Category Archives: CISA

Checkbox CPEs

Those of us with security certifications like CISSP, CISA, CISM, and others are acutely aware of the need to get those CPE hours completed each year. Typically, we’re required to accumulate 40 hours per year and to keep accurate records of learning events, along with evidence that we did indeed attend those events.

I was audited once, over a decade ago, and came up a bit short on my evidence. Since then, I’ve been meticulous in my recordkeeping and maintaining proof of attendance. But this piece is not about recordkeeping.

Are you finding your CPE events to check the box? Or are you pursuing new knowledge and skills?

I’ll tell you a secret: the certification organizations don’t know whether you are doing the minimum to check the box or pursuing knowledge with enthusiasm. They don’t ask, and they don’t care.

You should care, however, and the difference will show. If you are just checking the CPE box, you will not be learning much, and you’ll be a weaker competitor in the employment market. By not making a real effort to grow professionally, you’ll slowly fall behind. While you may be able to fake it for a while, your learning negligence will catch up to you, and it will take considerable time and effort to dig yourself out of the hole you slid into. Not only will you have to spend considerable time catching up on security topics, but you’ll also have to undo the habit of doing the minimum to slide by.

Control Self-Assessment Advantages and Disadvantages

In my book, CISA Certified Information Systems Auditor All-In-One Exam Guide, control self-assessment is defined as follows:

“A methodology used by an organization to review key business objectives, risks, and controls. Control self-assessment is a self-regulation activity.”

Control self-assessment (CSA) is a tool used by internal audit, information security, and privacy professionals to better learn how internal controls are being operated. As the name implies, CSA consists of a directive sent to a control owner to ask him or her to answer specific questions about a particular control, and provide particular artifacts about the control to substantiate the answers to some of those questions.

While CSA can be conducted via e-mail, it is often a part of an integrated risk management (IRM) system, formerly known as a governance, risk, and compliance (GRC) system. An IRM can be used to collect information about controls and even score the results electronically.

Appropriately managed, CSA can extend the reach and visibility of internal audit activities, but it is not a silver bullet. I list some of the advantages and disadvantages of CSA here.

Advantages:

  • Saves time. More controls can be assessed in a given period, versus traditional walkthrough sessions that consume meeting time and may be difficult to schedule.
  • Extends visibility. Information about more controls can be obtained than through walkthrough sessions only.
  • Reinforces control ownership responsibility. By having control owners answer questions and provide artifacts on their own, CSA supports the concept that control owners are responsible for the effectiveness of their controls.
  • Digital record. Because CSA is usually performed electronically, it is not necessary to transcribe meeting notes.

Disadvantages:

  • Integrity. Because a control owner is answering questions and providing artifacts away from internal audit personnel, there may at times be a question of whether it was the control owner who answered the questions, and whether they altered any of the provided evidence.
  • Exploration. In a typical walkthrough, an internal auditor will ask follow-up questions based on responses to earlier questions. It can be exceedingly difficult to anticipate all possible responses to questions in a CSA questionnaire.
  • Body language. In an in-person walkthrough, an internal auditor will observe the body language of the control owner as a part of the overall assessment. Body language provides additional information that may help an internal auditor better understand where control weaknesses might exist.
  • Overburdening control owners. In an IRM (integrated risk management) system, it can be easy to “load up the CSA gun” and fire off numerous CSA assignments to control owners. Unlike in-person walkthroughs, which require a more equal time commitment between auditors and auditees, CSAs require little up-front time for internal audit. Internal auditors need to be cognizant that the effort to complete a CSA is asymmetrical: the control owner may have to spend considerable time answering questions and gathering artifacts.
  • Problem controls. A CSA should not be used alone for controls known to have problems. Controls with problems require deeper scrutiny in conversations that are difficult to script in a questionnaire.
  • Relationship. In-person control assessments help to establish and deepen relationships between internal auditors and control owners. Since they are purely digital, CSAs do little in this regard. As a corporate function, Internal Audit (and information security and privacy) need to be established as collaborative relationships. Establishing a relationship based on the assignment of digital tasks may hinder this effort.

