Category Archives: career

Cybersecurity Pros: Be Sure To Stay Relevant

The tech sector is experiencing layoffs in significant numbers – tens of thousands, perhaps even hundreds of thousands by now. I’m old enough to remember several recessions – this is all a normal part of the boom-bust business cycle.


Several tech industry articles (here, here, and here) cite that cybersecurity professionals are still in high demand.

If you are a cybersecurity professional, I caution you to avoid thinking you are layoff-proof: many cybersecurity professionals are losing their jobs. Instead, take an inventory of your skills and certifications, and identify any gaps that might make you a weak candidate if you find yourself in the job market. Even in our business, applicants are quite competitive, so I’d advise you to honestly appraise the effectiveness and visual appeal of your resume. Hire a resume coach if you need to. I don’t want to see you unprepared if you are caught in a layoff.

To help identify skills gaps, look at cybersecurity job listings on LinkedIn, Indeed, or whatever platform you prefer. Understand what skills and experience companies are looking for, and how you compare. There is no better time to be honest with yourself.

I’m speaking from experience: I’ve been laid off twice in my career. It hurts a lot, and it can be hard at times to keep a positive attitude. I’ve been through all of it. Don’t blame yourself if you are targeted for a reduction in force.

High-Tech Careers and Imposter Syndrome

While mentoring a colleague today, I pulled two independent concepts into the same thought: how many in high-tech careers feel the tug of imposter syndrome.

While the term imposter syndrome has been around for quite a while, somehow I had never heard it myself until a couple of years ago. A different colleague of mine was apparently feeling a bit overwhelmed by their job responsibilities and the experience they brought to the job. Wikipedia defines imposter syndrome as “a psychological occurrence in which an individual doubts their skills, talents, or accomplishments and has a persistent internalized fear of being exposed as a fraud.”

I will now wind the clock back twenty-five years or so, when I worked at a skunkworks project at AT&T Wireless known as Project Angel. There, we were hiring a dozen or more engineers every week, including electrical, power, mechanical, RF, software, and others. My job was building IT infrastructure (desktops, servers, storage, security, network, Internet) to support the growing workforce. After an interview debrief, where we discussed a candidate who met some of the job requirements but fell short of others, I asked the VP of engineering why we were going to go ahead and hire that engineer anyway. The VP replied, “Peter, in high-tech, people want to keep learning and growing. Usually, a candidate will only apply for a job for which they are only partly qualified, so that they can grow into the bigger role. Persons are not likely to apply for jobs for which they are fully qualified – where would the challenge be for them?” So, as a result, we had hundreds of engineers in the organization, few of whom were completely qualified to do the jobs for which they were hired (me included), but they counted on learning and growing into those jobs.

(image courtesy Aardman Animations)

It would make sense, then, that those engineers with a realistic awareness of their own capabilities and shortcomings would feel afflicted with imposter syndrome, particularly on those days when the skills deficit feels large.

This seems to be the way of high-tech professionals: we are driven to learn, grow, and stay current with the innovations in our fields of specialty. And often, because we feel that those shoes we are attempting to fill feel so large, imposter syndrome creeps in.

I’ve embraced the mindset of growing into one’s job from then onward, and found myself in such a state more often than not. For me, the secret to hiring the right people is to find those who are self-aware of their strengths and weaknesses, have a hunger for learning new things, and the initiative to do so without being asked.

Cross-Country Road Trip

I’d thought of a cross-country road trip all of my adult life, but never thought I’d have the opportunity or take the time to do it.

That all changed in June, 2022, when we purchased a moderately rare vehicle from a private party in Rhode Island and drove it home to Washington State.

a brief road stop at Painted Canyon, North Dakota

The journey was moderately stressful, as this was a new-to-us 17-year-old complex machine, and a couple of minor things didn’t work right. And the trip was a bit of a dash. I would have preferred to do the trip in two weeks instead of one, and take the time to see some of the sights.

Still, we saw a ton of farmland, and from our vantage point, realized again that America has vast agricultural resources that could feed the entire world. We live in the middle of farmland back home, so it was familiar to us, but there was so much of it to see along the little strip of land that was our journey’s path.

