Tag Archives: certification

Peter H Gregory’s Study Guides Available For 2023 Top-Rated Certifications

Gregory’s best-selling books cover five of the top ten certifications ranked by salary

January 23, 2023

SEATTLE, Washington – Peter H Gregory’s best-selling certification study guides cover several of the highest-ranked certifications in the 2023 Salary Survey 75 list, including the #1 and #3 spots. Gregory’s books cover five of the top ten paying IT certifications, according to Certification Magazine, which just released its 2023 Salary Survey 75, the top 75 IT certifications ranked by U.S. salaries. The survey covered over 1,200 vendor and non-vendor certifications in IT, IT Security, and privacy.

The top certifications in the survey with best-selling study guides written by Peter H Gregory include:

#1: CRISC (Certified in Risk and Information Systems Control) from ISACA. U.S. salary $156,390. Study guide: CRISC Certified in Risk and Information Systems Control All-In-One Exam Guide, 2^nd edition, co-authored with Bobby Rogers and Dawn Dunkerley.
#3: CISM (Certified Information Security Manager) from ISACA. U.S. salary $148,680. Study guides: CISM Certified Information Security Manager All-In-One Exam Guide, 2nd edition, CISM Certified Information Security Manager Practice Exams, 2nd edition, and CISM Certified Information Security Manager Bundle, 2nd edition.
#6: CISA (Certified Information Systems Auditor) from ISACA. U.S. salary $145,240. Study guide: CISA Certified Information Systems Auditor All-In-One Exam Guide, 4th edition.
#7: CDPSE (Certified Data Privacy Solutions Engineer) from ISACA. U.S. salary $144,910. Study guide: CDPSE Certified Data Privacy Solutions Engineer All-In-One Exam Guide.
#9: CISSP (Certified Information Systems Security Professional) from (ISC)². U.S. salary $140,230. Study guides: CISSP For Dummies, 7th edition, co-authored with Lawrence Miller; CISSP Guide to Security Essentials, 2nd edition.
#54: CIPM (Certified Information Privacy Manager) from IAPP. U.S. salary $96,093. Study guide: CIPM Certified Information Privacy Manager All-In-One Exam Guide.

“I am pleased that these certifications have made such a strong showing,” says Peter H Gregory, who has published over fifty books since 2000. “This success would not be possible, however, without strong support from McGraw-Hill Professional over the past thirteen years with the publication of the first edition of the CISA Certified Information Systems Auditor All-In-One Exam Guide.”

Gregory has written a total of sixteen titles for McGraw-Hill Professional since 2009, including CRISC Certified in Risk and Information Systems Control All-In-One Exam Guide, second edition, co-authored with Bobby Rogers and Dawn Dunkerley. Gregory’s other notable books include CISSP For Dummies (first published in 2002, now in its 7th edition), CISSP Guide to Security Essentials, second edition, The Art of Writing Technical Books, Chromebook For Dummies, and Solaris Security. “All of my published books have fueled my passion for helping IT professionals successfully pursue IT security and privacy careers,” Gregory adds. “The skills that my readers learn enable them to better understand how to protect their organizations’ sensitive information and critical systems.”

About Peter H Gregory

Peter H Gregory is a career information security and privacy leader. He is the author of over fifty books on information security and emerging technology. Visit him at peterhgregory.com.

For interviews with Peter H Gregory, please contact: peter.gregory [at] gmail.com

# # #

You are free to disseminate this news story. We request that you reference Peter H Gregory and include his web address, www.peterhgregory.com.

CISSP For Dummies 7th edition Published

Leave a reply

The latest edition of CISSP For Dummies, the 7th edition, is now available from Amazon, Barnes & Noble, Walmart, Target, and other booksellers.

Co-author Lawrence Miller and I completed this latest revision early in 2022. This revision covers the new CISSP Common Body of Knowledge that was updated in 2021. In addition to updates reflecting changes in the CBK, numerous other changes were made, reflecting advances and changes in cybersecurity practices, risks, threats, and regulations.

The publication of this 7th edition is a celebration of TWENTY YEARS of CISSP For Dummies. Larry and I wrote the first edition of CISSP For Dummies in 2002.