Planned properly, control self-assessments can extend the reach and visibility of internal audit, information security, and privacy functions. However, because relationships with auditees are vital to the long-term success of these programs, CSA needs to be applied thoughtfully.

My CISSP Journey, Part 7: Mentoring Others

In this series, I’ve described my experience with the CISSP, including studying for the exam, writing exam questions and books, and earning CPEs. In this final part, I describe my work in helping others learn about information security and earn the CISSP certification.

There are too few of us in the information security field. While I’m not going to argue the reasons or the size of the shortfall, each of us in the profession can do our part to ease the situation.

If you have the CISSP today, you are a role model to others who aspire to earn it themselves someday. As a role model, others will see how you behave and conduct yourself according to the (ISC)² code of ethics. As I’ve said in my books, those of us in more senior positions in information security lead by example.


We can help aspiring security professionals advance in many ways. Besides leading by example, we can take someone under our wing and mentor them as they try to discern their career direction and figure out how to achieve their goals.  We can organize or support a CISSP study group (something I’m doing at my place of employment today). We can teach a course on information security to those who want to pivot their career from IT into information security. We can help others study for the CISSP and help them understand the required concepts.

Over twenty years ago, my colleague Bob Maynard loaned me his personal notes for months (I did gratefully return them), and others answered questions on topics I was still learning. Go and do likewise: as one or more persons helped you earn your CISSP, make it a point to help others do the same.

Series recap:

  • Part 1: studying for and taking the exam.
  • Part 2: writing CISSP exam questions.
  • Part 3: proctoring CISSP exams.
  • Part 4: writing a CISSP study guide.
  • Part 5: earning the CISA and other certifications.
  • Part 6: continuous education and CPE recordkeeping.
  • Part 7: mentoring others.

My CISSP Journey, Part 5: Earning the CISA

In the first four parts of this series, I describe my preparation for the CISSP exam, writing exam questions, proctoring exams, and writing study guides for two different publishers. My CISSP journey took a second, parallel path when I had the opportunity to earn another certification.

I don’t remember now where I first heard of the CISA certification, but it had to be in 2001, early in the purely-security part of my career. CISA, or Certified Information Systems Auditor, is a certification from ISACA (then known as the Information Systems Audit and Control Association, but now simply known as ISACA). CISA was established in 1978, whereas CISSP is much younger, established in 1994.

My distinct impression in 2001 was that possessing the CISSP and CISA certifications together was a Golden Ticket in the information security industry. I was young and aspired to more significant roles in the business, so I pursued the CISA with vigor.

I am grateful that my employer purchased CISA study materials for me, which consisted of a large question bank, and extensive study materials.  While there is considerable overlap between the CISSP and CISA certifications in terms of the domains of required knowledge, I soon learned that the vocabulary of information security was far more extensive than portrayed by CISSP. I especially struggled with the terminology and practices of IS audit, having been audited but not having been an auditor. Still, I was determined to succeed.

I registered for and sat for the CISA exam in June 2002. The exam itself was every bit as difficult as the CISSP examination and was Scantron-based as well. It’s incredible how you can get a cramp in your hand filling in little bubbles, although I think this is in combination with the mental stress that accompanies it.

As with the CISSP exam, I thought I had failed, as the exam questions were tough. However, a month or so later, a letter came in the mail from ISACA that told me that I had passed! I was over the moon and wore the twin monikers CISSP and CISA proudly.

A year later, ISACA released the new Certified Information Security Manager (CISM) certification, and I had an opportunity to earn it through ISACA’s grandfathering process. I thought to myself: I have the CISSP and CISA certifications; why do I need any more?  I did not pursue the CISM grandfathering opportunity, a decision I would later regret for almost a decade. I did, eventually, sit for and pass the CISM exam, by the way.

