Category Archives: certification

Cybersecurity Pros: Be Sure To Stay Relevant

The tech sector is experiencing layoffs in significant numbers – tens of thousands, perhaps even hundreds of thousands by now. I’m old enough to remember several recessions – this is all a normal part of the boom-bust business cycle.

Several tech industry articles (here, here, and here) cite that cybersecurity professionals are still in high demand.

If you are a cybersecurity professional, I caution you to avoid thinking you are layoff-proof: many cybersecurity professionals are losing their jobs. Instead, take an inventory of your skills and certifications, and identify any gaps that might make you a weak candidate if you find yourself in the job market. Even in our business, applicants are quite competitive, so I’d advise you to honestly appraise the effectiveness and visual appeal of your resume. Hire a resume coach if you need to. I don’t want to see you unprepared if you are caught in a layoff.

To help identify skills gaps, look at cybersecurity job listings on LinkedIn, Indeed, or whatever platform you prefer. Understand what skills and experience companies are looking for, and how you compare. There is no better time to be honest with yourself.

I’m speaking from experience: I’ve been laid off twice in my career. It hurts a lot, and it can be hard at times to keep a positive attitude. I’ve been through all of it. Don’t blame yourself if you are targeted for a reduction in force.

Peter H Gregory’s Study Guides Available For Top-Rated Certifications

January 4, 2022

SEATTLE, Washington – Peter H Gregory’s top-selling certification study guides cover several of the highest-ranked certifications in the Salary Survey 75 list, including the #1 and #2 spots. Certification Magazine has just released its Salary Survey 75, the top 75 IT certifications ranked by U.S. salaries. The survey covered over 900 vendor and non-vendor certifications in IT, IT Security, and privacy. The survey also includes a “Simmering Salaries” list of certifications where certification holders’ salaries increased at least 7% in 2021.

Top-selling study guides written by Peter H Gregory include:

“I am pleased that my titles’ certifications have made such a strong showing,” says Peter H Gregory, who has published over forty books since 2000. “This success would not be possible, however, without strong support from McGraw-Hill Professional over the past thirteen years with the publication of the first edition of the CISA Certified Information Systems Auditor All-In-One Exam Guide.”

Gregory has written a total of twelve titles for McGraw-Hill Professional since 2009, including CRISC Certified in Risk and Information Systems Control All-In-One Exam Guide, second edition, co-authored with Bobby Rogers and Dawn Dunkerley, available for pre-order and expected to be available in late March 2022. Gregory’s other notable books include CISSP For Dummies (first published in 2002, now in its 7th edition), CISSP Guide to Security Essentials, second edition, Chromebook For Dummies, and Solaris Security. “All of my published books have fueled my passion for helping IT professionals successfully pursue IT security and privacy careers,” Gregory adds. “The skills that my readers learn enable them to better understand how to protect their organizations’ sensitive information and critical systems.”

About Peter H Gregory

Peter H Gregory is a career information security and privacy leader. He is the author of over forty books on information security and emerging technology. Visit him at

For interviews with Peter H Gregory, please contact: peter.gregory [at]

# # #

You are free to disseminate this news story. We request that you reference Peter H Gregory and include his web address,

The Certification Conundrum

The world of certifications opened up to me in 1999, when one of my colleagues, a security manager, earned his CISSP. To the best of my recollection, that is my earliest knowledge of IT professional certifications. This was when I made my pivot from IT engineering to security engineering and, soon after, security management.


Immersed in IT security over several years, I already had the background and the experience, and passed my CISSP exam in November 2000 on the first attempt. Two years later, I studied for and earned my CISA. At the time, I thought that these two certs would be all that I would ever need. Funny how plans can go awry.

EC-Council released its CCISO (Certified Chief Information Security Officer) certification in 2011-2012 and offered me an opportunity to earn it through grandfathering. As is typical for security-related certifications, earning a certification through grandfathering involves a good deal of paperwork, documenting one’s experience in one or more domains, and having one’s current and former supervisors attesting in writing that the experience is genuine.

My reasons for obtaining the CCISO certification were two-fold: first, I wanted to show that I had the chops to be a security leader – a CISO. Second, I wanted to someday have a job where that was my job title, and I believed that having the cert would demonstrate that I had the background for such a job.

Four years later, I reached that goal, as the CISO for a Los Angeles-based public company, on a contracting basis, for two and one-half years. Mission accomplished.

A couple of years later, during certification renewal season, I re-evaluated all of my certifications and decided, for each, whether to renew them or not. For only the second time, I decided not to renew a certification, and I let my CCISO certification lapse.