The entire trip – flying to Boston and driving back home – was nearly two weeks. It’s the longest stretch of vacation away from work I’ve had in decades. Unplugging from work was hugely valuable to me. As a type-A, I need to take more breaks, and am grateful for the opportunity to have done so.

My Favorite Interview Question

I’ve hired dozens of analysts and engineers in my career, and have always enjoyed the interview process to get to know prospective team members. And I have been interviewed plenty of times myself, so I’m familiar with the pressure we’re under to be hyper-focused on interviewers’ questions and comments, what is said, what is not said, and body language. Being interviewed is a welcome challenge and an exhilarating experience – although terrifying at times.

image courtesy techpreview dot com

I have realized that, when being interviewed, my hyper-focus may not be revealing the real me. So when I interview candidates, I have a favorite question that I like to ask near the end of the interview. For instance, if the candidate’s name is Charles, I would ask,

“Charles, in this meeting, we’ve seen a lot of what I like to call ‘interview Charles,’ who is highly focused on the conversation and exerting a lot of mental energy to be sure the conversation goes well. What I’d like to know is this: how is everyday Charles different from interview Charles?”

Over the years, I’ve seen a wide range of responses. This question has stumped a few candidates, meaning they may lack self-awareness. Or, they might feel like I’m trying to pierce a sacred veil, to go beyond the persona on display to the real person beneath. But this is precisely the point: interviewees are often nervous, and nervousness shows itself in various ways: they talk too much, too little, or they guard what they may feel are personality flaws so that I see only the highly professional, analytical thinker.

In an interview, we strive to show only our best side. As a result, we verbally redact a great deal about our personality – the human side of us. But that human side is exactly who we want to find and know. After all, there is a real prospect of working with this person every day for perhaps many years. We want to be sure we know who we are hiring and whether we will like working with them.

Ralph Pratt, My Career-Changing Mentor

My first professional job was in the M.I.S. (Management Information Systems – what they used to call IT) department at Washoe County, Nevada. I had a variety of responsibilities, including mainframe computer operations, backup tape librarian, programmer, and creator of training materials. I had developed software to track the hundreds of 9” magtape reels in the backup tape library in a language called MAPPER.

MAPPER was a bit like Excel and a bit like MS-Access. One could develop a variety of “lists” and even mimic some of the characteristics of a relational database management system. Also, various input forms, query forms, and reports could be developed. I maintained some MAPPER-based applications and wrote the tape library system to track the inventory of backup tapes, some of which were on long-term retention, as long as seven years.

I was one of the first MAPPER programmers at Washoe County, and was asked to teach a course on MAPPER programming to the other programmers in the department (about ten in all). The course was a two-day, all-day course in the M.I.S. training room. I took the programmers through all of the basics, and had them develop their own little application to get some hands-on practice. Two such courses were completed, and they went pretty well.

My boss’s boss, Ralph Pratt, was the operations manager at Washoe County M.I.S. Being in my mid-twenties, I considered him an old, crusty dude who was grumpy most of the time, and I considered him mostly unapproachable. I was not much of a relationship builder in those days. Anyway, Ralph called me into his office one day. He told me that he would like me to teach a modified version of the MAPPER course to the Washoe County Commissioners, the elected officials who oversee all county operations. The prospect of teaching this course to the commissioners was exciting and terrifying to me.

Ralph asked me to shut the door to his office. He told me that we would practice what it would be like to teach the course to the commissioners, who were all very non-technical. This was the time before the IBM PC, so the commissioners had little keyboard experience.

Ralph instructed me to begin the first course segment in his office in a role-playing exercise. I began to speak, and in my first or second sentence, Ralph barked, “Stop. You used a technical term – they won’t understand it. Start over.”

I started again, got a bit further, and then, “Stop.” Same reason.

We discussed for a moment. Leave all technical terms behind, Ralph told me.

I tried again and got a bit further.

Ralph stopped me half a dozen times or more. Our session lasted thirty or forty minutes.

In retrospect, this was the most valuable thirty minutes of my entire career.

This was the beginning of what I now call being “bilingual,” in an unconventional sense. When I use the term “bilingual,” I’m referring to the ability to speak to technologists in technical terms, and to speak to businesspeople in non-technical terms. Over many years, I would hone this skill in training and public speaking events, eventually writing numerous books on technology. I needed to explain complex technical concepts in easily-understood terms. I’ve gained the reputation of doing this well.