In later years, I would earn more certifications in other topics such as disaster recovery planning, cloud security, privacy, and cardholder security – some grandfathered, some with arduous study and exams.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

CISM vs CISSP

A reader recently asked me about the CISM versus the CISSP. Specifically, he asked, “How hard is the CISM for someone who passed the CISSP?”

Having earned both certs (and a few more besides), and having written study guides for both, I felt qualified to help this individual. My answer follows.

CISM is much heavier on security management and risk management than CISSP. You’ll have to study these topics, and the business side of information security. To paint with a broad brush, you could say that CISM is for CISOs while CISSP is for security engineers. That, in essence, is the distinction.

Oh, and there’s a great study guide out for the CISM: https://www.amazon.com/Certified-Information-Security-Manager-Guide-ebook/dp/B079Z1J87M

I passed my CISSP almost 20 years ago while I was still a hands-on technologist. I studied for my CISA two years later. I learned through my ISACA CISA study materials (provided by my employer) that ISACA has a vastly different vocabulary for infosec than does (ISC)². Think of it as a business perspective versus an engineering perspective. Both are right, both are valid, both are highly valued in the employment market. But they are different. Master both, and you’ll be a rare treasure.

Study guides for CISSP:

CISSP For Dummies

CISSP Guide to Security Essentials

Study guides for CISM:

CISM All-In-One Exam Guide

Hard copy vs online verification

Today, in an online forum, someone asked why ISACA still uses paper-based certification applications instead of moving to online verification. The person argued that other organizations had gone to an online verification system.

My response:

I can understand why this is still a paper-based process. Moving it online would provide many opportunities for fraud. While I believe that 99.9% of CISA/CRISC/CISM applicants are honest, a purely online system would provide an easier opportunity for someone lacking the necessary background or experience to fabricate it – including verifiers. How could you prove that the verifiers are genuine?

Maybe, someday, we will get to a reliable online identity system that provides a solid tie between a real person and an online identity. Until then, I think that ISACA should stick with the paper model.

I am sure that ISACA has had this discussion, and will continue to have it from time to time.

Which security certification should you earn next?

A reader who recently received his CISA certification asked, “Which certification should I earn next: CEH or CRISC?”

I see this question a lot, so I’d like to answer this in two different ways.

When someone asks which certification they should earn next, I sometimes wonder if that person is asking others to choose their career direction for them.

In this case, the person wants to know whether CRISC or CEH is the right direction. If this person were asking me personally, I would respond with these questions: what aspects of information security interest you? For which aspects do you have good aptitude? What kind of information security job do you want to be doing in five years?

In the case of CEH and CRISC, these two certifications could not be more different from each other. One is a hands-on certification that has to do with breaking into systems (and helping to prevent adversaries from doing same), and the other has to do with risk management, which is decidedly hands-off.

Now for my second answer: you choose. Both are well-respected certifications. Which one aligns with your career aspirations?

Another thing – for anyone who is just trying to figure out the next cert to add after their name – stop asking that question and do some other things first.

1. Assess your experience.
2. Figure out where your experience can help you go next.
3. Determine your aptitudes, meaning your talents.
4. Decide what you want to be doing in five years, ten years.
5. Only after you have answered 1-4 can you then think about certifications. They should reflect your knowledge and experience.

Knowledge and experience come first. Certifications are a reflection of your knowledge and experience, not a forecast of future events.

– from my posting to the CISA Forum

Classification of data center reliability

The Telecommunications Industry Association (TIA) released the TIA-942 Telecommunications Infrastructure Standards for Data Centers standard in 2005. The standard describes various aspects of data center design, including reliability. The standard describes four levels of reliability:

  • Tier I – Basic Reliability. Power and cooling distribution are in a single path. There may or may not be a raised floor, UPS, or generator. All maintenance requires downtime.
  • Tier II – Redundant Components. Power is in a single path; there may be redundant components for cooling. Includes raised floor, UPS, and generator. Most maintenance requires downtime.
  • Tier III – Concurrently Maintainable. Includes multiple power and cooling paths, but with only one path active. Includes sufficient capacity to carry power and cooling load on one path while performing maintenance on the other path. Includes raised floor, UPS, and generator.
  • Tier IV – Fault Tolerant. Includes multiple active power and cooling distribution paths. Includes redundant components, including UPS and generator. Includes raised floor.

