Category Archives: career

My CISSP Journey, Part 6: Earning and Recording CPEs

Like many professional certifications and designations, CISSP requires that certification holders complete a minimum number of continuous professional education (CPE) hours each year. This requirement makes sense to me, as the information security profession is still changing at a high rate. Were it not for this continuing education requirement, many who earn the CISSP and other certifications would quickly fall behind, and those who had earned the certifications would become irrelevant.

Today, (ISC)² requires CISSP holders to earn 120 CPEs in each three-year cycle and no fewer than 20 CPEs in any individual year. So this is an average of 40 CPEs, or forty hours of training, annually.

Many of us are fortunate enough to attend one or two conferences each year, and alone this would effectively satisfy the 40-hour requirement. But not all of us are so lucky: the rest of us have to earn our CPEs an hour at a time.

In earlier years (before 2005, in my estimation), this was a challenge, but no more. Today, each year, there are scores of opportunities to attend vendor product demos and free instructional sessions from (ISC)², ISACA, and other associations.  There are so many that you can pick and choose those that are of greatest interest to you.

The dark side to CPEs, if there is one, is that we are required to keep precise records of our CPEs. I suggest you create a spreadsheet that lists, line by line, each CPE event that you attend. More than that: (ISC)², ISACA, and others require that you retain evidence of your training. Some events will email you a certificate of completion, and others will provide a certificate download capability at the conclusion of an event. Some do not provide anything at all, so I make it a point to take a few screenshots of the event.

Sample CPE Listing

(ISC)², ISACA, and other associations will randomly audit members’ CPE records to see whether they are truthful in their claims. I was audited by ISACA many years ago, and while I had a good listing of events that I attended, I did a poor job of retaining evidence. Still, I passed the audit because I did have evidence for at least some of the events I attended. The audit put the fear of God in me, and ever since that time, I meticulously obtain and retain evidence for every event I attend. As the published author of several security and privacy-related exam guides in which I stress the importance of good CPE recordkeeping, I doubt that (ISC)², ISACA, or any other organization would cut me any slack at all. And so it should be.
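The line-by-line CPE log and evidence retention described above, as an added example (not (ISC)² or ISACA tooling, and not code from the original post): it reads a constructed spreadsheet export, applies the 120-per-cycle and 20-per-year rule, and flags every event for which no certificate or screenshot was kept. The column names are assumptions.

```python
"""
Check a CPE log against the (ISC)2 rule quoted above: 120 CPEs per
three-year cycle and no fewer than 20 in any single year. Also list
every entry that has no retained evidence file, since that is what an
audit will ask for. Added example; column names are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample spreadsheet export. 'evidence' holds the path to a
# certificate or screenshot; an empty value means nothing was retained.
SAMPLE_CPE_LOG = """\
date,event,hours,evidence
2021-02-10,ISACA webinar: risk appetite,1,evidence/2021-02-10-isaca.pdf
2021-06-15,Vendor demo: SIEM tuning,1,
2021-09-21,Regional security conference,16,evidence/2021-09-conf.png
2022-03-03,(ISC)2 webinar: cloud IAM,1,evidence/2022-03-03-isc2.pdf
2022-11-08,Chapter meeting,2,
2023-05-12,Privacy summit,8,evidence/2023-05-summit.pdf
2023-10-30,Vendor demo: EDR,1,evidence/2023-10-30-edr.png
"""

CYCLE_REQUIRED = 120   # CPEs per three-year certification cycle
ANNUAL_MINIMUM = 20    # CPEs required in any single year of the cycle


def parse_cpe_log(text):
    """Parse CSV text into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": r["date"],
            "year": int(r["date"][:4]),
            "event": r["event"],
            "hours": float(r["hours"]),
            "evidence": r["evidence"].strip(),
        })
    return rows


def hours_per_year(rows):
    """Sum CPE hours by calendar year."""
    totals = defaultdict(float)
    for r in rows:
        totals[r["year"]] += r["hours"]
    return dict(totals)


def check_cycle(rows, cycle_start_year):
    """Report on the three-year cycle that starts in cycle_start_year."""
    years = [cycle_start_year + i for i in range(3)]
    per_year = hours_per_year(rows)
    yearly = {y: per_year.get(y, 0.0) for y in years}
    total = sum(yearly.values())
    missing = [r for r in rows if r["year"] in years and not r["evidence"]]
    return {
        "total": total,
        "shortfall": max(0.0, CYCLE_REQUIRED - total),
        "years_below_minimum": [y for y, h in yearly.items() if h < ANNUAL_MINIMUM],
        "unevidenced_hours": sum(r["hours"] for r in missing),
        "missing_evidence": [r["event"] for r in missing],
        "compliant": total >= CYCLE_REQUIRED
                     and all(h >= ANNUAL_MINIMUM for h in yearly.values()),
    }


if __name__ == "__main__":
    report = check_cycle(parse_cpe_log(SAMPLE_CPE_LOG), 2021)
    for key, value in report.items():
        print(f"{key}: {value}")
```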

In Part 7: paying it forward.

My CISSP Journey, Part 5: Earning the CISA

In the first four parts of this series, I describe my preparation for the CISSP exam, writing exam questions, proctoring exams, and writing study guides for two different publishers. My CISSP journey took a second, parallel path when I had the opportunity to sit for another examination.

I don’t remember now where I first heard of the CISA certification, but it had to be in 2001, early in the purely-security part of my career. CISA, or Certified Information Systems Auditor, is a certification from ISACA (then known as the Information Systems Audit and Control Association, but now simply known as ISACA). CISA was established in 1978, whereas CISSP is much younger, established in 1994.

My distinct impression in 2001 was that possessing the CISSP and CISA certifications together was a Golden Ticket in the information security industry. I was young and aspired to more significant roles in the business, so I pursued the CISA with vigor.

I am grateful that my employer purchased CISA study materials for me, which consisted of a large question bank, and extensive study materials.  While there is considerable overlap between the CISSP and CISA certifications in terms of the domains of required knowledge, I soon learned that the vocabulary of information security was far more extensive than portrayed by CISSP. I especially struggled with the terminology and practices of IS audit, having been audited but not having been an auditor. Still, I was determined to succeed.

I registered for and sat for the CISA exam in June 2002. The exam itself was every bit as difficult as the CISSP examination and was Scantron-based as well. It’s incredible how you can get a cramp in your hand filling in little bubbles, although I think this is in combination with the mental stress that accompanies it.

Like the CISSP exam, I thought I had failed, as the exam questions were tough. However, a month or so later, a letter came in the mail from ISACA that told me that I had passed!  I was over the moon and wore the twin monikers CISSP and CISA proudly.

A year later, ISACA released the new Certified Information Security Manager (CISM) certification, and I had an opportunity to earn it through ISACA’s grandfathering process. I thought to myself: I have the CISSP and CISA certifications; why do I need any more?  I did not pursue the CISM grandfathering opportunity, a decision I would later regret for almost a decade. I did, eventually, sit for and pass the CISM exam, by the way.

In later years, I would earn more certifications in other topics such as disaster recovery planning, cloud security, privacy, and cardholder security – some grandfathered, some with arduous study and exams.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

My CISSP Journey, Part 4: Writing a Study Guide

In the earlier parts of this series, I describe my experience preparing for and taking the CISSP exam, and later when I had an opportunity to write exam questions and proctor exams. In this part, I tell the story of my chance to write certification study materials.

In part 1 of this series, I mentioned that there were no available books for self-study for the CISSP exam, but instead, I borrowed a colleague’s binder from his in-classroom training a few years before, in the late 1990s.

As today’s story begins, at this time, I had written three books: Solaris Security, Sun Certified System Administrator for Solaris 8 Study Guide, and Enterprise Information Security. In another part of the country, Wiley Publishing and an author were working on the first edition of CISSP For Dummies, a user-friendly study guide for the CISSP exam. The project was apparently behind schedule, and the acquisitions editor at the publishing company called me on the phone one day and asked if I’d be willing to help out.  We negotiated an agreement that survives to this day, in which I am co-author of CISSP For Dummies. Over the last nineteen years, we have published six editions of the book and will soon be working on the seventh edition.

The book covers all of the knowledge domains that a CISSP candidate is expected to know to pass the exam. I especially like the For Dummies style, as we write in a friendly, more casual style while still imparting the knowledge required.

Starting with the 5th edition published in 2016, CISSP For Dummies is the only CISSP study guide approved by (ISC)², and it says so prominently on the cover. This is an endorsement that is not included in any other CISSP study guide.

I genuinely felt like my writing career was going to be sustained, as I had by this time written major titles for three different publishers on two continents. Feeling like I was not writing up to my true potential, I hired a literary agent in 2006, who found more publishing opportunities for me. One of the first such opportunities was to write an academic study guide for the CISSP exam by a publisher that sells direct to colleges, universities, and vo-tech schools. In 2009, the first edition of CISSP Guide to Security Essentials was published. The instructor edition includes the book and explanations for the study questions in the book, along with a complete set of PowerPoint slides to be used for classroom or virtual classroom instruction.  CISSP Guide to Security Essentials was published in a second edition in 2015.

In Part 5: earning the CISA and other certifications.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

My CISSP Journey, Part 1: The CISSP Exam

In the 1990s, my IT engineering and management career was thriving. I led a team of about 15 seasoned professionals and worked in a business unit where information security was a key objective. We rose to the challenge and brought several key capabilities into our work environment, including multi-factor authentication, encrypted remote access (via modem), firewalls, and hardened servers and workstations. My part of the enterprise fared quite well in penetration tests conducted by an outside firm.

Before this time, I had spent years in computer operations and more years in Unix and C-based software engineering, so my IT background was quite broad. This experience proved later to be a solid foundation for my pivot into security.

In 1998, I was looking for a good book on Solaris security but could find nothing at all. I called one of my publisher connections at Sun Microsystems Press and secured a book deal to write the book, Solaris Security. Writing this book proved to be a great learning opportunity to shore up my knowledge in various areas.

In 1999, I met a colleague, Bob Maynard, who had his CISSP certification. Before knowing Bob, I had not met anyone with this certification, and it intrigued me. I looked at the (ISC)² website and decided that I would pursue this certification.

There were no books in print in 1999 or 2000 on the CISSP certification. The only available training was directly from (ISC)², and it was expensive even then. But my colleague Bob had his giant three-ring binder from the course that he had taken the year before, and he agreed to let me borrow it for a few months. He said apologetically that he had written numerous notes on the pages, which I told him would add more value.

In 2000, the CISSP exam was offered only once per year in Seattle, and I had just missed it. I found an exam in November in Colorado Springs, and booked an air trip, and registered for the exam.

I pored over Bob’s CISSP course binder studiously for months, right up to the night before the exam. There were no practice exams of any kind, so I was unsure of whether I would pass.

The exam itself was arduous – and that’s about as nice as I can describe it. At that time, the proctor in the room would pass out the exam books, which were sealed and serial numbered, and we were instructed to make no mark of any kind in them. Next, the scantron sheets were handed to us, and we were directed to fill in our names and other information. As you may know, Scantron involves the use of a pencil and filling in little bubbles that are machine scanned. Your hand will become sore after filling in more than three hundred of these bubbles, but that’s not the worst of it.

Typical Scantron answer sheet

The exam questions are brutal. Rather than black-and-white, they explore shades of grey and challenge your intimate knowledge of the subject matter, which ranges from the desired height of security fences to hashing algorithms.  The CISSP test at that time consisted of 250 questions, with a six-hour time limit to answer them all. I used nearly all of the six hours, double-checking several of my answers. I turned in my exam sheet, not at all confident of my prospects for passing.

I drove back to the airport, turned in my rental car, and boarded my flight back to Seattle. I fell asleep on the plane before they shut the door, and the flight attendant had to rouse me in Seattle, where I was the last passenger to disembark the aircraft. I usually don’t sleep on airplanes; for me, this was an outward sign of my mental exhaustion after taking the exam.

In Part 2: writing CISSP exam questions.

In Part 3: proctoring CISSP exams.

In Part 4: writing a CISSP study guide.

In Part 5: earning the CISA and other certifications.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

Where Are You Going?

While hiking in the hills near our mountain cabin one day, I realized that I was looking down at each step. The terrain was unlevel, full of brush, rocks, critter holes, and other obstacles. In a moment of realization, I stopped and looked out in front of me. I realized that, for several minutes, I was not looking at where my walking was taking me.

Our jobs and our careers are like a hike on uneven ground. We make small and large decisions, interact with people, often only in the moment, without pausing to look up to see where these daily activities are taking our careers. When working only in the moment, we are surrendering control of our careers to others and to chance, rather than taking the reins and going where we want.

Like walking or hiking, it’s essential to make good in the moment decisions, but we must occasionally stop to see where our steps are taking us, and change direction when needed.

Also, remember to stop and enjoy the view.

CISM vs CISSP

A reader recently asked me about the CISM versus the CISSP. Specifically, he asked, “How hard is the CISM for someone who passed the CISSP?”

Having earned both certs (and a few more besides), and having written study guides for both, I felt qualified to help this individual. My answer follows.

CISM is much heavier on security management and risk management than CISSP. You’ll have to study these topics, and the business side of information security. To paint with a broad brush, you could say that CISM is for CISOs while CISSP is for security engineers. That, in essence, is the distinction.

Oh and there’s a great study guide out for the CISM: https://www.amazon.com/Certified-Information-Security-Manager-Guide-ebook/dp/B079Z1J87M

I passed my CISSP almost 20 years ago while I was still a hands-on technologist. I studied for my CISA two years later. I learned through my ISACA CISA study materials (provided by my employer) that ISACA has a vastly different vocabulary for infosec than does (ISC)². Think of it as a business perspective versus an engineering perspective. Both are right, both are valid, both are highly valued in the employment market. But they are different. Master both, and you’ll be a rare treasure.


Study guides for CISSP:

CISSP For Dummies

CISSP Guide to Security Essentials

Study guides for CISM:

CISM All-In-One Exam Guide

State University Gives Copies of Security Career Books to Students

Earlier this year, Georgia State University asked me to speak at an information session for students in its Master of Science in Information Systems (MSIS) program. Students needed to choose their study concentration; my job was to describe the information security profession to them so that they could choose whether to elect the security concentration or one of two other concentrations.

The university gave all of its MSIS students a copy of one of my recent books, Getting an Information Security Job For Dummies. University officials recognized that the book accurately describes the profession, how professionals can learn more about the profession, career choices within the profession, and steps someone can take to get into the profession.

After my talk, university officials informed me that twenty-five students elected to pursue the information security concentration. This was greater than they expected, and they were pleased with the outcome. They expressed their gratitude to me for the time I took to describe the profession to them and answer their questions.

Padding Your Resume

It’s a popular notion that everyone embellishes their resume to some extent. Yes, there is probably some truth to that statement. Now and then we hear a news story about people “padding their resumes”, and once in a while we hear a story about some industry or civic leader who is compelled to resign their position because they don’t have that diploma they claimed to have on their resume.

Your resume needs to be truthful. In the information security profession, the nature of our responsibility and our codes of ethics require a high standard of professional integrity. More than in many other professions, we should not ever stretch the truth on our resume, or in any other written statements about ourselves. Not even a little bit. Those “little white lies” will haunt us relentlessly, and the cost could be even higher if we are found out.

– first draft excerpt from Getting An Information Security Job For Dummies

Understanding success in an information security job

There is a basic truth of information security jobs that can be intensely frustrating to some people but represent an exciting challenge to others: your guidance on improving security and reducing risk will often be ignored.

Many security professionals have a difficult time with the feeling of being ineffective. You can spend considerable time on a project that includes recommendations on improving security, and many of those recommendations might be disregarded. A track record of such events can make most professionals feel like a failure.

A security professional needs to understand that they are a change agent. Because information security practices are often not intuitive to others, your job will often involve working with others so that they will embrace small or large changes and do their part in improving security in the organization. To be an effective change agent, you need the skills of negotiation and persuading others to understand and embrace your point of view and why it’s important to the organization.

You need to realize, however, that even if you are a skilled negotiator, you still won’t get your way sometimes. This should not be considered a failure, and here’s why: it’s our job to make sure that decision makers make informed decisions, considering a variety of factors including security issues. As long as decision makers make informed decisions (meaning, we have informed them of the risks associated with their choices), we have done our job, and we need to be comfortable knowing that sometimes decisions are made that we don’t agree with.

– Excerpt from Getting An Information Security Job For Dummies, to be published in 2015

Reno, Nevada

I am visiting Reno, Nevada after quite a long absence. I’m here to speak at a professional event on the topic of human factors and data security (in other words, why we continue to build unsecure systems).

My IT career started here in Reno, with on-campus jobs in computing (operations and software development), and later in local government, banking, and casino gaming. Each job built on the last, and I gained positions with greater responsibility, creativity, and rewards of various sorts.

I buried my young son in Reno – it seems like many lifetimes ago. He was my first stop. Time is a great healer – you’ll have to trust me on this one, if you have recently suffered a big loss.

I looked up a couple of long-time friends, but waited until the last minute. They’re probably busy with their own lives today.

Done with my coffee stop and time to check in to my hotel. My talk is tonight, and then I’m back on the road tomorrow with other stops in the Pacific Northwest.

Insights into CRISC certification quality

I spent the previous Friday+weekend at ISACA HQ in Chicago at a workshop. The objective: to examine about 360 candidate exam questions for the CRISC (Certified in Risk and Information Systems Control) certification.

There were about 30 of us that worked in three independent groups that consisted of a facilitator (Richard Norman, a security manager in the UK), a scribe (Kim Cohen, the Certification Exam Development Manager at ISACA), and 8 risk management experts from many different organizations including Bank of America, Caterpillar, Premera Blue Cross, and Verizon Business.

We had our work cut out for us. Each group had about 120 exam questions to examine, discuss, edit, and ultimately determine whether each is a good question based on many different quantitative and qualitative measurements. Oftentimes our discussion of a question became a discussion about security or risk management practices (including what companies should be doing and what they are actually doing). Richard, our facilitator, and Kim, our scribe, kept us on task and on pace.

The hard work began long before the three day weekend. Going back to May 2013, we each began our training on writing certification exam questions for ISACA, and over a four or five week period we each wrote a total of twenty exam questions.  Anyone who thinks this is an easy task does not understand the rules and the discipline required for the task. It is quite difficult.

I’ve been trained by two other certification organizations in exam question writing, but ISACA has really upped the game. The rigor and quality that ISACA puts into certification exam question development is impressive. There are several levels of review, by different teams of vetted subject matter experts, on each question before it sees the light of day. And the analysis does not stop after the exam question has been finalized and approved. Analysis of how test takers answer the question continues throughout the life of the exam question. It is no wonder that CRISC won the Certification of the Year Award from SC Magazine.

ISACA has been in the certification business longer than just about anyone in information technology. ISACA itself started in the 1960s, and the CISA certification began in the 1980s; tens of thousands of security and IS audit professionals have earned the CISA certification, and it remains one of the top IT security certifications today.

The Disintermediation of Corporate IT

Information Technology is the department in many organizations that has, historically, taken on the challenging tasks of systems engineering, network engineering, database management, and software development – all in support of business applications that support (and, in some cases, make possible) key business processes.

In recent years, cloud computing and all of the AAS’s (software as a service, infrastructure as a service, storage as a service) have taken some pressure off of corporate IT with regards to all of the resources required to host, install, and manage key applications. IT departments have seen this as a good thing, but a longer view of this trend should be considered a bellwether of change: IT departments are going to shrink in size considerably, since those skills will no longer be needed in many organizations.

Think about it. Today, it’s possible for an organization to farm out all of its business applications to external service providers: from e-mail to intranet sites, many companies can get away with virtually no servers in their environments. Instead, everything will be accessible via the Internet.

Same goes for the networks supporting so-called “desktop” environments. With a few WiFi access points, network wiring out to employees’ desks is a thing of the past. In many cases, an organization’s business network can be a few WiFi access points and one of those all-in-one boxes for Internet connectivity.

Remote access also becomes a has-been. With nothing in the corporate network to access, users access virtually all corporate resources via the Internet with no special access required.

In terms of the IT labor force, this does reflect a trend whereby corporations consuming IT services will require fewer IT workers, while IT service providers will require more. However, those service providers will require only a fraction of the personnel displaced by their services.  As a result, a typical IT department of the future may consist of a CIO, some business analysts and project managers, and little else.

This disintermediation has been seen in IT in the past. Decades ago, most organizations wrote custom applications for many of their key business processes, because there were few, if any, commercial off-the-shelf (COTS) applications available. There were large numbers of software developers and other personnel dedicated to the development and ongoing maintenance of these applications. But over time, fewer custom applications were needed since there were many good products that IT departments could purchase, install on company servers, and operate. This trend is simply continuing, where even the hosting of these applications is moving from client organizations to cloud service providers. Soon there won’t be a need for data centers, or even wiring closets, in most organizations. This should be seen as a natural progression of innovation and improving efficiencies.

Even the department name Information Technology may give way to Information Management. After all, there will be little or no visible technology, since it will be hosted by service providers. Instead, companies will be managing information located elsewhere, and hosted, stored, and processed on their behalf by other organizations.

While the outlook for talented IT personnel may be good today, I believe the trend of disintermediation will, slowly at first, reduce demand for IT talent in many organizations. The shortage of IT personnel today may be a glut in a few years.

How to make 2013 your breakout year

SEATTLE. January 1, 2013, 12:01am

A person or organization has a breakout year when their skills and accomplishments help them ascend to a higher level of responsibility, visibility, and achievement. Often, someone has a breakout year when they are involved in situations where they excel and produce great results that are widely recognized. Often that leads to those persons or teams being rewarded with even greater responsibility, and more opportunity for achievement and greatness.

We can’t all be a Chris Christie, Andrew McCutchen, or Dan Straily, but we can excel and advance nonetheless. We can “bloom where we’re planted” and improve our lot and that of others.

Set Your Sights High

It is often said that high achievers get that way by setting big goals. Do not be afraid to set a “big hairy audacious” goal for yourself, and then do what you can to achieve it.

Don’t Be Discouraged by Failure

The world’s great achievers (including Edison, Tesla, Curie, and Churchill) did not become famous overnight, nor were they born with superhuman qualities. Instead, they had only fierce determination and a drive to keep trying despite repeated failures and setbacks. Every time they met failure, they got up, dusted themselves off, and set their eyes back on their goals and tried again.

Remember that every great achiever failed numerous times before they succeeded. Learn from your setbacks and try again!

Adopt a Servant’s Attitude

Ronald Reagan once said, “There is no limit to what you can accomplish if you don’t care who gets the credit.” So many people are distracted by posturing, politicking, and looking good – that’s all energy they could be putting into their effort instead. An individual or a team that is focused on meeting goals instead of looking good is far more likely to accomplish what it has set out to do.

I invite you to adopt a new ethic in your work. Rather than dedicate yourself to service to yourself, make it your life’s purpose to serve others. You’ll be surprised at the results, and the rewards you will receive by putting others first.

Adversity May Be Your Path

A breakout year may not mean fame, glory, and riches. Instead, you may find yourself going through difficulties that may be causing you to ask, “Why me?” However, this may be the path that takes you to your own breakout year.

Years ago, I faced adversity in my personal life that shook me to the core. Those who know me understand when I call that time my “dark year(s).” But it was in the face of that adversity that my circumstances changed in miraculous ways, leading to a breakout year in both my personal and professional life. In many ways I’ve been riding the crest of that wave from then until now.

Don’t Take Yourself Too Seriously

I know plenty of people who are obsessed with what they are doing every minute of the day, and how they appear to others. To that I would say, “relax!” Allow yourself to make mistakes, and even take a moment (perhaps later on) to laugh a little bit at the memory of some of your blunders.

Your most powerful response to everything that your career and your life has to offer you is your response to those things that happen to you, for better or worse. Keep your chin up and remember that you will be here another day – a day of potential triumph.

* * *

Make this your breakout year. After all, you deserve it – you really do.  This will be my breakout year, and there’s plenty enough for the both of us.

LinkedIn skills endorsements add buzz but not much value

I now view other users’ profiles with some skepticism and wonder whether they really possess those skills or not.

I’ve been a LinkedIn user for about eight years, and I’m highly appreciative of its business networking focus. LinkedIn has facilitated many fruitful business opportunities that might not have happened otherwise.

LinkedIn has been adding new features, and one of the newest is the Skills feature. A while after adding Skills, LinkedIn now provides a means for users to “endorse” the skills of their connections. Upon first glance, I thought this would be a useful feature that would help to add credibility to one’s claims of business and technical skills.  That is, until I started receiving endorsements from some of the people I am connected with.

LinkedIn endorsements

I’m grateful to my connections for endorsing my skills – make no mistake about it. However, I’ve received many skills endorsements from connections that do not actually know whether I have those skills or not. While their endorsements seem to strengthen my credibility, I now view other users’ profiles with some skepticism and wonder whether they really possess those skills or not. If people are endorsing my skills without actually knowing whether I have them, how do I know whether others have the skills they claim, even when endorsed?

LinkedIn is just another tool that people can use to embellish their resumes. While LinkedIn has great potential for helping people find each other based on their profession, location, skills, and other criteria, LinkedIn is no substitute for other methods for determining whether businesspeople actually possess the skills they claim.

Which security certification should you earn next?

A reader who recently received his CISA certification asked, “Which certification should I earn next: CEH or CRISC?”

I see this question a lot, so I’d like to answer this in two different ways.

Sometimes when someone asks which certification they should earn next, I wonder if that person is asking others to choose their career direction for them.

In this case, the person wants to know whether CRISC or CEH is the right direction. If this person were asking me personally, I would respond with these questions: what aspects of information security interest you? For which aspects do you have good aptitude? What kind of information security job do you want to be doing in five years?

In the case of CEH and CRISC, these two certifications could not be more different from each other. One is a hands-on certification that has to do with breaking into systems (and helping to prevent adversaries from doing same), and the other has to do with risk management, which is decidedly hands-off.

Now for my second answer: you choose. Both are well respected certifications. Which one aligns with your career aspirations?

Another thing – for anyone who is just trying to figure out the next cert to add after their name – stop asking that question and do some other things first.

1. Assess your experience.
2. Figure out where your experience can help you go next.
3. Determine your aptitudes, meaning: what are your talents?
4. Decide what you want to be doing in five years, ten years.
5. Only after you have answered 1-4 can you then think about certifications. They should reflect your knowledge and experience.

Knowledge and experience come first. Certifications are a reflection of your knowledge and experience, not a forecast of future events.

– from my posting to the CISA Forum

Risk assessment the key to budgeting security resources

I have yet to meet a security professional who has all the time required to do everything he or she needs to do to protect his or her organization. Instead, whenever I network with security professionals and ask, “How’s it going?”, I can usually predict the answer: “crazy busy,” “way too much going on,” “many unfilled holes,” and so on.

This problem is not limited to security. Most other business functions usually feel short on the resources they require to do what they need (or want) to do.

The question, then, is how to decide what activities truly deserve our time.

The answer is to perform a risk assessment across your entire organization (or within individual business units if your organization is large). If you perform this competently and faithfully, you will end up with a list of risks. If you categorize those risks in terms of short-term impact, probability of occurrence, public visibility, cost of mitigation, and long-term impact, then you should be able to “slice and dice” your list to determine which risks truly demand your attention now, and which are lower priority.

The next task, then, is to present the findings of the risk assessment to senior management, so that they can make any adjustments to priorities and provide resources as they feel are needed.

Finally, explicitly or implicitly, you will need to document all untreated risks as “accepted” by senior management. Do it in writing, as formally (or informally) as the risk assessment itself.

Having done all of these, you will have done your job: making senior management aware of business risks and enabling them to make informed decisions.

If you agree (more or less) with senior management’s resourcing decisions, then you are fortunate. If you vehemently disagree, it may be time for you to find some mentors in the organization who can help you to better communicate with senior management. Lacking this, you may need to consider moving on.

Showcase your cloud security knowledge with a CCSK cert

There are risks associated with the use of any new technology. Moving applications and data to the cloud has its economic benefits, but there are also potential risks that organizations need to be aware of. Security professionals need to do their part: identify any risks associated with an organization’s desired move to the cloud, and manage those risks through the usual risk treatment process.

To be effective, security professionals need to be acutely aware of the technologies involved, so that they can effectively identify and manage risk. As with so many specialties, there is now a certification available: Certified in Cloud Security Knowledge, or CCSK. This certification is offered by the Cloud Security Alliance, the same organization that published the seminal Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 (PDF download).

Candidates who wish to earn the CCSK must take a 50-question, one-hour exam testing their knowledge of cloud security. More information on earning the certificate is available here.

CISSP Study Group Formed

Seattle (WA USA) Sept 8, 2009. Noted security expert Peter H. Gregory, CISA, CISSP, DRCE, who started CISA and CISM certification study groups in 2002, has launched a CISSP certification study group. Like the CISA and CISM groups, the new CISSP study group is hosted by Yahoo Groups.

This group is for technology and security professionals who are interested in learning more about the CISSP certification, as well as for instructors who teach courses on information security. People who are already certified are also invited to join as “mentors” who can help those who are just starting out.

People who are interested in joining the group may go to the following URL:

http://groups.yahoo.com/group/CISSP-study/join

People who are already members may go to the group at this URL:

http://groups.yahoo.com/group/CISSP-study

The CISSP Study group will have the following features:

* Message archive
* Moderated messages (no spam)
* File uploads
* Links pages
* Surveys

Only active members of the group may access these features.

Topics that will be discussed in the forum include:

* CISSP qualifications
* CISSP study tips
* CISSP study books and courses
* CISSP study questions
* Registering for the certification exam
* Test tips
* Questions on any topic of information and business security

How to study for the CISSP examination

Whitepaper by Ernie Hayden, a noted security expert, on studying for the CISSP exam.

Download here (PDF)

How to use FaceBook and keep (or get) your job

If you Google “facebook fired”, you will find dozens of media articles with examples of workers who lost their jobs because of material on their personal Facebook pages. Google “facebook hire” and you will likewise find a lengthy list of articles citing the growing number of employers who search for prospective employees’ Facebook, LinkedIn, and MySpace pages to get a more complete picture of the character of the person they are recruiting.

The problem that employers have with personal Facebook pages is that they permit widespread viewing of the true character of their employees. For example, an employer that is a bank does not want to discover that its personal bankers (tellers and loan officers) wear a suit and tie by day and drink, carouse, and use drugs by night. In the digital world, such discoveries are made daily and threaten the perceived integrity of businesses and of their choices in employees.

You might ask: what business is my private life to my employer? Answer: none, provided it does not impair your ability to perform your duties. But when you place details of your private life on your Facebook page, it is no longer private; it is published to the world. Your private life is only private if you keep it to yourself. Whatever you put on a blog, Facebook, MySpace, or any other online medium, you are opening those details of your private life to public scrutiny.

Employers have a real problem with that. What is an employer to do when it discovers that a trusted employee has a private life that seriously compromises the employer’s otherwise untarnished image? Because the employer itself is not publishing this information, it cannot control what is published, or who has read it. In some cases an employer must fear the worst and assume that customers, executives, regulators, and others may have seen this information, which could result in a messy PR debacle.

My advice: examine Facebook’s privacy settings. Make your postings, pictures, links, and so on visible only to your Friends (not your Friends of Friends, not your Networks, not Everyone). Limit who can write on your Wall to only your Friends. Limit or block Facebook Applications completely. Make sure that only you can see photos tagged of you.

Remember: any of your Friends can share any post, link, note, or photo on your Facebook page with any outsider. Therefore, your central principle should be: do not post any status, link, note, photo, or anything else on Facebook that you might have to explain to your employer (or prospective employer) at any time in the future.

But more than this: scour your Facebook profile for any existing posts or photos. Delete anything that could cause embarrassment (or worse) in the future if your privacy settings were suddenly changed or if someone turns against you and discloses the contents of your Facebook profile.

View your Facebook profile from the perspective of one of your friends (you can do this in Privacy > Profile), to make sure it reveals no more than you wish.

There are a lot of reasons to lose your job: layoffs, reduction in force, going out of business. Don’t add a preventable indiscretion to the list.