It all goes back to Ralph Pratt. Thanks, Ralph, and may you rest in peace.

Peter H Gregory’s Study Guides Available For Top-Rated Certifications

January 4, 2022

SEATTLE, Washington – Peter H Gregory’s top-selling certification study guides cover several of the highest-ranked certifications in the Salary Survey 75 list, including the #1 and #2 spots. Certification Magazine has just released its Salary Survey 75, the top 75 IT certifications ranked by U.S. salaries. The survey covered over 900 vendor and non-vendor certifications in IT, IT Security, and privacy. The survey also includes a “Simmering Salaries” list of certifications where certification holders’ salaries increased at least 7% in 2021.

Top-selling study guides written by Peter H Gregory include:

“I am pleased that my titles’ certifications have made such a strong showing,” says Peter H Gregory, who has published over forty books since 2000. “This success would not be possible, however, without strong support from McGraw-Hill Professional over the past thirteen years with the publication of the first edition of the CISA Certified Information Systems Auditor All-In-One Exam Guide.”

Gregory has written a total of twelve titles for McGraw-Hill Professional since 2009, including CRISC Certified in Risk and Information Systems Control All-In-One Exam Guide, second edition, co-authored with Bobby Rogers and Dawn Dunkerley, available for pre-order and expected to be available in late March 2022. Gregory’s other notable books include CISSP For Dummies (first published in 2002, now in its 7th edition), CISSP Guide to Security Essentials, second edition, Chromebook For Dummies, and Solaris Security. “All of my published books have fueled my passion for helping IT professionals successfully pursue IT security and privacy careers,” Gregory adds. “The skills that my readers learn enable them to better understand how to protect their organizations’ sensitive information and critical systems.”

About Peter H Gregory

Peter H Gregory is a career information security and privacy leader. He is the author of over forty books on information security and emerging technology. Visit him at

For interviews with Peter H Gregory, please contact: peter.gregory [at]

# # #

You are free to disseminate this news story. We request that you reference Peter H Gregory and include his web address,

My CISSP Journey, Part 6: Earning and Recording CPEs

Like many professional certifications and designations, CISSP requires that certification holders complete a minimum number of continuous professional education (CPE) hours each year. This requirement makes sense to me, as the information security profession is still changing at a high rate. Were it not for this continuing education requirement, many who earn the CISSP and other certifications would quickly fall behind, and those who had earned the certifications would become irrelevant.

Today, (ISC)² requires CISSP holders to earn 120 CPEs in each three-year cycle and no fewer than 20 CPEs in any individual year. So this is an average of 40 CPEs, or forty hours of training, annually.

Many of us are fortunate enough to attend one or two conferences each year, and alone this would effectively satisfy the 40-hour requirement. But not all of us are so lucky: the rest of us have to earn our CPEs an hour at a time.

In earlier years (before 2005, in my estimation), this was a challenge, but no more. Today, each year, there are scores of opportunities to attend vendor product demos and free instructional sessions from (ISC)², ISACA, and other associations. There are so many that you can pick and choose those that are of greatest interest to you.

The dark side to CPEs, if there is one, is that we are required to keep precise records of our CPEs. I suggest you create a spreadsheet that lists, line by line, each CPE event that you attend. More than that: (ISC)², ISACA, and others require that you retain evidence of your training. Some events will email you a certificate of completion, and others will provide a certificate download capability at the conclusion of an event. Some do not provide anything at all, so I make it a point to take a few screenshots of the event.

Sample CPE Listing

(ISC)², ISACA, and other associations will randomly audit members’ CPE records to see whether they are truthful in their claims. I was audited by ISACA many years ago, and while I had a good listing of events that I attended, I did a poor job of retaining evidence. Still, I passed the audit because I did have evidence for at least some of the events I attended. The audit put the fear of God in me, and ever since that time, I meticulously obtain and retain evidence for every event I attend. As the published author of several security and privacy-related exam guides in which I stress the importance of good CPE recordkeeping, I doubt that (ISC)², ISACA, or any other organization would cut me any slack at all. And so it should be.