Excerpt from CISA All-In-One Study Guide, 2nd edition

Compliance risk, the risk management trump card


Organizations that perform risk management are generally aware of the laws, regulations, and standards they are required to follow. For instance, U.S.-based banks, brokerages, and insurance companies are required to comply with GLBA (the Gramm-Leach-Bliley Act), and organizations that store, process, or transmit credit card numbers are required to comply with PCI-DSS (Payment Card Industry Data Security Standard).

GLBA, PCI-DSS, and other regulations often state in specific terms what controls are required in an organization’s IT systems. This brings to light the matter of compliance risk. Sometimes, the risk associated with a specific control (or lack of a control) may be rated as a low risk, either because the probability of a risk event is low, or because the impact of the event is low. However, if a given law, regulation, or standard requires that the control be enacted anyway, then the organization must consider the compliance risk. The risk of non-compliance may result in fines or other sanctions against the organization, which may (or may not) have consequences greater than the actual risk.

The end result of this is that organizations often implement specific security controls because they are required by laws, regulations, or standards – not because their risk analysis would otherwise compel them to.

Excerpt from CISA All-In-One Study Guide, second edition

I’m back, after a year off


After teaching the UW Information Systems Security certification course for two years, completing CISSP For Dummies (3rd edition), CISA All-In-One Exam Guide and CISSP Guide to Security Essentials, I was burned out and needed a year off. I didn’t do any public speaking either, which meant interrupting an eight-year run speaking for SecureWorld Expo in Seattle and other cities. But I needed time for my family and for me.

Earlier this year we purchased an RV and spent about 40 nights in it all over Washington State, including American River, Whidbey Island, Vasa Resort, Ames Lake, Alder Lake, Riffe Lake, and Kitsap Memorial State Park. We spent much of this time with good friends whose company we enjoy very much.

My wife and I went on several motorcycle rides, although none were overnight trips as I had hoped. Still, we were blessed with great weather and safe riding.

On one particularly nice weekend day, I took a very early morning ride up Mt. Rainier, arriving at Paradise Lodge at around 8am. There was practically no traffic on the way up the mountain – the entire two-lane highway was mine.

After writing twenty-two books in ten years, my list of honey-do’s around the house was growing, and I got a lot of things done in this department.

We have also become parents – of four lovely society finches that are the offspring of a mating pair we purchased last year. We also have zebra finches, parakeets, quail, and an African weaver. None of these others have had chicks yet, but we’re still hopeful.

We also had an exchange student from the Czech Republic stay in our home for a year. She arrived in mid August 2009 and returned home in July 2010. This was a great experience for everyone. She was a member of our family and she participated in everything we all do together.

Today I completed the draft manuscript for a book on security technology that will be published in December or January. This was a short project that took just a few weeks. Today I also met with my literary agent to plan the next five years of my writing. My business manager and I are both quite excited about the next few years.

While I took the year off of bookwriting, I was still involved in some other things. I’m a member of the Cloud Security Alliance and contributed to its Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, and am a member of the Cloud Security Alliance Certification Board. I also earned the CRISC (Certified in Risk, Information Security, and Control), a new certification offered by ISACA (Information Systems Audit and Control Association), which I’ve been a member of since 2002.

Certification and Experience: Putting the Cart Before the Horse


When I earned my CISSP in 2000, and my CISA in 2002, I desired to earn these certifications as a way of demonstrating the knowledge and experience that I had already accumulated. To me, these certifications are a visible symbol of my professional qualifications in the professional community.