Here was my thought process: I had had CISO in my job title for over two years, a testament that I had not only the desire, but the experience, of being a CISO. The CCISO cert felt like a proxy that was no longer necessary, since I had the real thing. For me, getting CISO after my name involved either the certification or the job title, and having both did not seem to add value.

I want to be clear on one thing: EC-Council is a fine organization, and my experience with them has been nothing but positive. This article is not a hit-piece on the organization or the certification, and I can understand that other security professionals may have different reasons for choosing to earn and retain the CCISO.

Checkbox CPEs

Those of us with security certifications like CISSP, CISA, CISM, and others are acutely aware of the need to get those CPE hours completed each year. Typically, we’re required to accumulate 40 hours per year and to keep accurate records of learning events, along with evidence that we did indeed attend those events.

I was audited once, over a decade ago, and came up a bit short on my evidence. Since then, I’ve been meticulous in my recordkeeping and maintaining proof of attendance. But this piece is not about recordkeeping.

Are you finding your CPE events to check the box? Or are you pursuing new knowledge and skills?

I’ll tell you a secret: the certification organizations don’t know whether you are doing the minimum to check the box or pursuing knowledge with enthusiasm. They don’t ask, and they don’t care.

You should care, however, and the difference will show. If you are just checking the CPE box, you will not be learning much, and you’ll be a weaker contestant in the employment market. By not making a real effort to grow professionally, you’ll slowly fall behind. While you may be able to fake it for a while, your learning negligence will catch up to you, and it will take considerable time and effort to dig yourself out of the hole you slid into. Not only will you have to spend considerable time catching up on security topics, but you’ll also have to undo the habit of doing the minimum to slide by.

My CISSP Journey, Part 5: Earning the CISA

In the first four parts of this series, I describe my preparation for the CISSP exam, writing exam questions, proctoring exams, and writing study guides for two different publishers. My CISSP journey took a second, parallel path when I had the opportunity to earn another certification.

I don’t remember now where I first heard of the CISA certification, but it had to be in 2001, early in the purely-security part of my career. CISA, or Certified Information Systems Auditor, is a certification from ISACA (then known as the Information Systems Audit and Control Association, but now simply known as ISACA). CISA was established in 1978, whereas CISSP is much younger, established in 1994.

My distinct impression in 2001 was that possessing the CISSP and CISA certifications together was a Golden Ticket in the information security industry. I was young and aspired to more significant roles in the business, so I pursued the CISA with vigor.

I am grateful that my employer purchased CISA study materials for me, which consisted of a large question bank and extensive study materials. While there is considerable overlap between the CISSP and CISA certifications in terms of the domains of required knowledge, I soon learned that the vocabulary of information security was far more extensive than portrayed by CISSP. I especially struggled with the terminology and practices of IS audit, having been audited but not having been an auditor. Still, I was determined to succeed.

I registered for and sat for the CISA exam in June 2002. The exam itself was every bit as difficult as the CISSP examination and was Scantron-based as well. It’s incredible how you can get a cramp in your hand filling in little bubbles, although I think this is in combination with the mental stress that accompanies it.

As with the CISSP exam, I thought I had failed, as the exam questions were tough. However, a month or so later, a letter came in the mail from ISACA that told me that I had passed! I was over the moon and wore the twin monikers CISSP and CISA proudly.

A year later, ISACA released the new Certified Information Security Manager (CISM) certification, and I had an opportunity to earn it through ISACA’s grandfathering process. I thought to myself: I have the CISSP and CISA certifications; why do I need any more? I did not pursue the CISM grandfathering opportunity, a decision I would later regret for almost a decade. I did, eventually, sit for and pass the CISM exam, by the way.

In later years, I would earn more certifications in other topics such as disaster recovery planning, cloud security, privacy, and cardholder security – some grandfathered, some with arduous study and exams.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

My CISSP Journey, Part 1: The CISSP Exam

In the 1990s, my IT engineering and management career was thriving. I led a team of about 15 seasoned professionals and worked in a business unit where information security was a key objective. We rose to the challenge and brought several key capabilities into our work environment, including multi-factor authentication, encrypted remote access (via modem), firewalls, and hardened servers and workstations. My part of the enterprise fared quite well in penetration tests conducted by an outside firm.

Before this time, I had spent years in computer operations and more years in Unix and C-based software engineering, so my IT background was quite broad. This experience proved later to be a solid foundation for my pivot into security.

In 1998, I was looking for a good book on Solaris security but could find nothing at all. I called one of my publisher connections at Sun Microsystems Press and secured a book deal to write the book, Solaris Security. Writing this book proved to be a great learning opportunity to shore up my knowledge in various areas.

In 1999, I met a colleague, Bob Maynard, who had his CISSP certification. Before knowing Bob, I had not met anyone with this certification, and it intrigued me. I looked at the (ISC)² website and decided that I would pursue this certification.