In Part 7: paying it forward.

My CISSP Journey, Part 5: Earning the CISA

In the first four parts of this series, I describe my preparation for the CISSP exam, writing exam questions, proctoring exams, and writing study guides for two different publishers. My CISSP journey took a second, parallel path when I had the opportunity to earn another certification.

I don’t remember now where I first heard of the CISA certification, but it had to be in 2001, early in the purely-security part of my career. CISA, or Certified Information Systems Auditor, is a certification from ISACA (then known as the Information Systems Audit and Control Association, but now simply known as ISACA). CISA was established in 1978, whereas CISSP is much younger, established in 1994.

My distinct impression in 2001 was that possessing the CISSP and CISA certifications together was a Golden Ticket in the information security industry. I was young and aspired to more significant roles in the business, so I pursued the CISA with vigor.

I am grateful that my employer purchased CISA study materials for me, which consisted of a large question bank and extensive study materials. While there is considerable overlap between the CISSP and CISA certifications in terms of the domains of required knowledge, I soon learned that the vocabulary of information security was far more extensive than portrayed by CISSP. I especially struggled with the terminology and practices of IS audit, having been audited but not having been an auditor. Still, I was determined to succeed.

I registered for and sat for the CISA exam in June 2002. The exam itself was every bit as difficult as the CISSP examination and was Scantron-based as well. It’s incredible how you can get a cramp in your hand filling in little bubbles, although I think this is in combination with the mental stress that accompanies it.

Like the CISSP exam, I thought I had failed, as the exam questions were tough. However, a month or so later, a letter came in the mail from ISACA that told me that I had passed! I was over the moon and wore the twin monikers CISSP and CISA proudly.

A year later, ISACA released the new Certified Information Security Manager (CISM) certification, and I had an opportunity to earn it through ISACA’s grandfathering process. I thought to myself: I have the CISSP and CISA certifications; why do I need any more? I did not pursue the CISM grandfathering opportunity, a decision I would later regret for almost a decade. I did, eventually, sit for and pass the CISM exam, by the way.

In later years, I would earn more certifications in other topics such as disaster recovery planning, cloud security, privacy, and cardholder security – some grandfathered, some with arduous study and exams.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

My CISSP Journey, Part 4: Writing a Study Guide

In the earlier parts of this series, I describe my experience preparing for and taking the CISSP exam, and later when I had an opportunity to write exam questions and proctor exams. In this part, I tell the story of my chance to write certification study materials.

In part 1 of this series, I mentioned that there were no available books for self-study for the CISSP exam, but instead, I borrowed a colleague’s binder from his in-classroom training a few years before, in the late 1990s.

As today’s story begins, I had written three books: Solaris Security, Sun Certified System Administrator for Solaris 8 Study Guide, and Enterprise Information Security. In another part of the country, Wiley Publishing and an author were working on the first edition of CISSP For Dummies, a user-friendly study guide for the CISSP exam. The project was apparently behind schedule, and the acquisitions editor at the publishing company called me on the phone one day and asked if I’d be willing to help out. We negotiated an agreement that survives to this day, in which I am co-author of CISSP For Dummies. Over the last nineteen years, we have published six editions of the book and will soon be working on the seventh edition.

The book covers all of the knowledge domains that a CISSP candidate is expected to know to pass the exam. I especially like the For Dummies style, as we write in a friendly, more casual style while still imparting the knowledge required.

Starting with the 5th edition published in 2016, CISSP For Dummies is the only CISSP study guide approved by (ISC)², and it says so prominently on the cover. This is an endorsement that is not included in any other CISSP study guide.

I genuinely felt like my writing career was going to be sustained, as I had by this time written major titles for three different publishers on two continents. Feeling like I was not writing up to my true potential, I hired a literary agent in 2006, who found more publishing opportunities for me. One of the first such opportunities was to write an academic study guide for the CISSP exam for a publisher that sells direct to colleges, universities, and vo-tech schools. In 2009, the first edition of CISSP Guide to Security Essentials was published. The instructor edition includes the book and explanations for the study questions in the book, along with a complete set of PowerPoint slides to be used for classroom or virtual classroom instruction. CISSP Guide to Security Essentials was published in a second edition in 2015.