In recent years, I have seen many people who do not have the knowledge or the experience, and they desire to earn these certifications so that they may be better qualified for positions where they can earn the knowledge and experience that these certifications require.

These people have it backwards. They are showing impatience: they want the positions that require experience, but they do not yet have it. They ask, now that I have my CISSP (or CISA or CISM), how can I now get security specialist, security manager, security auditor, or other positions? And they wonder why they have difficulty finding these jobs that require CISSP, CISA, or CISM certification.

What I believe they fail to understand is that they do not have the required experience.

The correct path for professional certification and experience is this: acquire the knowledge and the experience, and then earn the certification. This is the method expected by employers, professionals, and the organizations that develop and manage these certifications.

Would you go to a doctor who had his license to practice but did not yet have the required experience? Of course not, and likewise employers do not hire candidates based only on their certifications. Instead, employers hire based upon knowledge, experience, and particular skills.

I believe that many of these aspiring certification candidates are being led astray by training organizations who are implicitly (if not explicitly) fostering the expectation that one can earn a certification based on a short training course alone, as though it is a “shortcut” to positions with greater responsibility, expectations, and compensation.

To IT professionals who want to get ahead and earn certifications: good for you! I wish you well! However, do know that you need to accumulate years of work experience first – then earning those certifications will be relatively easy, and you will have greater satisfaction through knowing that you have rightfully earned your certification, not only because you were able to pass a certification exam, but also because you have the experience that goes with it.

CISA All-In-One Exam Guide published


The CISA Certified Information Systems Auditor All-In-One Exam Guide, published by Osborne McGraw-Hill, is now available in bookstores and from online merchants.

Written by Peter H. Gregory, this book is the largest and most complete study guide available for the CISA (Certified Information Systems Auditor) professional certification. Prior to Osborne McGraw-Hill’s decision to publish this book, the other study guides that were available were shorter and contained less detail. This difference is key for IT professionals who are studying for the CISA certification, which places high demands on the exam taker to be able to recall many details and specifications about information technology, key business processes, and IT auditing.

Despite its title, CISA Certified Information Systems Auditor All-In-One Exam Guide is structured and designed to also be a desk reference for early- and mid-career security auditors and security specialists who need a reliable, easily-consumed reference guide for key information technologies and IT auditing practices. The book contains two chapters that go beyond the CISA study material and include lengthy discussions of professional IT auditing and security and governance frameworks.

“The availability of this study guide represents a big step forward for IT professionals who are studying for the CISA exam and those who have IT security and audit responsibilities,” states Peter H. Gregory. “The IT industry has waited a long time for an All-In-One guide for this popular certification,” he adds, citing the enormous popularity of the CISSP All-In-One Study Guide that is written by Shon Harris and considered the best CISSP guide available.

About Peter H. Gregory

Peter Gregory, CISA, CISSP, DRCE is the author of twenty books on security and technology and has been a technical editor for twenty additional books on security and technology. He has over 25 years of experience in virtually every role in Business IT departments, including work in government, banking, non-profit, telecommunications and on-demand financial software businesses.

Gregory is on the board of advisors and the lead instructor for the University of Washington certificate program in information security, and a lecturer at the NSA-certified University of Washington Certificate Program in Information Assurance & Cybersecurity. He is also on the Board of Directors for the Evergreen State Chapter of InfraGard, and the Executive Steering Board for the SecureWorld Expo Conference in Seattle. A founding member of the Pacific CISO Forum, Mr. Gregory is a graduate of the FBI Citizens’ Academy and active in the FBI Citizens’ Academy Alumni Association.

About ISACA®

With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations.

ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

CISA Certified Information Systems Auditor All-In-One Study Guide by Peter H. Gregory; McGraw-Hill; October 2009; Hardback; $79.99; ISBN-10: 0071487557; ISBN-13: 978-0071487559

“All-in-One is All You Need.”

