Category Archives: career

State University Gives Copies of Security Career Books to Students

Earlier this year, Georgia State University asked me to speak at an information session for students in its Masters of Science in Information Systems (MSIS). Students needed to choose their study concentration; my job was to describe the information security profession to them so that they could choose whether to elect the security concentration, or one of two other concentrations. 
The university gave to all of its MSIS students a copy of one of my recent books, Getting an Information Security Job For Dummies. University officials recognized that the book accurately describes the profession, how professionals can learn more about the profession, career choices within the profession, and steps someone can take to get into the profession.

After my talk, university officials informed me that twenty-five students elected to pursue the information security concentration. This was greater than they expected, and they were pleased with the outcome. They expressed their gratitude to me for the time I took to describe the profession to them and answer their questions.


Padding Your Resume

It’s a popular notion that everyone embellishes their resume to some extent. Yes, there is probably some truth to that statement. Now and then we hear a news story about people “padding their resumes”, and once in a while we hear a story about some industry or civic leader who is compelled to resign their position because they don’t have that diploma they claimed to have on their resume.

Your resume needs to be truthful. In the information security profession, the nature of our responsibility and our codes of ethics require a high standard of professional integrity. More than in many other professions, we should not ever stretch the truth on our resume, or in any other written statements about ourselves. Not even a little bit. Those “little white lies” will haunt us relentlessly, and the cost could be even higher if we are found out.

– first draft excerpt from Getting An Information Security Job For Dummies

Understanding success in an information security job

There is a basic truth of information security jobs that can be intensely frustrating to some people but represents an exciting challenge to others: your guidance on improving security and reducing risk will often be ignored.

Many security professionals have a difficult time with the feeling of being ineffective. You can spend considerable time on a project that includes recommendations on improving security, and many of those recommendations might be disregarded. A track record of such events can make most professionals feel like a failure.

A security professional needs to understand that they are a change agent. Because information security practices are often not intuitive to others, your job will often involve working with others so that they will embrace small or large changes and do their part in improving security in the organization. To be an effective change agent, you need the skills of negotiation and persuading others to understand and embrace your point of view and why it’s important to the organization.

You need to realize, however, that even if you are a skilled negotiator, you still won’t get your way sometimes. This should not be considered a failure, and here’s why: it’s our job to make sure that decision makers make informed decisions, considering a variety of factors including security issues. As long as decision makers make informed decisions (meaning, we have informed them of the risks associated with their choices), we have done our job, and we need to be comfortable knowing that sometimes decisions are made that we don’t agree with.

– Excerpt from Getting An Information Security Job For Dummies, to be published in 2015

Reno, Nevada

I am visiting Reno, Nevada after quite a long absence. I’m here to speak at a professional event on the topic of human factors and data security (in other words, why we continue to build unsecure systems).

My IT career started here in Reno, with on-campus jobs in computing (operations and software development), and later in local government, banking, and casino gaming. Each job built on the last, and I gained positions with greater responsibility, creativity, and rewards of various sorts.

I buried my young son in Reno – it seems like many lifetimes ago. He was my first stop. Time is a great healer – you’ll have to trust me on this one, if you have recently suffered a big loss.

I looked up a couple of long-time friends, but waited until the last minute. They’re probably busy with their own lives today.

Done with my coffee stop and time to check in to my hotel. My talk is tonight, and then I’m back on the road tomorrow with other stops in the Pacific Northwest.

Insights into CRISC certification quality

I spent the previous Friday and weekend at ISACA HQ in Chicago at a workshop. The objective: to examine about 360 candidate exam questions for the CRISC (Certified in Risk and Information Systems Control) certification.

There were about 30 of us that worked in three independent groups that consisted of a facilitator (Richard Norman, a security manager in the UK), a scribe (Kim Cohen, the Certification Exam Development Manager at ISACA), and 8 risk management experts from many different organizations including Bank of America, Caterpillar, Premera Blue Cross, and Verizon Business.

We had our work cut out for us. Each group had about 120 exam questions to examine, discuss, edit, and ultimately determine whether each is a good question based on many different quantitative and qualitative measurements. Oftentimes our discussion of a question became a discussion about security or risk management practices (including what companies should be doing and what they are actually doing). Richard, our facilitator, and Kim, our scribe, kept us on task and on pace.

The hard work began long before the three-day weekend. Going back to May 2013, we each began our training on writing certification exam questions for ISACA, and over a four or five week period we each wrote a total of twenty exam questions. Anyone who thinks this is an easy task does not understand the rules and the discipline required for the task. It is quite difficult.

I’ve been trained by two other certification organizations in exam question writing, but ISACA has really upped the game. The rigor and quality that ISACA puts into certification exam question development is impressive. There are several levels of review, by different teams of vetted subject matter experts, on each question before it sees the light of day. And the analysis does not stop after the exam question has been finalized and approved. Analysis of how test takers answer the question continues throughout the life of the exam question. It is no wonder that CRISC won the Certification of the Year Award from SC Magazine.

ISACA has been in the certification business longer than just about anyone in information technology. ISACA itself started in the 1960s, and the CISA certification began in the 1980s; tens of thousands of security and IS audit professionals have earned the CISA certification, and it remains one of the top IT security certifications today.