CISSP For Dummies is the only CISSP study guide approved by (ISC)², the organization that manages the CISSP certification worldwide. This is a testimony to the quality and completeness that only CISSP For Dummies provides to security professionals who aspire to earn this prestigious certification.

This announcement would be incomplete without a grateful shoutout to Clément Dupuis, founder of CCCure, the well-known training organization for technology professionals. Clément passed in 2021, but not before providing valuable research material to Larry and me as we created this edition of the book.

The Unexpected Burden of Multiple Certifications

Leave a reply

Those who have been in any information technology profession for a few years or more are witness to the practice of professional certifications. They function as a badge of achievement as well as a badge of access to further professional opportunities.

Many IT professional certifications have continuing education requirements. Organizations such as ISACA, (ISC)², IAPP, the PCI Security Standards Council, and others require certificate holders to adopt a continuous learning lifestyle through periodic training and other learning opportunities. These and other organizations require that certificate holders document their CPEs (continuing professional education) with the certification body; occasional audits of documented CPEs keep certification holders honest.

ISACA’s CPE policy requires that a certification holder complete 120 hours of training during a three-year certification cycle. This comes to 40 hours per year. ISACA requires a minimum of 20 hours per year, which encourages certification holders to maintain that learning lifestyle.

What may not be immediately clear is that this requirement is per certification.

I now hold four certifications from ISACA: CISA, CISM, CRISC, and CDPSE. Last week, as I was entering my 2020 CPEs into the ISACA system, the reality of one aspect of the CPE policy became exceedingly clear to me: when you have multiple certifications with a single entity like ISACA, each CPE hour is applied to only one certification. For me, this means that I must earn a minimum of 80 hours per year and 480 hours every three years for all four certifications. Keeping the CPE’s level every year means that I must earn a minimum of 160 CPEs, or one full month, of training annually, or over three hours of training every week. ISACA’s policy and its CPE portal do not permit the application of a CPE to more than one certification.

The result: I’m now laser-focused on all of the different training methods and opportunities, and on a weekly basis I identify those that help me to continue to advance my knowledge and skills.

I keep very crisp records of my CPEs. On my personal laptop computer, I have a worksheet that is open all the time where I enter every webinar, vendor demo, writing project, mentoring session, and other eligible activities. My records include the number of CPEs, as well as which certification each CPE will be credited to. I try hard to “front load” my learning each year in the event that life or work get in the way later in the year. And for those three-year certification cycles (which for me, thankfully, are spread out evenly), I try to front-load each certification with more than 40 hours for the first year of the three-year cycle, so that I don’t end up in a situation in the third year when I need to earn more than forty hours.

Fortunately, there is no shortage of online learning opportunities. I subscribe to email feeds from (ISC)², ISACA, Dark Reading, Brighttalk, TechTarget, and others, so my inbox always has opportunities for me to choose from every week.

I applaud you if you aspire to earn more certifications, whether they are a badge of honor or a means of opening doors for professional growth.

Update: apparently ISACA will permit CPE hours for an activity to be applied to more than one certification, provided the activity qualifies for each certification in question. Read more here. Full link here: https://isaca.force.com/support/s/article/Can-my-CPEs-be-applied-torwards-more-than-one-certification-1597877234103

CISM vs CISSP

2 Replies

A reader recently asked me about the CISM versus the CISSP. Specifically, he asked, “How hard is the CISM for someone who passed the CISSP?”

Having earned both certs (and a few more besides), and having written study guides for both, I felt qualified to help this individual. My answer follows.

CISM is much heavier on security management and risk management than CISSP. You’ll have to study these topics, and the business side of information security. To paint with a broad brush, you could say that CISM is for CISO’s while CISSP is for security engineers. That, in essence, is the distinction.

Oh and there’s a great study guide out for the CISM: https://www.amazon.com/Certified-Information-Security-Manager-Guide-ebook/dp/B079Z1J87M

I passed my CISSP almost 20 years ago while I was still a hands-on technologist. I studied for my CISA two years later. I learned through my ISACA CISA study materials (provided by my employer) that ISACA has a vastly different vocabulary for infosec than does (ISC)2. Think of it as a business perspective versus an engineering perspective. Both are right, both are valid, both are highly valued in the employment market. But they are different. Master both, and you’ll be a rare treasure.

