Cybertactix's Enterprise InfoSec Blog

June 16, 2013

Are You Paying Attention To Your Personal Growth?

Filed under: Certification,Education,Management — cybertactix @ 10:32 PM

Part of my weekly routine is to regularly visit LinkedIn and review the titles of the “Influencer” posts. Influencer posts are something LinkedIn started late last year, getting both widely known (Richard Branson, Jack Welch) and not so widely known personalities to post short blogs on either a variety of topics of their own choosing or themes suggested by LinkedIn. I scan the titles of these posts for things that look interesting to me and then use Pocket to mark them for future reading. On the weekends I visit my local Panera (I use a solo trip to Panera as my reading occasion) and run through as many of the posts as I can, usually noting a couple of ideas for follow-up or for recommendation to others.

One of the posts that caught my attention this week was “Three Ways To Make Personal Growth Your Top Priority” by Ram Charan. If you have had a conversation with me about your job it’s likely that the topic of self-improvement has come up. One of the things I continually try to hammer home is that companies are no longer engaged in managing your career unless you are one of a select few. These days it’s difficult for them to justify too big an investment in YOUR career, since it is highly likely that you will take that investment to another company in the future. That means that you are now responsible for managing your own career, and a key part of that is ensuring that YOU make sure your skills and knowledge are continually growing. If you cannot regularly sit down at the end of the week and list at least one new thing you have learned, then you should (IMHO) take a look at whether you are in a job that is contributing to your career. In most companies it is no longer enough for you to be able to do the same job, at the same performance level, that you did last year. In this economy, in order to maintain their bottom line, companies need to be either bringing profitable new ideas/products/services into the marketplace or be more efficient in delivering existing products/services.

The way to stay ahead of the game, and therefore gainfully employed, is to be regularly increasing your contribution to the company’s bottom line or to be of enough value to another company for them to hire you into a similar role, preferably at the same or better overall compensation. And since your current employer isn’t focused on increasing your value beyond what they need today, that means YOU need to take responsibility for your personal growth. That can mean either a formal program leading to a degree or certification relevant to your field of employment, or an informal program that increases your relevant knowledge and abilities.

Formal programs are the easiest to find but expensive, and in recent years many companies have been cutting back on the funds they make available to an individual employee for education. Free or cheap materials are easy to come by and, while they don’t directly lead to a diploma or certificate, that doesn’t mean you should rule them out. The lack of a framed piece of paper to hang on your office wall can often be offset by being able to directly demonstrate specific knowledge or learned skills in the workplace.

For managers looking to upgrade their ability to work in a corporate environment, you would be wise to look at (actually, listen to) the Manager Tools podcast series available from the Manager Tools site. The number of podcasts available can be daunting when you first visit the site, but you can use the drop-down category selector to home in on the podcasts specific to your needs. In addition to the Manager Tools podcast they also produce a Career Tools podcast, also available on the site, to assist you with personal growth related to your career development. In terms of general self-development, take a listen to the original podcast on Self Development (November 11, 2005) and the podcast on how to Create A Development Plan For Yourself (November 18, 2010).

If you are not the type of person who learns well on their own and you prefer to learn as part of a group, you may want to check out Peeragogy, a site that stems from the thoughts of Howard Rheingold’s Regents Lecture titled Social Media and Peer Learning: From Mediated Pedagogy to Peeragogy. The site is dedicated to the concept of peer-based learning and focuses on how to create a learning construct you can use to learn in conjunction with others who share a common learning interest, in order to increase your knowledge and abilities.

If you would like to gain the knowledge associated with an MBA without the expense of an MBA, take a look at the Personal MBA reading list, a list of 99 books which cover the core areas of business associated with an MBA. Even if you aren’t interested in an MBA, many of these books should be in the library of any business professional, and this can be done inexpensively thanks to the ability to buy used books via Amazon.