In Part 5: earning the CISA and other certifications.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

My CISSP Journey, Part 1: The CISSP Exam

In the 1990s, my IT engineering and management career was thriving. I led a team of about 15 seasoned professionals and worked in a business unit where information security was a key objective. We rose to the challenge and brought several key capabilities into our work environment, including multi-factor authentication, encrypted remote access (via modem), firewalls, and hardened servers and workstations. My part of the enterprise fared quite well in penetration tests conducted by an outside firm.

Before this time, I had spent years in computer operations and more years in Unix and C-based software engineering, so my IT background was quite broad. This experience proved later to be a solid foundation for my pivot into security.

In 1998, I was looking for a good book on Solaris security but could find nothing at all. I called one of my publisher connections at Sun Microsystems Press and secured a book deal to write the book, Solaris Security. Writing this book proved to be a great learning opportunity to shore up my knowledge in various areas.

In 1999, I met a colleague, Bob Maynard, who had his CISSP certification. Before knowing Bob, I had not met anyone with this certification, and it intrigued me. I looked at the (ISC)² website and decided that I would pursue this certification.

There were no books in print in 1999 or 2000 on the CISSP certification. The only available training was directly from (ISC)², and it was expensive even then. But my colleague Bob had his giant three-ring binder from the course that he had taken the year before, and he agreed to let me borrow it for a few months. He said apologetically that he had written numerous notes on the pages, which I told him would add more value.

In 2000, the CISSP exam was offered only once per year in Seattle, and I had just missed it. I found an exam in November in Colorado Springs, booked a flight, and registered for the exam.

I pored over Bob’s CISSP course binder studiously for months, right up to the night before the exam. There were no practice exams of any kind, so I was unsure of whether I would pass.

The exam itself was arduous – and that’s about as nicely as I can describe it. At that time, the proctor in the room would pass out the exam books, which were sealed and serial-numbered, and we were instructed to make no mark of any kind in them. Next, the Scantron sheets were handed to us, and we were directed to fill in our names and other information. As you may know, Scantron involves the use of a pencil and filling in little bubbles that are machine scanned. Your hand will become sore after filling in more than three hundred of these bubbles, but that’s not the worst of it.

Typical Scantron answer sheet

The exam questions are brutal. Rather than black-and-white, they explore shades of grey and challenge your intimate knowledge of the subject matter, which ranges from the desired height of security fences to hashing algorithms. The CISSP test at that time consisted of 250 questions, with a six-hour time limit to answer them all. I used nearly all of the six hours, double-checking several of my answers. I turned in my exam sheet, not at all confident of my prospects for passing.

I drove back to the airport, turned in my rental car, and boarded my flight back to Seattle. I fell asleep on the plane before they shut the door, and the flight attendant had to rouse me in Seattle, where I was the last passenger to disembark the aircraft. I usually don’t sleep on airplanes; for me, this was an outward sign of my mental exhaustion after taking the exam.

In Part 2: writing CISSP exam questions.

In Part 3: proctoring CISSP exams.

In Part 4: writing a CISSP study guide.

In Part 5: earning the CISA and other certifications.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

Where Are You Going?

While hiking in the hills near our mountain cabin one day, I realized that I was looking down at each step. The terrain was uneven, full of brush, rocks, critter holes, and other obstacles. In a moment of realization, I stopped and looked out in front of me. I realized that, for several minutes, I had not been looking at where my walking was taking me.

Our jobs and our careers are like a hike on uneven ground. We make small and large decisions, interact with people, often only in the moment, without pausing to look up to see where these daily activities are taking our careers. When working only in the moment, we are surrendering control of our careers to others and to chance, rather than taking the reins and going where we want.

Like walking or hiking, it’s essential to make good in-the-moment decisions, but we must occasionally stop to see where our steps are taking us, and change direction when needed.

Also, remember to stop and enjoy the view.


A reader recently asked me about the CISM versus the CISSP. Specifically, he asked, “How hard is the CISM for someone who passed the CISSP?”

Having earned both certs (and a few more besides), and having written study guides for both, I felt qualified to help this individual. My answer follows.