Auditors’ preferences for controls


Auditors and security professionals usually prefer preventive controls over detective controls, because preventive controls actually block unwanted events, and they prefer detective controls over deterrent controls, because detective controls record events while deterrent controls do not. However, there are often circumstances where cost, resource, or technical limitations force an organization to accept a detective control when it would prefer a preventive one. For example, there is no practical way to build a control that would prevent criminals from entering a bank, but a detective control (security cameras) would record anything they did.

Excerpt from CISA Certified Information Systems Auditor All-In-One Study Guide

Implementation of audit recommendations

The purpose of internal and external audits is to identify potential opportunities for making improvements in control objectives and control activities. The handoff point between the completion of the audit and the auditee’s assumption of control is in the portion of the audit report that contains findings and recommendations. These recommendations are the imperatives that the auditor recommends the auditee perform to improve the control environment.

Implementation of audit recommendations is the responsibility of the auditee. However, there is some sense of shared responsibility with the auditor, as the auditor seeks to understand the auditee’s business, so that the auditor can develop recommendations that can reasonably be undertaken and completed. In a productive auditor-auditee relationship, the auditor will develop recommendations using the fullest possible understanding of the auditee’s business environment, capabilities, and limitations, in essence saying, “here are my recommendations to you for reducing risk and improving controls.”  And the auditee, having worked with the auditor to understand his methodology and conclusions, and who has been understood by the auditor, will accept the recommendations and take full responsibility for them, in essence saying, “I accept your recommendations and will implement them.” This is the spirit and intent of the auditor-auditee partnership.

– from CISA Certified Information Systems Auditor All-In-One Study Guide – the last words written into the draft manuscript, completed a few hours after the last of the Fourth of July fireworks have burst in the night sky

Residual risk

Residual risk is like the dirt on the floor that cannot be picked up by the broom and dustpan. Rather than pursue residual risk down to the last iota, it is swept aside and will probably not be noticed.

– From CISA Certified Information Systems Auditor All-In-One Study Guide

CISA Forum surpasses 3,000 members


(Seattle, WA) The CISA Forum, founded in 2002 by Peter H. Gregory, CISA, CISSP, has now exceeded 3,000 members. The Forum continues to grow, with new members being added almost every day.

Created to assist and encourage professionals to pursue a career in data security and IT auditing and to earn the CISA certification, the CISA Forum contains an extensive e-mail archive, as well as collections of useful files and links.  CISA stands for Certified Information Systems Auditor, one of the most sought-after professional certifications in the information security profession.

One of the most important features is the addition of the CISA FAQ, written by Dinesh Bareja.  Gregory announced his vision of the CISA FAQ to Forum members on December 29, 2006, and Bareja took the initiative to create it.  A link to the FAQ is found on the CISA Forum site.

The CISA Forum is located here: http://tech.groups.yahoo.com/group/CISAforum/

The CISA certification is owned and managed by the Information Systems Audit and Control Association.  ISACA does not endorse or sponsor the CISA Forum.  Read more about the CISA certification here.

About ISACA.   With more than 65,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 55,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by 7,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

CISA is a registered trademark of ISACA.

CISA FAQ published


Almost two years ago I had a vision that a comprehensive FAQ would be developed for the CISA (Certified Information Systems Auditor) certification. I had no time to develop this work on my own, and so I shared my vision with the members of the CISA Forum.

An esteemed member of the Forum stepped up and created the CISA FAQ, and today it has been made public.  It can be found here:

www.securians.com/wiki/FAQs

Categories in the FAQ include:

  • The path to CISA certification
  • About the certification exam
  • Professional qualifications
  • Fees and costs
  • Exam centers
  • Advice and tips

Career advice: how to begin a security career


Today a colleague from Melbourne wrote me and said,

Hi Peter,

Greetings from Melbourne, Australia.

It was refreshing to read your site esp your Christian perspective on the profession.