There were no books in print in 1999 or 2000 on the CISSP certification. The only available training was directly from (ISC)², and it was expensive even then. But my colleague Bob had his giant three-ring binder from the course that he had taken the year before, and he agreed to let me borrow it for a few months. He said apologetically that he had written numerous notes on the pages, which I told him would add more value.

In 2000, the CISSP exam was offered only once per year in Seattle, and I had just missed it. I found an exam in November in Colorado Springs, booked a flight, and registered for the exam.

I pored over Bob’s CISSP course binder studiously for months, right up to the night before the exam. There were no practice exams of any kind, so I was unsure of whether I would pass.

The exam itself was arduous – and that’s about as nice as I can describe it. At that time, the proctor in the room would pass out the exam books, which were sealed and serial numbered, and we were instructed to make no mark of any kind in them. Next, the Scantron sheets were handed to us, and we were directed to fill in our names and other information. As you may know, Scantron involves the use of a pencil and filling in little bubbles that are machine scanned. Your hand will become sore after filling in more than three hundred of these bubbles, but that’s not the worst of it.

Typical Scantron answer sheet

The exam questions are brutal. Rather than black-and-white, they explore shades of grey and challenge your intimate knowledge of the subject matter, which ranges from the desired height of security fences to hashing algorithms. The CISSP test at that time consisted of 250 questions, with a six-hour time limit to answer them all. I used nearly all of the six hours, double-checking several of my answers. I turned in my exam sheet, not at all confident of my prospects for passing.

I drove back to the airport, turned in my rental car, and boarded my flight back to Seattle. I fell asleep on the plane before they shut the door, and the flight attendant had to rouse me in Seattle, where I was the last passenger to disembark the aircraft. I usually don’t sleep on airplanes; for me, this was an outward sign of my mental exhaustion after taking the exam.

In Part 2: writing CISSP exam questions.

In Part 3: proctoring CISSP exams.

In Part 4: writing a CISSP study guide.

In Part 5: earning the CISA and other certifications.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

State University Gives Copies of Security Career Books to Students

Earlier this year, Georgia State University asked me to speak at an information session for students in its Masters of Science in Information Systems (MSIS). Students needed to choose their study concentration; my job was to describe the information security profession to them so that they could choose whether to elect the security concentration, or one of two other concentrations.

The university gave to all of its MSIS students a copy of one of my recent books, Getting an Information Security Job For Dummies. University officials recognized that the book accurately describes the profession, how professionals can learn more about the profession, career choices within the profession, and steps someone can take to get into the profession.

After my talk, university officials informed me that twenty-five students elected to pursue the information security concentration. This was greater than they expected, and they were pleased with the outcome. They expressed their gratitude to me for the time I took to describe the profession to them and answer their questions.

Insights into CRISC certification quality

I spent the previous Friday and weekend at ISACA HQ in Chicago at a workshop. The objective: to examine about 360 candidate exam questions for the CRISC (Certified in Risk and Information Systems Control) certification.

There were about 30 of us, working in three independent groups, each consisting of a facilitator (Richard Norman, a security manager in the UK), a scribe (Kim Cohen, the Certification Exam Development Manager at ISACA), and 8 risk management experts from many different organizations including Bank of America, Caterpillar, Premera Blue Cross, and Verizon Business.

We had our work cut out for us. Each group had about 120 exam questions to examine, discuss, edit, and ultimately judge as good questions or not, based on many different quantitative and qualitative measurements. Oftentimes our discussion of a question became a discussion about security or risk management practices (including what companies should be doing and what they are actually doing). Richard, our facilitator, and Kim, our scribe, kept us on task and on pace.

The hard work began long before the three-day weekend. Going back to May 2013, we each began our training on writing certification exam questions for ISACA, and over a four- or five-week period we each wrote a total of twenty exam questions. Anyone who thinks this is an easy task does not understand the rules and the discipline required for the task. It is quite difficult.

I’ve been trained by two other certification organizations in exam question writing, but ISACA has really upped the game. The rigor and quality that ISACA puts into certification exam question development is impressive. There are several levels of review, by different teams of vetted subject matter experts, on each question before it sees the light of day. And the analysis does not stop after the exam question has been finalized and approved. Analysis of how test takers answer the question continues throughout the life of the exam question. It is no wonder that CRISC won the Certification of the Year Award from SC Magazine.

ISACA has been in the certification business longer than just about anyone in information technology. ISACA itself started in the 1960s, and the CISA certification began in the 1980s; tens of thousands of security and IS audit professionals have earned the CISA certification, and it remains one of the top IT security certifications today.