CISM is much heavier on security management and risk management than CISSP. You’ll have to study these topics, and the business side of information security. To paint with a broad brush, you could say that CISM is for CISOs while CISSP is for security engineers. That, in essence, is the distinction.

Oh, and there’s a great study guide out for the CISM:

I passed my CISSP almost 20 years ago while I was still a hands-on technologist. I studied for my CISA two years later. I learned through my ISACA CISA study materials (provided by my employer) that ISACA has a vastly different vocabulary for infosec than does (ISC)². Think of it as a business perspective versus an engineering perspective. Both are right, both are valid, both are highly valued in the employment market. But they are different. Master both, and you’ll be a rare treasure.

Study guides for CISSP:

CISSP For Dummies

CISSP Guide to Security Essentials

Study guides for CISM:

CISM All-In-One Exam Guide



State University Gives Copies of Security Career Books to Students

Earlier this year, Georgia State University asked me to speak at an information session for students in its Masters of Science in Information Systems (MSIS). Students needed to choose their study concentration; my job was to describe the information security profession to them so that they could choose whether to elect the security concentration, or one of two other concentrations.

The university gave to all of its MSIS students a copy of one of my recent books, Getting an Information Security Job For Dummies. University officials recognized that the book accurately describes the profession, how professionals can learn more about the profession, career choices within the profession, and steps someone can take to get into the profession.

After my talk, university officials informed me that twenty-five students elected to pursue the information security concentration. This was greater than they expected, and they were pleased with the outcome. They expressed their gratitude to me for the time I took to describe the profession to them and answer their questions.

Padding Your Resume

It’s a popular notion that everyone embellishes their resume to some extent. Yes, there is probably some truth to that statement. Now and then we hear a news story about people “padding their resumes”, and once in a while we hear a story about some industry or civic leader who is compelled to resign their position because they don’t have that diploma they claimed to have on their resume.

Your resume needs to be truthful. In the information security profession, the nature of our responsibility and our codes of ethics require a high standard of professional integrity. More than in many other professions, we should not ever stretch the truth on our resume, or in any other written statements about ourselves. Not even a little bit. Those “little white lies” will haunt us relentlessly, and the cost could be even higher if we are found out.

– first draft excerpt from Getting An Information Security Job For Dummies

Understanding success in an information security job

There is a basic truth of information security jobs that can be intensely frustrating to some people but represents an exciting challenge to others: your guidance on improving security and reducing risk will often be ignored.

Many security professionals have a difficult time with the feeling of being ineffective. You can spend considerable time on a project that includes recommendations on improving security, and many of those recommendations might be disregarded. A track record of such events can make most professionals feel like a failure.

A security professional needs to understand that they are a change agent. Because information security practices are often not intuitive to others, your job will often involve working with others so that they will embrace small or large changes and do their part in improving security in the organization. To be an effective change agent, you need the skills of negotiation and persuading others to understand and embrace your point of view and why it’s important to the organization.

You need to realize, however, that even if you are a skilled negotiator, you still won’t get your way sometimes. This should not be considered a failure, and here’s why: it’s our job to make sure that decision makers make informed decisions, considering a variety of factors including security issues. As long as decision makers make informed decisions (meaning, we have informed them of the risks associated with their choices), we have done our job, and we need to be comfortable knowing that sometimes decisions are made that we don’t agree with.

– Excerpt from Getting An Information Security Job For Dummies, to be published in 2015

Reno, Nevada

I am visiting Reno, Nevada after quite a long absence. I’m here to speak at a professional event on the topic of human factors and data security (in other words, why we continue to build unsecure systems).

My IT career started here in Reno, with on-campus jobs in computing (operations and software development), and later in local government, banking, and casino gaming. Each job built on the last, and I gained positions with greater responsibility, creativity, and rewards of various sorts.

I buried my young son in Reno – it seems like many lifetimes ago. He was my first stop. Time is a great healer – you’ll have to trust me on this one, if you have recently suffered a big loss.

I looked up a couple of long-time friends, but waited until the last minute. They’re probably busy with their own lives today.

Done with my coffee stop and time to check in to my hotel. My talk is tonight, and then I’m back on the road tomorrow with other stops in the Pacific Northwest.

