Category Archives: my books

The Criticality of Business Alignment for Information Security Programs

The need for an organization’s information security program to be business-aligned cannot be overstated. The lack of business alignment could be considered a program’s greatest failing if not corrected.

For the most part.

It is critical for an information security program to be aligned in terms of support of the organization’s overall goals, and to utilize existing mechanisms such as corporate governance and policy enforcement. However, if and where there is dysfunction in the organization in terms of culture (for instance, a casual attitude or checkbox approach towards security or privacy), the program may position itself deliberately out of phase with the organization to alter the culture and bring it to a better place. In another example, rather than be satisfied with what may be low organizational maturity, security program leaders may influence process maturity by example through the enactment of higher maturity processes and procedures.

As change agents, security leaders need to thoughtfully understand where alignment is beneficial and where influence is essential.

— excerpt from an upcoming book on information security management

Peter H Gregory Publishes a Book To Guide Aspiring Tech Book Authors

Seattle, WA – April 26, 2022 – Author Peter H. Gregory has announced that his latest book, “The Art of Writing Technical Books,” has just been published. The book is available in paperback and electronic editions worldwide.

Peter H Gregory is a well-known author of tech books, including certification study guides for the world’s leading professional certifications in information security and privacy. He has authored over fifty books in the past twenty-three years, beginning with “Solaris Security.” He wrote this first book in 1998-1999 amid the dot-com boom when most servers on the Internet were powered by the Solaris operating system from Sun Microsystems and when internet security was just becoming a concern.

“I have wanted to write this book for many years,” cites Gregory. “I have mentored numerous aspiring authors and helped many get published. But until now, I only could converse with them and answer their questions. Everything I’ve helped others with is captured in this book.”

Gregory has long been passionate about helping aspiring writers break into the publishing profession. He has been instrumental in helping several accomplished professionals publish books for major publishing houses, including Sarah Perrot and Matthew Webster.

About Peter H Gregory

Peter H Gregory is a career information security, privacy, and technology professional and a former executive advisor and virtual CISO. He is the author of over fifty books on information security and emerging technology. Visit him at

For interviews with Peter H Gregory, please contact at:

# # # 

You are free to disseminate this news story. We request that you reference Peter H Gregory and include our web address,

The Fifth Option in Risk Treatment

For decades, risk management frameworks have cited the same four risk treatment options: accept, mitigate, transfer, and avoid. There is, however, a fifth option that some organizations select: ignore the risk.

Ignoring a risk situation is a choice, although it is not considered a wise choice. Ignoring a risk means doing nothing about it, not even making a decision about it. It amounts to little more than pretending the risk does not exist. It’s off the books. It is not even added to a risk register for consideration, but it represents a risk situation nonetheless.

In some cases, such as for minimal risk items, this may be perfectly acceptable. A theft of a paperclip may simply be too small for consideration for a risk register. It would probably be wise to leave this off of a risk register unless there is a specific reason to add it. In some cases, listing minimal risk is very critical because compliance requirements dictate that specific risks be considered in risk evaluations. Developing the right level of detail for a risk register requires experience, listening to an organization’s culture, and striking the right balance.

Organizations without risk management programs may implicitly ignore all risks, or many of them at least. Organizations might also be practicing informal and maybe even reckless risk management—risk management by gut feel. Without a systematic framework for identifying risks, many are likely to go undiscovered. This practice could also be considered as ignoring risks through the implicit refusal to identify them and treat them properly.

Note that ignoring risk, particularly when governance requires that you manage it, is usually a violation of the principles of due diligence and due care. Many organizations can be legally charged with “willful negligence” if they have a duty to manage risk, and they simply don’t.

– excerpt from CRISC Certified in Risk and Information Systems Control All-In-One Exam Guide, to be published in early 2022

Peter H Gregory’s Study Guides Available For Top-Rated Certifications

January 4, 2022

SEATTLE, Washington – Peter H Gregory’s top-selling certification study guides cover several of the highest-ranked certifications in the Salary Survey 75 list, including the #1 and #2 spots. Certification Magazine has just released its Salary Survey 75, the top 75 IT certifications ranked by U.S. salaries. The survey covered over 900 vendor and non-vendor certifications in IT, IT Security, and privacy. The survey also includes a “Simmering Salaries” list of certifications where certification holders’ salaries increased at least 7% in 2021.

