merely reminiscing about the good old days? Hardly.

I’m talking about ransomware. At times, it’s difficult for me to sympathize with the organizations that are victims of ransomware. It’s hard for me to rationalize why an organization would even remotely consider paying a ransom, particularly when the FBI reported that only about half of organizations were able to decrypt their data after paying the ransom. (Sorry, I cannot find the link to that advisory; I’ll keep looking and update this article when I find it.)

A survey by Kaspersky indicated some facts that shocked me:

  • 37 percent of respondents were unable to accurately define ransomware, let alone understand the damage it can deliver.
  • Of those survey respondents who suffered a ransomware attack, 40 percent said they would not know the immediate steps to take in response.

I’m amazed by these results. Do IT organizations no longer understand IT operations fundamentals that have been around for decades? I hate to sound harsh, but if this is the case, organizations deserve the consequences they experience when ransomware (or human error, or software bugs, etc.) strikes.

That said, I am acutely aware that it can be difficult to find good IT help these days. However, if an organization is crippled by ransomware, it has already gone “all-in” with information technology but neglected to implement common safeguards like data backup.
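The point of this post is that a backup only counts once you have practiced restoring from it. The following POSIX shell script is an added example, not code from the original post, showing a minimal, repeatable restore drill: it backs up a directory to a tar archive, records a checksum, verifies the archive, restores it into a scratch directory and compares the restored tree to the original. It also exercises the failure mode that matters most with ransomware and media faults, a silently corrupted archive, which the checksum step must catch. All paths, file names and sample data are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): a restore drill in POSIX sh.
# Backs up a directory, records a SHA-256 checksum, restores into a scratch
# directory and verifies the restored tree matches the original.
set -e

# Portable SHA-256 of one file (coreutils sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_backup SRC_DIR ARCHIVE
# Creates ARCHIVE from SRC_DIR and writes ARCHIVE.sha256 alongside it.
make_backup() {
    tar -C "$1" -cf "$2" .
    sha256_of "$2" > "$2.sha256"
}

# verify_archive ARCHIVE
# Returns 0 only if the archive still matches the checksum recorded at
# backup time; this is what detects silent corruption or tampering.
verify_archive() {
    recorded=$(cat "$1.sha256")
    actual=$(sha256_of "$1")
    [ "$recorded" = "$actual" ]
}

# restore_and_compare ARCHIVE SRC_DIR
# The actual practice restore: extract into a fresh scratch directory and
# compare every file against the original. Returns 0 only on an exact match.
restore_and_compare() {
    scratch=$(mktemp -d)
    tar -C "$scratch" -xf "$1"
    if diff -r "$2" "$scratch" >/dev/null; then
        rm -rf "$scratch"; return 0
    fi
    rm -rf "$scratch"; return 1
}

# drill: full backup/verify/restore cycle on constructed sample data, then a
# deliberate corruption that verify_archive must reject. Returns 0 on success.
drill() {
    work=$(mktemp -d)
    mkdir -p "$work/data/db"
    printf 'customer,balance\nalice,10\nbob,25\n' > "$work/data/db/accounts.csv"
    printf 'mode=prod\n' > "$work/data/app.conf"
    make_backup "$work/data" "$work/backup.tar"
    verify_archive "$work/backup.tar" || { rm -rf "$work"; return 1; }
    restore_and_compare "$work/backup.tar" "$work/data" || { rm -rf "$work"; return 1; }
    # Simulated failure mode: append a byte to the archive (constructed corruption).
    printf 'X' >> "$work/backup.tar"
    if verify_archive "$work/backup.tar"; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}

if drill; then
    echo "restore drill passed"
else
    echo "restore drill FAILED" >&2
fi
```

In a real environment the drill would run on a schedule against the production backup set, restoring into an isolated host rather than a scratch directory, and the checksum file would be stored separately from the archive so that whatever damages one cannot silently rewrite the other.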

[Image courtesy recordnations.com]

The CIA Triad is Dead

For decades, those in cybersecurity were fed the doctrine of CIA: Confidentiality, Integrity, and Availability – the pillars or foundational principles of information security. Advances and changes in information technology have rendered the CIA triad obsolete.

For many years, information technology has been used in numerous applications where life safety is a major concern. Examples include:

  • Patient health monitoring
  • Patient medication delivery (e.g., IV pumps)
  • Robotic surgery
  • Autonomous vehicles
  • Autopilots
  • Domestic robots

You can probably add more examples to the above list.

The former CIA Triad should give way to the CIAS pyramid: confidentiality, integrity, availability, and life safety. I first argued for this in my book, CISSP For Dummies, 5th edition (2016), on page 37, as well as in CISM Certified Information Security Manager All-In-One Exam Guide (2018) on page 382, where I argued for confidentiality, integrity, availability, and life safety as the foundational principles.

As a simple model and a reminder of foundational principles, the CIA triad has served us well. However, as a foundational principle, the CIA triad now falls short, because arguably the most critical aspect, when applicable, is safety and life safety.

CISOs are not risk owners

Many organizations have implicitly adopted the mistaken notion that the chief information security officer (CISO) is the de facto risk owner for all identified cyber risk matters.

In a properly run risk management program, risk owners are business unit leaders and department heads who own the business activity where a risk has been identified. For instance, if a risk is identified regarding the long-term storage of full credit card numbers in an e-commerce environment, the risk owner would be the executive who runs the e-commerce function. That executive would decide to mitigate, avoid, transfer, or accept that risk.

The role of the CISO is to operate the risk management program and facilitate discussions and risk treatment decisions, but not make those risk treatment decisions. A CISO can be considered a risk facilitator, but not a risk owner.

Even when embraced and practiced, this concept does not always stop an organization from sacking the CISO should a breach occur. A dismissal might even be appropriate, for example, if the risk management program that the CISO operated was not performing as expected.

— excerpt from CRISC Certified in Risk and Information Systems Control™ All-In-One Exam Guide, 2nd edition.

Peter H. Gregory accepted into Forbes Technology Council

Forbes Technology Council Is an Invitation-Only Community for World-Class CIOs, CTOs, and Technology Executives.

Seattle (September 2, 2021) — Peter H. Gregory, career security professional and best-selling author, has been accepted into Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs, and technology executives.

Gregory was vetted and selected by a review committee based on the depth and diversity of his experience. Criteria for acceptance include a track record of successfully impacting business growth metrics, as well as personal and professional achievements and honors.

“We are honored to welcome Peter H. Gregory into the community,” said Scott Gerber, founder of Forbes Councils, the collective that includes Forbes Technology Council. “Our mission with Forbes Councils is to bring together proven leaders from every industry, creating a curated, social capital-driven network that helps every member grow professionally and make an even greater impact on the business world.”

As an accepted member of the Council, Peter H. Gregory has access to a variety of exclusive opportunities designed to help him reach peak professional influence. He will connect and collaborate with other respected local leaders in a private forum. Peter will also be invited to work with a professional editorial team to share his expert insights in original business articles on Forbes.com, and to contribute to published Q&A panels alongside other experts.

Finally, Gregory will benefit from exclusive access to vetted business service partners, membership-branded marketing collateral, and the high-touch support of the Forbes Councils member concierge team.

“I’m thrilled to be a member of the Forbes Technology Council,” states Gregory. “While the opportunity to learn from my Council peers is sure to help my career, I hope to begin giving back to the community as soon as possible.”

ABOUT FORBES COUNCILS

Forbes Councils is a collective of invitation-only communities created in partnership with Forbes and the expert community builders who founded Young Entrepreneur Council (YEC). In Forbes Councils, exceptional business owners and leaders come together with the people and resources that can help them thrive.

For more information about Forbes Technology Council, visit forbestechcouncil.com. To learn more about Forbes Councils, visit forbescouncils.com.

ABOUT PETER H. GREGORY

For more information about Peter H. Gregory, visit www.peterhgregory.com.

His Forbes Technology Council profile can be viewed at https://bit.ly/3n23zYD or at https://profiles.forbes.com/members/tech/profile/Peter-Gregory-Senior-Director-Cyber-GRC-GCI-Communications/50c6ac2f-7c83-4512-8082-2e2d60acfe4f

WFH Workers: What’s your Power and Internet DR Plan?

When we all worked in corporate offices, our enterprises (if they were large enough) developed DR plans for power and Internet connectivity, enough that it took a significant event to take a workforce offline. Through economy of scale, workers were all covered by DR plans for power, Internet, and environmental controls, resulting in a decent level of resilience.

[Image: APC UPS for laptop and WiFi]

But now that many of us are home, our DR is not what it should be. In our home offices, we lack multiple ISP and power feeds. In almost every respect, our critical infrastructure at home (power, Internet, environmentals) is N+0: if our power goes out, or our Internet goes out, or if our heat or A/C goes out, there are probably no backup systems.

We are each responsible for our own DR in our home offices. If we want resilient power, we need a UPS and/or a generator. If we want resilient Internet, we have to have a fallback plan. If we want resilient heat or A/C, we must have another source of heating or cooling.

We live in the country, where there’s no landline, no cable, and no fiber. We’ve lived in WA for decades, and are accustomed to extended power outages due to severe weather events. For us, Internet outages are infrequent, but they happen, particularly at harvest time when farm equipment parks in front of our fixed wireless antenna, or when our local ISP is doing maintenance on network elements such as patching routers.

[Image: Fixed Wireless Internet Antenna]

Here are the details of my primary and backup plans:

Resource  | Primary                              | Backup
Internet  | Fixed Wireless WiFi (12Mbps/12Mbps)  | iPhone tethering (3Mbps/3Mbps)
Power     | Utility Power                        | Cyberpower UPS for Internet POE (5 hrs)
          |                                      | APC UPS for WiFi and Laptop Computer (6 hrs)
          |                                      | Honda EU2200 Generator
          |                                      | Future: 10 circuit transfer switch + larger generator + EMP circuit protection

Our utility power does go out from time to time. Since moving to our present home in mid-2020, we have had one outage lasting ~30 hours, and three outages lasting 1-3 hours. In the more prolonged outage, we fired up our larger generator (not pictured) to run our freezers and charge the UPSs.

Our source of water is a well that is on our property. When the power goes out, we have no water. For this reason, we have purchased a transfer switch that can enable us to run our well using our larger generator (I doubt that the little Honda can power it).

[Image: Gas generator]

All of these measures have given me confidence that we will have power and Internet for short-term outages. For longer-term outages, the larger generator and transfer switch will enable us to run water and remain in our home for as long as we have generator fuel.

Since I do not work in a corporate office in a commercial building, I must implement my own resilience strategy. No one else is going to do it for me.

[Image: Smartphone WiFi hotspot]

From a cybersecurity perspective, I’m pretty confident in our setup, but I’m not going to go into details here. We have a commercial NG-Firewall protecting our entire network, advanced anti-malware, secure DNS from cleanbrowsing.org, and other safeguards.

Blameshifting is not a good defense strategy

Today, in my newsfeed, two stories about breaches caught my attention.

In this first story, a class-action lawsuit is filed against Waste Management for failing to protect PII in the trash.

In the second story, a South Africa port operator declares force majeure as a result of a security breach, in essence declaring that nothing could have been done to prevent the breach.

In both of these situations, the victim organizations attempt to shift the blame for the failure to protect sensitive information onto others. Those of us in the profession have seen victim companies do this in the past, and it generally does not work out well.

Back to the Waste Management story. Here, I argue that when an organization places something in dumpsters, they should take steps to ensure that no recoverable information is discarded. Unless the business arrangement between companies and Waste Management is more akin to secure document shredding by companies like Shred-It, I assert that the garbage company has no obligation to protect anything of value placed in the trash.

On to the South Africa port operator. Declaring force majeure as a result of a security breach is an interesting tactic. In my opinion (note that I am not a lawyer and have had no formal law education), this strategy will backfire. There are numerous examples of organizations that successfully defend themselves against attacks like this. Granted, these attacks are a global plague, and defense – while challenging – is absolutely possible.

Disruption of branch banking is of their own making

An experience late last week was an epiphany for me.

While managing the financial affairs of a relative, I needed to get a one-page document notarized. I live in a small town, where there are only two or three local bank branches.

One of the branches is K** Bank. On their website, K** Bank makes available the capability of making an appointment at a nearby branch. I filled in the appointment form, including the specific nature of the visit. Another relative who was visiting a few weeks ago got a document notarized there, so I knew that this branch of K** Bank had a notary.

I showed up, was greeted by branch staff, and invited to have a seat while someone came to assist me. Soon, another branch employee came over and said she was ready. I presented my document and my photo ID. The employee asked for my K** Bank account number, and I replied that I was not a customer. She replied that Key Bank only notarizes documents for customers. When I asked whether K** Bank would notarize my one-page document for a fee, the answer was, no, sorry. The branch was not busy: there were six employees in the branch, and I saw one or two customers come and go in the ten minutes that I was there.

I left and drove two blocks to the town’s professional building, where a lawyer, an accountant, a marriage counselor, and a financial advisor have small offices. I poked my head into the CPA’s office and asked, do you know of a notary here in town? The CPA got up, greeted me, and took me across the hall to the financial advisor’s office, where she introduced me to an independent financial advisor. He gladly took a couple of minutes to notarize my document. He refused to accept a fee. Since he was conversational and polite, I asked him about his business, asked for some business cards, and may have some business to refer to him.

Branch banking is going the way of the bookstore. Key Bank had an excellent opportunity to take a few minutes to meet a new potential customer by showing a bit of goodwill. Instead, they turned me away, and frankly, I will probably never set foot in that branch again.

Consumer Infosec Tech is Hard – No Wonder So Many are Pwned

I’ve been a MacBook Pro user for close to fourteen years now, both at home and at work. At home, I write my many books and conduct supporting research on my personal MacBook Pro.

Since I’m an infosec professional, I’m aware of threats to MacOS and associated components, so I run several security tools, among them Cylance, Malwarebytes, and Sophos. I use privacy-centric browsers and search tools.

Starting yesterday morning, my browser (Brave) started acting up quite badly: new pages simply would not load, and the browser would throw nonresponsive page errors left and right. I also use Firefox, which continued to function normally, Safari too, so I was pretty sure the problem was with Brave itself.

I cleared all cache and cookies, tried building a different profile in Brave, and even removed and reinstalled Brave. No go. I posted an entry in the Brave Community in the hopes that someone else would recognize my problem in case I could not fix it. I am somewhat tied to Chromium-based browsers, but prefer not to use Google Chrome. SRware Iron is an alternative, but they don’t update it frequently enough for my needs.

Since other browsers were working normally, I could dismiss my Internet connection, my local network, and DNS as possible culprits.

Next, I turned to my security tools. I had noticed that Cylance had been using about 90% of a CPU core for a few days, so that was my first object of study. I shut down Cylance, and immediately my Brave browser problem was solved. I turned Cylance back on, and the problem returned. Gotcha!

I removed and reinstalled Cylance, hoping that this would solve the problem. That was a few hours ago, and Brave is happy as a pig.

Retrospective: I cannot imagine ordinary consumers going through troubleshooting like this. My decades of daily hands-on software / network / systems / OS / security engineering on Unix and other OSes helped me zero in on this fairly quickly. I shudder to think that most consumers just turn security tools off when things stop working, and go unprotected thereafter.

The Breaches Will Continue

As I write this, it’s been one day since news of the latest LinkedIn breach hit the news. To summarize, about 92% of LinkedIn users’ information was leaked via LinkedIn’s API. LinkedIn is officially denying that this is a breach, calling it instead a data scrape that violated the API’s terms of use. Interesting twist of terms. This reminds me of a former President who explained, “It depends upon what your definition of IS is.”

During my six years as a strategic cybersecurity consultant, I learned that most organizations do not take cybersecurity seriously. Breaches are things that happen to other companies, those with larger and more valuable troves of data.

Organizations, up to and including boards of directors, are locked in normalcy bias. No breach has occurred (that they are aware of), and therefore no breach will occur in the future. It is normalcy bias that is also responsible for the fact that most citizens fail to prepare for emergencies such as extended power outages, fires, floods, hurricanes, tornadoes, identity theft, serious illness, and so many other calamities. I’d be lying if I said that I’m immune to this: while we’re well prepared for some types of events, our preparedness could be far better in certain areas.

A fellow security leader once told me, “Cybersecurity is not important until it is.” Like in our personal lives, we don’t implement the safeguards until after being bitten. Whether it’s security cameras, better locks, bars on windows, bear spray, or better cyber defenses, it’s our nature to believe we’re not a target and that such safeguards are unnecessary. Until they are.

2021: The Summer of Unions and Reunions

Last summer, I started a new job as Senior Director of Cyber GRC for GCI Communications, an Alaska-based telecommunications company. Being a resident of central Washington State, this was to be a mostly WFH job with occasional (monthly-ish) travel to Anchorage and elsewhere to meet with GCI personnel and others.

[Image from tcsp360.com]

The COVID-19 pandemic lockdown was in full swing when I was hired, and non-essential business travel was prohibited. So our days were consumed with video meetings on Teams and Zoom. I met and managed my team of 13 managers, analysts, and specialists, worked with my director, senior director, and VP peers, and was accustomed to full days of video conversations and a bit of time to do real work. And over the past year, I hired five additional team members (including two managers) via video calls. WFH and remote work were the only way.

This week, I met my security department leadership peers in person for the first time, the director of security architecture and planning, and the senior director of security operations. None of us had met in person before, ever. Later, our CISO joined us (our CISO had not met the secops leader in person either).

We spent two long days understanding each others’ departments better, and we spent a lot of time doing some strategic planning. We had bits of time telling stories, and there was plenty of laughter as well.

Meeting and working face-to-face is definitely better than WFH and Zoom meetings. I always knew it, but after 15 months of hunkering down, finally meeting some of my colleagues face to face was confirmation for me. While the three of us live in three different states, we’ll spend most of our working time on video calls, but occasional in-person work is valuable and strengthens and improves work relationships.

I’m certain that thousands of you are having the same experience – as business travel and office work slowly return, you’re meeting many of your colleagues in person for the first time. Relish it.

My Writing Tools

As a professional writer for over twenty years, I have been using a small set of tools that help me improve my writing. Whether I’m writing a new blog entry, commenting on a LinkedIn post, updating my resume, or writing the first draft of a new book, one or more tools help spot errors in my copy.

The primary tools at my disposal include these:

  • Microsoft Word. I’ve been using Microsoft Word since the mid-1980s when DOS and Word 1.0 fit on a 360k floppy disc with room left over for several documents. A few years ago, I considered stopping using Microsoft Word in favor of other word processors. However, Word is the mainstay of the major publishing houses (John Wiley, McGraw-Hill, Cengage Learning) with detailed requirements that include the use of customized template (.dot) files, Track Changes, and more. These features require that authors use Microsoft Word and nothing else. And to Microsoft’s credit, Word for Mac has improved significantly over the past couple of years.
  • Microsoft Word spell check. While I turn on real-time spell check, I generally just do batch spell checks on sections of chapters (or entire chapters) to correct spelling errors.
  • Microsoft Word grammar check. I used to use Microsoft Word grammar check, until I started using Grammarly a few years ago. Now I just keep the MS Word grammar checking turned off.
  • Grammarly Premium. I use Grammarly Premium as my primary grammar and readability tool. Grammarly Premium is integrated into Brave Browser, so it checks most of my browser-based writing such as email, short LinkedIn postings and comments, and most free-form text fields. Ironically, it does not (yet) work with WordPress, so as I write this, Grammarly is blind. Often I will copy my blog post directly into the Grammarly desktop tool, check my grammar there, and manually make corrections in my blog posting. The nice thing about Grammarly Premium is that it works on all of my devices, although in slightly different ways. A disadvantage of Grammarly is that it cannot process large chapter files; I have to manually copy large blocks of text (20-30 pages) into Grammarly and then transcribe my corrections into my manuscript.
  • ProWritingAid. This is the latest tool in my collection, having learned about it from Stephanie Newell. I have the ProWritingAid extension installed on the Brave Browser on my MacBook Pro. Interestingly, ProWritingAid checks my WordPress (Grammarly does not), and most other web-based input. It’s interesting to see Grammarly Premium and ProWritingAid working on the same text side by side.

Having recently watched a video by Stephanie Newell, I’m considering turning off real-time spell checking in Microsoft Word, as it may prove a distraction while I write. I do wonder, however, whether doing spell checking later might leave me puzzled on whether I’ll remember what I was thinking and if I will make the proper corrections. My Word spelling and grammar settings are shown below.

WFH Book for Employers and Employees: Lost Opportunity?

Short version: should I publish my “how to WFH for employers and employees” book, or has the opportunity passed me by?

Long version:

In 2001, I was on a task group for a large (50,000+ employees) employer to determine the corporate, technology, management, and cultural structure for changing thousands of office workers into work-from-home workers. This immersion in every aspect of work from home (WFH) enriched me in ways I would not understand for many years.

I became part-time WFH in 2005 and began living out the experiment on my own. The learning and planning we did a few years earlier proved to be pretty realistic, and I was able to apply those principles to my new situation.

A couple of years later, when the SARS and MERS epidemics threatened to go global, I was asked to write a pandemic response plan for my employer so that our corporate customers would have more comfort knowing we were prepared. We would be able to continue delivering services without sacrificing quality or security.

When news of COVID-19 began spreading in February 2020, I immediately recognized the signs that this could be a global pandemic and made specific preparations for my family. In addition, my employer started taking steps that were similar to the plan I made over a decade earlier.

On March 16-18, 2020, in response to the emerging pandemic, I wrote a fifty-page manuscript on working from home and adapting technology and corporate culture to make it work. Unfortunately, my employer did not permit me to publish this book, as it would undermine the advisory practice (despite my having accumulated this expertise before working for this company). As a result, my completed manuscript is still under wraps.

Recently I’ve returned to this completed manuscript and wonder today whether there would be any value in publishing it. The book treated a pandemic as a future event, so there would be changes in tense that would have to be fixed. And of course, thousands of organizations figured out on their own a lot of what my book tells readers to do.

Checkbox CPEs

Those of us with security certifications like CISSP, CISA, CISM, and others are acutely aware of the need to get those CPE hours completed each year. Typically, we’re required to accumulate 40 hours per year and to keep accurate records of learning events, along with evidence that we did indeed attend those events.

I was audited once, over a decade ago, and came up a bit short on my evidence. Since then, I’ve been meticulous in my recordkeeping and maintaining proof of attendance. But this piece is not about recordkeeping.

Are you finding your CPE events to check the box? Or are you pursuing new knowledge and skills?

I’ll tell you a secret: the certification organizations don’t know whether you are doing the minimum to check the box or pursuing knowledge with enthusiasm. They don’t ask, and they don’t care.

You should care, however, and the difference will show. If you are just checking the CPE box, you will not be learning much, and you’ll be a weaker contestant in the employment market. By not making a real effort to grow professionally, you’ll slowly fall behind. While you may be able to fake it for a while, your learning negligence will catch up to you, and it will take considerable time and effort to dig yourself out of the hole you slid into. Not only will you have to spend considerable time catching up on security topics, but you’ll also have to undo the habit of doing the minimum to slide by.

Controlling the WFH Genie

As we turn the corner in the COVID-19 pandemic, many companies are beginning to bring their workers back on site. This return to the workplace phenomenon is starting a conversation at the worker level, the company level, and in society as a whole.

Many companies have succeeded with the transition to WFH. It may have been awkward at first, but millions of workers have tasted a better quality of life without a commute, and without many other related costs of money and time. Many workers do not want to give up WFH, now that they’ve seen that they can be effective while working from home.

I’ve been part-time WFH for almost twenty years, but I’ve also had jobs where I was commuting three to four hours each day, so I’m intimately familiar with both ends of the spectrum, as well as the middle. I am working today for an Alaska-based company while living in Washington State, so I’m a living subject in the great WFH experiment. And in the nine months since starting this job, I’ve hired workers on my team who live in Idaho, Texas, Arizona, Washington, and, yes, Alaska.

For workers, WFH represents a savings of hard money in terms of vehicle, mass transit, work wardrobe, and lunches out, offset by the expense of equipping and maintaining a home office. The soft benefits include saved commute time and quality of life, but the office offers the ability to work in person with colleagues and develop better in-person relationships than can be built on video calls alone.

One can draw up a long list of WFH pros and cons. For most of 2020, we had no choice. But from now on, better organizations realize that WFH has many benefits:

  • Workers often put in more hours.
  • Organizations’ office space expenses are lower.
  • Employers can draw from a significantly larger labor pool when looking for new employees.
  • Existing staff have the freedom to relocate their families to other communities while keeping their same jobs.

Organizations unwilling to consider WFH workers will have a more difficult time finding qualified workers, as they will be drawing from a far smaller labor pool. Employers will have to pay more for people to work in the office to compensate for their additional time and hard expenses – AND employers will have the added cost of providing workspace for those workers they require to be on-site (and those workers who want to). Many workers will be willing to work for less if they can WFH as it is a fair exchange for a better quality of life.

One thing is for sure: the WFH genie will not be going back into the bottle. Ever.

Control Self-Assessment Advantages and Disadvantages

In my book, CISA Certified Information Systems Auditor All-In-One Exam Guide, control self-assessment is defined as follows:

“A methodology used by an organization to review key business objectives, risks, and controls. Control self-assessment is a self-regulation activity.”

Control self-assessment (CSA) is a tool used by internal audit, information security, and privacy professionals to better learn how internal controls are being operated. As the name implies, CSA consists of a directive sent to a control owner to ask him or her to answer specific questions about a particular control, and provide particular artifacts about the control to substantiate the answers to some of those questions.

While CSA can be conducted via e-mail, it is often a part of an integrated risk management (IRM) system, formerly known as a governance, risk, and compliance (GRC) system. An IRM can be used to collect information about controls and even score the results electronically.

Appropriately managed, CSA can extend the reach and visibility of internal audit activities, but it is not a silver bullet. I list some of the advantages and disadvantages of CSA here.

Advantages:

  • Saves time. More controls can be assessed in a given period, versus traditional walkthrough sessions that consume meeting time and may be difficult to schedule.
  • Extends visibility. Information about more controls can be obtained than through walkthrough sessions only.
  • Reinforces control ownership responsibility. By having control owners answer questions and provide artifacts on their own, CSA supports the concept that control owners are responsible for the effectiveness of their controls.
  • Digital record. Because CSA is usually performed electronically, it is not necessary to transcribe meeting notes.

Disadvantages:

  • Integrity. Because a control owner is answering questions and providing artifacts away from internal audit personnel, there may at times be a question of whether it was the control owner who answered the questions, and whether they altered any of the provided evidence.
  • Exploration. In a typical walkthrough, an internal auditor will ask follow-up questions based on responses to earlier questions. It can be exceedingly difficult to anticipate all possible responses to questions in a CSA questionnaire.
  • Body language. In an in-person walkthrough, an internal auditor will observe the body language of the control owner as a part of the overall assessment. Body language provides additional information that may help an internal auditor better understand where control weaknesses might exist.
  • Overburdening control owners. In an IRM (integrated risk management) system, it can be easy to “load up the CSA gun” and fire off numerous CSA assignments to control owners. Unlike in-person walkthroughs, which require a more equal time commitment between auditors and auditees, CSAs require little up-front time from internal audit. Internal auditors need to be cognizant that the effort to complete a CSA is asymmetrical: the control owner may have to spend considerable time answering questions and gathering artifacts.
  • Problem controls. A CSA should not be used alone for controls known to have problems. Controls with problems require deeper scrutiny in conversations that are difficult to script in a questionnaire.
  • Relationship. In-person control assessments help to establish and deepen relationships between internal auditors and control owners. Since they are purely digital, CSAs do little in this regard. As corporate functions, Internal Audit (and information security and privacy) need to be established as collaborative relationships. Establishing a relationship based on the assignment of digital tasks may hinder this effort.

Planned properly, control self-assessments can extend the reach and visibility of internal audit, information security, and privacy functions. However, because relationships with auditees are vital to the long-term success of these programs, CSA needs to be applied thoughtfully.

WFH’s Silver Lining

Twenty years ago, I was part of a task force at AT&T Wireless to study work-from-home from every aspect. The company had a goal of closing several office buildings across the U.S. to reduce costs. Our task force considered many perspectives, including:

  • Being a WFH employee
  • Managing WFH employees
  • Technology considerations
  • Security considerations
  • Corporate policy considerations
  • Workplace regulations

This experience equipped me with considerable insight that would prove valuable through much of my career. From the early 2000s, I was a part-time WFH employee, switching to full-time in 2014 when I joined Optiv Security. At GCI Communications, I continue to be full-time WFH.

Image courtesy CNBC.

I’ve seen companies struggle with the transition to WFH, both culturally and with the learning curve of videoconferencing technology and etiquette. For many of us at Optiv, WFH was just another workday. When I joined GCI in August 2020, WFH was in full swing, and the workforce had gotten over the initial bumps (there is no question that the pandemic has resulted in the unemployment of millions of people, causing widespread financial hardship).

For me, there is a silver lining for the pandemic-induced global WFH. During our videoconference meetings throughout the week, we experience more than just the work side of our colleagues:

  • Virtual backgrounds aside, we get a glimpse into their homes
  • Sometimes we’ll see what’s going on inside or outside
  • Young children sometimes appear, for a moment but sometimes longer
  • Cats, dogs, bunnies, and more are seen and/or heard
  • Spouses and other family members are sometimes seen and occasionally introduced and conversed with
  • Other sights and sounds, including leaf blowers, garbage trucks, sirens, deliveries, and more

Depending upon the formality of the culture and of individual meetings, these are not “interruptions.” Instead, I consider them as a window into the lives of my colleagues, with a potent reminder that we all have homes, families, and lives away from work.

Before the pandemic and before WFH, we could easily compartmentalize our lives into our work life and our home life, and often these remained separate. At work, we would primarily see the work side of each of our colleagues. The pandemic caused these worlds to collide, resulting in the blending of these former separate personas. It reminds me that we are all human.

How My Writing Became More Productive

I was working on my first book, Solaris Security, in 1998. I did most of my writing after dinner and after the kids were in bed, working from around 9 to 11 pm three or four nights each week. Most of the time, I’d write until I was head-bobbing and falling asleep mid-sentence. It was slow going.

Image courtesy Web Writer Spotlight

Several people at work knew I was writing this book. One day in the break room, my colleague Mike Cattolico asked me how writing was going. I replied that I was getting a little bit done each night until I was falling asleep. Mike replied, “Dude! You need to flip that schedule: get up early, like 4am, and skim the cream off the top.”

That made sense to me. The very next day, I took his advice and tried it out. After several days of getting up at 4am and writing for a couple of hours before the kids woke up, I found that my productivity skyrocketed. He was right!

For twenty years now, I’ve been writing in the early morning hours, as well as on Saturday mornings (and sometimes all day Saturday). Last year, I made another change and stopped writing on the weekends, essentially spending fewer hours each week writing. But with the experience I’ve gained writing dozens of books over two decades, I’m getting as much writing done on weekday mornings, and I now have my weekends free for other things.