Insights into CRISC certification quality

I spent the previous Friday and weekend at ISACA HQ in Chicago at a workshop. The objective: to examine about 360 candidate exam questions for the CRISC (Certified in Risk and Information Systems Control) certification.

There were about 30 of us who worked in three independent groups, each consisting of a facilitator (Richard Norman, a security manager in the UK), a scribe (Kim Cohen, the Certification Exam Development Manager at ISACA), and 8 risk management experts from many different organizations including Bank of America, Caterpillar, Premera Blue Cross, and Verizon Business.

We had our work cut out for us. Each group had about 120 exam questions to examine, discuss, edit, and ultimately determine whether each was a good question based on many different quantitative and qualitative measurements. Oftentimes our discussion of a question became a discussion about security or risk management practices (including what companies should be doing and what they are actually doing). Richard, our facilitator, and Kim, our scribe, kept us on task and on pace.

The hard work began long before the three-day weekend. Going back to May 2013, we each began our training on writing certification exam questions for ISACA, and over a four- or five-week period we each wrote a total of twenty exam questions. Anyone who thinks this is an easy task does not understand the rules and the discipline required for the task. It is quite difficult.

I’ve been trained by two other certification organizations in exam question writing, but ISACA has really upped the game. The rigor and quality that ISACA puts into certification exam question development is impressive. There are several levels of review, by different teams of vetted subject matter experts, on each question before it sees the light of day. And the analysis does not stop after the exam question has been finalized and approved. Analysis of how test takers answer the question continues throughout the life of the exam question. It is no wonder that CRISC won the Certification of the Year Award from SC Magazine.

ISACA has been in the certification business longer than just about anyone in information technology. ISACA itself started in the 1960s, and the CISA certification began in the 1980s; tens of thousands of security and IS audit professionals have earned the CISA certification, and it remains one of the top IT security certifications today.

The Disintermediation of Corporate IT

Information Technology is the department in many organizations that has, historically, taken on the challenging tasks of systems engineering, network engineering, database management, and software development – all in support of business applications that support (and, in some cases, make possible) key business processes.

In recent years, cloud computing and all of the “as a service” offerings (software as a service, infrastructure as a service, storage as a service) have taken some pressure off of corporate IT with regard to the resources required to host, install, and manage key applications. IT departments have seen this as a good thing, but a longer view of this trend should be considered a bellwether of change: IT departments are going to shrink in size considerably, since those skills will no longer be needed in many organizations.

Think about it. Today, it’s possible for an organization to farm out all of its business applications to external service providers: from e-mail to intranet sites, many companies can get away with virtually no servers in their environment. Instead, everything will be accessible via the Internet.

The same goes for the networks supporting so-called “desktop” environments. With a few WiFi access points, network wiring out to employees’ desks is a thing of the past. In many cases, an organization’s business network can be a few WiFi access points and one of those all-in-one boxes for Internet connectivity.

Remote access also becomes a has-been. With nothing in the corporate network to access, users access virtually all corporate resources via the Internet with no special access required.

In terms of the IT labor force, this does reflect a trend whereby corporations consuming IT services will require fewer IT workers, while IT service providers will require more. However, those service providers will require only a fraction of the personnel displaced by their services. As a result, a typical IT department of the future may consist of a CIO, some data architects and scientists, some business analysts and project managers, and little else.

This disintermediation has been seen in IT in the past. Decades ago, most organizations wrote custom applications for many of their key business processes, because there were few, if any, common off-the-shelf (COTS) applications available. There were large numbers of software developers and other personnel dedicated to the development and ongoing maintenance of these applications. But over time, fewer custom applications were needed since there were many good products that IT departments could purchase, install on company servers, and operate. This trend is simply continuing, where even the hosting of these applications is moving from client organizations to cloud service providers. Soon there won’t be a need for data centers, or even wiring closets, in most organizations. This should be seen as a natural progression of innovation and improving efficiencies.

Even the department name Information Technology may give way to Information Management. After all, there will be little or no visible technology, since it will be hosted by service providers. Instead, companies will be managing information located elsewhere, and hosted, stored, and processed on their behalf by other organizations.