I’m after some career guidance if you don’t mind – I have a Business Analyst background and am currently working in IT consulting for a company that specialises in custom app development and systems integration. I have taken a keen interest in Info Security and will sit the CISSP exam at the end of this year with the intention to certify as an ISC2 associate (until such time as I possess the relevant experience to be a CISSP)…

In terms of specialising in the Information Security field, are there any particular areas where demand will be highest? (application, network, governance etc.) Also, what blend of technical/personal abilities will the profession require of its practitioners going forward… any insight you can provide will be much appreciated. Thank you.

Cheers,

(name)

* * * * * * *

Hi (name),

Thank you for your message and your kind comments.

If you were in the U.S., I could give you a more precise perspective on what’s in demand.  But I have an idea.

I suggest you find a local chapter of ISSA and/or ISACA (the ‘owner’ of the CISA and CISM certifications) and sign up.  This will give you many networking opportunities to meet and know others in the information security profession.  Through your contacts and communications with local members, you should soon get a good idea of what’s in demand.

But I stress this: the best people in information security are those who already have technology experience, and begin to build expertise on the risks in that technology.  So I see you are in an app dev and integration firm.  I’ll presume that this is a field where you have good expertise.  So what I would suggest is that you begin to build your security experience by beginning to understand the risks around “safe coding” principles and the processes to ensure that the entire SDLC (systems development life cycle) includes procedures to ensure that the proper measures are taken to ensure that changes to software do not introduce vulnerabilities at any level.  So if s/w dev is your thing, you might pick up a copy of Michael Howard’s book, Writing Secure Code (or something close to that – a huge best seller).

For me, my career was in computer operations, systems administration, software engineering, and network engineering.  Then, it became my job to secure systems and networks, so I began to read all I could and made systems and networks secure.  Then, I branched out from there to better understand other sources of risk, like unauthorized intruders and secure coding.

So my advice is, begin to build security expertise in the area of technology where you are most familiar, and branch out from there.  Networking with others will help to broaden your knowledge about risk overall.

Hope this helps,

Peter

Integrity and intellectual property

On some of my mailing lists I have recently seen messages suggesting that people are willing to send and receive copyrighted materials.

Exercise extreme caution when offering or accepting study materials that are not in their *original* form. If you transmit or receive electronic (or paper) copies of copyrighted materials such as study guides or study questions, there is a good chance that both the sender and the receiver are breaking international copyright laws, which is both a crime and a violation of the ISACA Code of Ethics.

Sending or accepting such materials also compromises your personal and professional integrity, and that will make you ineffective as an IT audit professional and leader. See these two articles for more information:

Personal integrity: the keystone in an infosec career

A call for character and integrity

The road of higher integrity is not always the easy road. Taking the path of high integrity requires sacrifice and it is often difficult. You will, however, be a better person for it, both personally and professionally. And your conscience will allow you to sleep at night!

IT auditing is more about people than technology

I was recently asked the following question in one of my forums:

“Some of the challenges I face pertain to the anxiety system administrators face before I come on-site. They are defensive from the time I walk in to the time I leave. They don’t take too well to people telling them a control may not have been properly implemented.”

IT auditing is not *really* about the technology at all, but about the *people* who design, build, and operate the technology. Servers don’t have feelings and egos, but people certainly do.

My advice is to do what I do – have a good “bedside manner” and put the patient at ease. Explain why you are there in as non-confrontational a manner as possible. Say things like, “I’m here to understand how things are done here and how I can help with these compliance needs.” Explain that the standards and audits have gotten a lot harder these days, which requires a lot of changes. Empathize with them, and be there as a guide who is also learning.

I also suggest that you take the approach of your being there to learn what they do. Make yourself “less good” than them, in order to not be a threat to them. Say things like, “I’m here to learn about these systems that you built and manage,” not “I’m here to see what you’re doing wrong.”

Have a gentle touch. Be confident and friendly, but non-threatening.

I meet new colleagues all the time. This works, as long as your heart and your mind are in the same place. People can see through a facade and will distrust an auditor who is acting.