Top-selling study guides written by Peter H Gregory include:

“I am pleased that my titles’ certifications have made such a strong showing,” says Peter H Gregory, who has published over forty books since 2000. “This success would not be possible, however, without strong support from McGraw-Hill Professional over the past thirteen years with the publication of the first edition of the CISA Certified Information Systems Auditor All-In-One Exam Guide.”

Gregory has written a total of twelve titles for McGraw-Hill Professional since 2009, including CRISC Certified in Risk and Information Systems Control All-In-One Exam Guide, second edition, co-authored with Bobby Rogers and Dawn Dunkerley, available for pre-order and expected to be available in late March 2022. Gregory’s other notable books include CISSP For Dummies (first published in 2002, now in its 7th edition), CISSP Guide to Security Essentials, second edition, Chromebook For Dummies, and Solaris Security. “All of my published books have fueled my passion for helping IT professionals successfully pursue IT security and privacy careers,” Gregory adds. “The skills that my readers learn enable them to better understand how to protect their organizations’ sensitive information and critical systems.”

About Peter H Gregory

Peter H Gregory is a career information security and privacy leader. He is the author of over forty books on information security and emerging technology. Visit him at

For interviews with Peter H Gregory, please contact: peter.gregory [at]

# # #

You are free to disseminate this news story. We request that you reference Peter H Gregory and include his web address,

Brainstorming and Risk Identification

Brainstorming some concept or idea in front of a whiteboard with other colleagues is one of our favorite activities (and one that we miss—we write this during the COVID-19 pandemic in which most office workers are isolated in their homes). In a brainstorming session, participants each have whiteboard pens and write down ideas that come to mind on some specific topic. Alternatively, one person writes down ideas spoken by others in the room.

The rule of brainstorming is this: silly ideas are not to be rejected, because that silly idea could lead to a great idea. For example, office workers are brainstorming ideas on what color to paint the office. Let’s join the discussion.


“Light brown.”

“Light gray.”


Wait a minute. Plaid isn’t a color. But they write it down anyway. This prompts another to say, “Let’s paint it two colors: white on interior walls to reflect light, and light gray on other walls.”

Rejecting “plaid” might not have led the team to the solution they ultimately chose, which was a bit different from what they all expected: a single color.

Thought and discussions about risk are no different. Dare to think outside the box and consider other ideas, which could lead you to new discoveries.

– excerpt from CRISC Certified in Risk and Information Systems Control All-In-One Exam Guide, to be published in early 2022

Audit Seeding

Management may spend considerable time and energy making sure that personnel understand one thing when dealing with auditors: specifically answer the question that the auditor asked, not the question the auditor should have asked; and do not volunteer any information.

There is, however, a useful technique that management (and only management) sometimes uses when working with auditors. I prefer to call this seeding the audit results. Similar to the technique of cloud seeding, where rain clouds are seeded with substances to cause them to release rain, management can use audit seeding as a way of ensuring that auditors are aware of specific situations that they are willing to include in their audit report. The purpose of audit seeding is generally the creation of an audit issue that will permit management to prioritize an initiative to improve the business.

For example, external auditors are examining access controls, an area where a security manager has had difficulty obtaining funds to make key improvements. While in a discussion with auditors, the security manager may choose to illuminate particular actions, inactions, or other situations in access control processes or technology that the auditor might not have otherwise noticed.

Persons who are considering audit seeding must have a thorough understanding of the subject matter, the controls being tested, the procedures and technologies in play, the auditing methodology in use, and a bit of grit. Audit seeding may be considered a daring move that may have unforeseen results. Finally, persons considering audit seeding must not make auditors feel they are being manipulated, as this could have greater consequences. Instead, management is simply making auditors aware of an important aspect of a control they are auditing.

— excerpt from CISM All-In-One Study Guide

Converged Network Security for Dummies


The need to protect your mission-critical communications system and business applications should be considered from the very start of our converged network planning. Is your converged voice, video and data network safe from threats, both internal and external? Download this E-Guide for best practices for converged network security.

Read this paper to learn more about:
*  Best practices to secure your enterprise through a multi-layered security model
*  Understanding the myriad of security approaches and technologies used to protect converged voice, video and data networks
*  Extreme improvements for network security

Find out how to overcome the challenge with converged network security:

My apologies if this sounds like an ad. This is a cut-and-paste from TechTarget for an e-book I wrote last year.