While the outlook for talented IT personnel may be good today, I believe the trend of disintermediation will, slowly at first, reduce demand for IT talent in many organizations. The shortage of IT personnel today may be a glut in a few years.

How to make 2013 your breakout year

SEATTLE. January 1, 2013, 12:01am

A person or organization has a breakout year when their skills and accomplishments help them ascend to a higher level of responsibility, visibility, and achievement. Often, someone has a breakout year when they are involved in situations where they excel and produce great results that are widely recognized. Often that leads to those persons or teams being rewarded with even greater responsibility, and more opportunity for achievement and greatness.

We can’t all be a Chris Christie, Andrew McCutchen, or Dan Straily, but we can excel and advance nonetheless. We can “bloom where we’re planted” and improve our lot and that of others.

Set Your Sights High

It is often said that high achievers get that way by setting big goals. Do not be afraid to set a “big hairy audacious” goal for yourself, and then do what you can to achieve it.

Don’t Be Discouraged by Failure

The world’s great achievers (including Edison, Tesla, Curie, and Churchill) did not become famous overnight, nor were they born with superhuman qualities. Instead, they had only fierce determination and a drive to keep trying despite repeated failures and setbacks. Every time they met failure, they got up, dusted themselves off, and set their eyes back on their goals and tried again.

Remember that every great achiever failed numerous times before they succeeded. Learn from your setbacks and try again!

Adopt a Servant’s Attitude

Ronald Reagan once said, “There is no limit to what you can accomplish if you don’t care who gets the credit.” So many people are distracted by posturing, politicking, and looking good – that’s all energy they could be putting into their effort instead. An individual or a team that is focused on meeting goals instead of looking good is far more likely to accomplish what it has set out to do.

I invite you to adopt a new ethic in your work. Rather than dedicate yourself to service to yourself, make it your life’s purpose to serve others. You’ll be surprised at the results, and the rewards you will receive by putting others first.

Adversity May Be Your Path

A breakout year may not mean fame, glory, and riches. Instead, you may find yourself going through difficulties that may be causing you to ask, “Why me?” However, this may be the path that takes you to your own breakout year.

Years ago, I faced adversity in my personal life that shook me to the core. Those who know me understand when I call that time my “dark year(s).” But it was in the face of that adversity that my circumstances changed in miraculous ways, leading to a breakout year in both my personal and professional life. In many ways I’ve been riding the crest of that wave from then until now.

Don’t Take Yourself Too Seriously

I know plenty of people who are obsessed with what they are doing every minute of the day, and how they appear to others. To that I would say, “relax!” Allow yourself to make mistakes, and even take a moment (perhaps later on) to laugh a little bit at the memory of some of your blunders.

The most powerful thing you control, in everything that your career and your life have to offer you, is your response to the things that happen to you, for better or worse. Keep your chin up and remember that you will be here another day – a day of potential triumph.

* * *

Make this your breakout year. After all, you deserve it – you really do. This will be my breakout year, and there’s plenty enough for the both of us.

LinkedIn skills endorsements add buzz but not much value

I’ve been a LinkedIn user for about eight years, and I’m highly appreciative of its business networking focus. LinkedIn has facilitated many fruitful business opportunities that might not have happened otherwise.

LinkedIn has been adding new features, and one of the newest is the Skills feature. A while after adding Skills, LinkedIn now provides a means for users to “endorse” the skills of their connections. Upon first glance, I thought this would be a useful feature that would help to add credibility to one’s claims of business and technical skills. That is, until I started receiving endorsements from some of the people I am connected with.

LinkedIn endorsements

I’m grateful to my connections for endorsing my skills – make no mistake about it. However, I’ve received many skills endorsements from connections that do not actually know whether I have those skills or not. While their endorsements seem to strengthen my credibility, I now view other users’ profiles with some skepticism and wonder whether they really possess those skills or not. If people are endorsing my skills without actually knowing whether I have them, how do I know whether others have the skills they claim, even when endorsed?

LinkedIn is just another tool that people can use to embellish their resumes. While LinkedIn has great potential for helping people find each other based on their profession, location, skills, and other criteria, LinkedIn is no substitute for other methods for determining whether businesspeople actually possess the skills they claim.