The Disintermediation of Corporate IT

Information Technology is the department in many organizations that has, historically, taken on the challenging tasks of systems engineering, network engineering, database management, and software development – all in support of business applications that support (and, in some cases, make possible) key business processes.

In recent years, cloud computing and all of the “as a service” offerings (software as a service, infrastructure as a service, storage as a service) have taken some pressure off of corporate IT with regard to the resources required to host, install, and manage key applications. IT departments have seen this as a good thing, but a longer view of this trend should be considered a bellwether of change: IT departments are going to shrink in size considerably, since those skills will no longer be needed in many organizations.

Think about it. Today, it’s possible for an organization to farm out all of its business applications to external service providers: from e-mail to intranet sites, many companies can get away with virtually no servers in their environment. Instead, everything will be accessible via the Internet.

The same goes for the networks supporting so-called “desktop” environments. With a few WiFi access points, network wiring out to employees’ desks is a thing of the past. In many cases, an organization’s business network can be a few WiFi access points and one of those all-in-one boxes for Internet connectivity.

Remote access also becomes a has-been. With nothing in the corporate network to access, users access virtually all corporate resources via the Internet with no special access required.

In terms of the IT labor force, this reflects a trend whereby corporations consuming IT services will require fewer IT workers, while IT service providers will require more. However, those service providers will require only a fraction of the personnel displaced by their services. As a result, a typical IT department of the future may consist of a CIO, some business analysts and project managers, and little else.

This disintermediation has been seen in IT in the past. Decades ago, most organizations wrote custom applications for many of their key business processes, because there were few, if any, commercial off-the-shelf (COTS) applications available. There were large numbers of software developers and other personnel dedicated to the development and ongoing maintenance of these applications. But over time, fewer custom applications were needed, since there were many good products that IT departments could purchase, install on company servers, and operate. This trend is simply continuing, with even the hosting of these applications moving from client organizations to cloud service providers. Soon there won’t be a need for data centers, or even wiring closets, in most organizations. This should be seen as a natural progression of innovation and improving efficiencies.

Even the department name Information Technology may give way to Information Management. After all, there will be little or no visible technology, since it will be hosted by service providers. Instead, companies will be managing information located elsewhere, and hosted, stored, and processed on their behalf by other organizations.

While the outlook for talented IT personnel may be good today, I believe the trend of disintermediation will, slowly at first, reduce demand for IT talent in many organizations. The shortage of IT personnel today may be a glut in a few years.

How to make 2013 your breakout year

SEATTLE. January 1, 2013, 12:01am

A person or organization has a breakout year when their skills and accomplishments help them ascend to a higher level of responsibility, visibility, and achievement. Often, someone has a breakout year when they are involved in situations where they excel and produce great results that are widely recognized. Often that leads to those persons or teams being rewarded with even greater responsibility, and more opportunity for achievement and greatness.

We can’t all be a Chris Christie, Andrew McCutchen, or Dan Straily, but we can excel and advance nonetheless. We can “bloom where we’re planted” and improve our lot and that of others.

Set Your Sights High

It is often said that high achievers get that way by setting big goals. Do not be afraid to set a “big hairy audacious” goal for yourself, and then do what you can to achieve it.

Don’t Be Discouraged by Failure

The world’s great achievers (including Edison, Tesla, Curie, and Churchill) did not become famous overnight, nor were they born with superhuman qualities. Instead, they had only fierce determination and a drive to keep trying despite repeated failures and setbacks. Every time they met failure, they got up, dusted themselves off, and set their eyes back on their goals and tried again.

Remember that every great achiever failed numerous times before they succeeded. Learn from your setbacks and try again!

Adopt a Servant’s Attitude

Ronald Reagan once said, “There is no limit to what you can accomplish if you don’t care who gets the credit.” So many people are distracted by posturing, politicking, and looking good – that’s all energy they could be putting into their effort instead. An individual or a team that is focused on meeting goals instead of looking good is far more likely to accomplish what it has set out to do.

I invite you to adopt a new ethic in your work. Rather than dedicate yourself to service to yourself, make it your life’s purpose to serve others. You’ll be surprised at the results, and the rewards you will receive by putting others first.

Adversity May Be Your Path

A breakout year may not mean fame, glory, and riches. Instead, you may find yourself going through difficulties that may be causing you to ask, “Why me?” However, this may be the path that takes you to your own breakout year.

Years ago, I faced adversity in my personal life that shook me to the core. Those who know me understand when I call that time my “dark year(s).” But it was in the face of that adversity that my circumstances changed in miraculous ways, leading to a breakout year in both my personal and professional life. In many ways I’ve been riding the crest of that wave from then until now.

Don’t Take Yourself Too Seriously

I know plenty of people who are obsessed with what they are doing every minute of the day, and how they appear to others. To that I would say, “relax!” Allow yourself to make mistakes, and even take a moment (perhaps later on) to laugh a little bit at the memory of some of your blunders.

Your most powerful response to everything that your career and your life has to offer you is your response to those things that happen to you, for better or worse. Keep your chin up and remember that you will be here another day – a day of potential triumph.

* * *

Make this your breakout year. After all, you deserve it – you really do. This will be my breakout year, and there’s plenty enough for the both of us.