Books that I did not write

Searches on and other online book retailers show other books by “Peter Gregory” – but I did not write these.

Japanese Maples

Timber Press Pocket Guide to Japanese Maples

Transitions of Meditation in Chinese Buddhism

Religion and Society in T’Ang and Sung China

Buddhism in the Sung

Plant Roots: Growth, Function and Interactions with the Soil

Inquiry Into the Origin of Humanity: An Annotated Translation of Tsung-Mi’s Yuan Jen Lun with a Modern Commentary

The Allman Brothers (Classic Rock Legends)

Court Reporting in Australia

Fall to Glory: Theological Reflections on Milton’s Epics

Industrial Wages in Chile

Let’s Look at Trucks

Noah and the Tubes

Soils in the Urban Environment

Disaster recovery isn’t just for dummies


Disaster Recovery is not simply about Katrinas nor earthquakes nor 9/11 catastrophes. Sometimes, the focus on these monumental events could intimidate even the most committed IT manager from tackling Disaster Recovery Planning. Disaster Recovery is really about the ability to maintain business as usual – or as close to ‘as usual’ as is feasible and justifiable – whatever gets thrown at IT.

Read entire review

Find out more about the book, IT Disaster Recovery Planning for Dummies

Solaris Security™, the definitive guide then and now



A security book just for Solaris® and UNIX® system administrators. Learn the specifics for making your system secure, whether it’s an organization-wide network or a standalone workstation. Expert author Peter Gregory has managed security for everything from top-secret corporate research facilities to casinos. Take advantage of his experience to build a secure, reliable system of your own.

Solaris Security™ looks at the physical, logical, and human factors that affect security, including:

  • PROMs, physical security, bootpaths, permissions, auditing tools, system logs, passwords, and more
  • Secure network interfaces and services for remote and Internet access, intrusion detection, access control, email, and printing
  • Enhanced security for NIS, NIS+, DNS, and NFS

A special section shows you how to plan for the inevitable disasters so you can recover your data quickly and accurately without compromising security. References to books, journals, and online resources will help you keep up with the latest innovations.

Purchase options:

eBook from Safari

Online from Amazon

Also available in Japanese and Chinese language editions

New book started

This weekend I have started another book. I took a two month writing break. I’ve been writing almost continuously since 1998, and a break is needed now and then.

I’m really excited about this project, as this is work with a new publisher, and a new type of work for me. The book – and related instructor materials – will be used in universities, community colleges, and vocational-technical schools.

I can’t talk about the book in any detail yet. I can say that it will be published in late 2008 and be available for Winter and Spring quarters in 2009.

Like many manuscripts, it’s starting out slow. I laid out all of my chapter files with their respective TOCs, set up my chapter status and image worksheets, and gathered my reference materials. Some of my references exceed 1,000 pages and I’m finding that I am in need of some leather bookweights. Right now I’m using my tape dispenser and stapler – poor substitutes indeed.

Two new books in the pipeline

I’ve published eighteen books since 1999, or about two per year. Within the past few weeks, two new projects are in the pipeline:

  • A book on biometrics (~320 pp)
  • A security text book for community colleges and vocational / technical schools (~500 pp)

At least one of these books is with a publisher that I have not worked with before. I’m pretty excited about that. The biometrics book is going to be a lot of fun to write as well.

I’m writing one of these books on my own; I’ve brought in a professional colleague and friend to co-author the other.

2008 is going to be a busy but productive year. I’ll write more about these titles when they have been made public. After these two are done, I’ll have written and published twenty books. Ten years ago I would have never believed it.

IMS book available


One of my recent books, IP Multimedia Subsystems for Dummies, is now available. More information about this book is available on my web page here:

Spam Sets Record, Accounts for 94 Percent of Email


The volume of spam rocketed in December to account for a record 94% of all Internet-sent e-mail during the month, a message security company said Wednesday.

Read complete article here:

Stop spam in organizations with expert guidance from Blocking Spam and Spyware for Dummies.

Romanian translation of one of my books available online


I wrote a book in 2002 called Enterprise Information Security for the European market. In 2005 this book was translated into Romanian. It is available online here. The English language edition is available here.