Study guides for CISSP:

CISSP For Dummies

CISSP Guide to Security Essentials

Study guides for CISM:

CISM All-In-One Exam Guide

Insights into CRISC certification quality

Leave a reply

I CRISC.h2 spent the previous Friday+weekend at ISACA HQ in Chicago at a workshop. The objective: to examine about 360 candidate exam questions for the CRISC (Certified in Risk and Information Systems Control) certification.

There were about 30 of us that worked in three independent groups that consisted of a facilitator (Richard Norman, a security manager in the UK), a scribe (Kim Cohen, the Certification Exam Development Manager at ISACA), and 8 risk management experts from many different organizations including Bank of America, Caterpillar, Premera Blue Cross, and Verizon Business.

We had our work cut out for us. Each group had about 120 exam questions to examine, discuss, edit, and ultimately determine whether it’s a good question based on many different quantitative and qualitative measurements. Oftentimes our discussion of the question became a discussion about how a security or risk management practices (including what companies should be doing and what they are actually doing). Richard, our facilitator, and Kim, our scribe, kept us on task and on pace.

The hard work began long before the three day weekend. Going back to May 2013, we each began our training on writing certification exam questions for ISACA, and over a four or five week period we each wrote a total of twenty exam questions. Anyone who thinks this is an easy task does not understand the rules and the discipline required for the task. It is quite difficult.

I’ve been trained by two other certification organizations in exam question writing, but ISACA has really upped the game. The rigor and quality that ISACA puts into certification exam question development is impressive. There are several levels of review, by different teams, on each question, by vetted subject matter experts, before it sees the light of day. And the analysis does not stop after the exam question has been finalized and approved. Analysis on how test takers answer the question continue throughout the life of the exam question. It is no wonder that CRISC won the Certification of the Year Award from SC Magazine.

ISACA has been in the certification business longer than just about anyone in information technology. ISACA itself started in the 1960s, and the CISA certification began in the 1980s; tens of thousands of security and IS audit professionals have earned the CISA certification, and it remains one of the top IT security certifications today.

Certification and Experience: Putting the Cart Before the Horse

10 Replies

When I earned my CISSP in 2000, and my CISA in 2002, I desired to earn these certifications as a way of demonstrating the knowledge and experience that I had already accumulated. To me, these certifications are a visible symbol of my professional qualifications in the professional community.

In recent years, I have seen many people who do not have the knowledge or the experience, and they desire to earn these certifications so that they may be better qualified for positions where they can earn the knowledge and experience that these certifications require.

These people have it backwards. They are showing impatience: they want the positions that require experience, but they do not yet have it. They ask, now that I have my CISSP (or CISA or CISM), how can I now get security specialist, security manager, security auditor, or other positions? And they wonder why they have difficulty finding these jobs that require CISSP, CISA, or CISM certification.

What I believe they fail to understand is that they do not have the required experience.

The correct path for professional certification and experience is this: acquire the knowledge and the experience, and then earn the certification. This is the method expected by employers, professionals, and the organizations that develop and manage these certifications.

Would you go to a doctor who had his license to practice but did not yet have the required experience? Of course not, and likewise employers do not hire candidates based only on their certifications. Instead, employers hire based upon knowledge, experience, and particular skills.

I believe that many of these aspiring certification candidates are being led astray by training organizations who are implicitly (if not explicitly) fostering the expectation that one can earn a certification based on a short training course alone, as though it is a “shortcut” to positions with greater responsibility, expectations, and compensation.

To IT professionals who want to get ahead and earn certifications: good for you! I wish you well! However, do know that you need to accumulate years of work experience first – then earning those certifications will be relatively easy, and you will have greater satisfaction through knowing that you have rightfully earned your certification, not only because you were able to pass a certification exam, but also because you have the experience that goes with it.

Security+ Study Guides

Leave a reply

There are several books in print that the Security+ candidate can use as a study aid for the Security+ exam.

CompTIA Security+ Study Guide: Exam SY0-101 by Mike Pastore and Emmett Dulaney