If you plan to pursue an MBA but don’t have the finances and/or the time to complete one following either the traditional program or the executive program, consider a university that will allow you to gain credits for the experience you already have via Learning Counts. Learning Counts allows you to create portfolios based on your work/life experience, which are submitted to an outside evaluator who will decide whether they are worthy of credit towards an academic course.

Given the abundance of tools available for personal development today, there is no reason why anyone should not be able to continually grow their knowledge and abilities, either personally or professionally, and if you aren’t growing then you should not be expecting your compensation to. If you aren’t already, it’s time to start thinking about your personal growth and doing something about it.


January 9, 2011

Personal InfoSec Certification: Which 1st?

Filed under: Career Skills,Certification,CGEIT,CISA,CISM,CISSP — cybertactix @ 4:38 PM

One of the questions I often see on the groups I am part of on LinkedIn, and a question I am also asked by fellow InfoSec professionals and auditors is “which certification is easier to pass, CISSP, CISM or CISA?”

BLUF (Bottom Line Up Front): It depends… on what your professional background and experience (or, in some cases, your lack of experience) are.

My background is technical: I provided support for a number of years to banking trading floors, not the open outcry trading pits of the commodities exchanges or the NYSE, but rather row upon row of traders with a phone in their hand bent over screens that constantly flicker as the commodities or stocks they follow change prices and their own “books” (records of the financial positions they hold) are updated to show current value. In order to keep all of this running (downtime can quickly result in large losses) I had to become a jack of all trades in technology (voice, market data, personal computers and desktop workstations, servers of all types, mainframe communications, and multiple network media and protocols). Much of my knowledge was picked up on the fly from rubbing shoulders with people, usually vendors or consultants, who specialized in each of these areas, interspersed with occasional whirlwind classroom training sessions.

As things got more complicated, more staff were needed to keep all of this running, and because of my breadth of knowledge I found myself “managing” the help desk for a large trading floor. Due to an audit finding I was suddenly “promoted” to Information Security Officer and put in charge of re-building an InfoSec program that had been un-monitored for several years. As a result I got a crash course in information security, which was an eye-opening experience. Once the program was on track I turned over BAU to an unwilling associate (her words of “I don’t know anything about information security” were met with a “Steve will teach you” response from management) when the Continuity of Business expert was stricken with a sudden (and ultimately fatal) illness. When management decided that we needed to have certified staff to show the regulators that we took InfoSec seriously, this experience combined with my technical knowledge gave me the necessary background to be able to pass the Certified Information Systems Security Professional (CISSP) exam. Over a year prior to taking the exam I took a one-week (40 hour) CISSP exam prep course to help me focus on the elements the exam was likely to cover, but seeing as this was the first exam I had written in quite a few years I was hesitant to take the exam.

As part of changes being put in place to meet greater demands from regulators and the marketplace, I became more involved in developing compliance monitoring processes and ultimately in helping to develop risk-based models for governance. Moving from a model of “OMG there’s a vulnerability, we have to fix it” we began to focus on “what is the risk, what will it cost to fix it, should we fix it, and what are the compensating controls?”. This is the essence of risk management, and this, along with a corporate focus on becoming partners with the businesses we supported and understanding and working to meet their requirements, gave me the basis of the knowledge I needed to pass the Certified Information Security Manager (CISM) exam. Two months prior to taking the exam I took a one-week (40 hour) CISM exam prep course to help me focus on the elements the exam was likely to cover.

As a result of all this experience I qualified to be grandfathered into my CGEIT (Certified in the Governance of Enterprise IT). The grandfathering process didn’t require me to take an exam, but it did require that I provide ISACA with an essay on my significant experience across the various areas covered by the CGEIT knowledge base.

In December of 2009 I took my Certified Information Systems Auditor (CISA) exam. In preparation for this, starting two months before the exam, I took a 40 hour (5 weekends) course with my local ISACA chapter. In addition to the course I called on my experience as an Information Security Officer, a role in which I had to detect, assess, report and provide guidance on remediating broken/ineffective processes and technology, then start all over once the remediation action was taken; in essence, auditing without calling it an audit. Because of my experience it wasn’t difficult for me to master the material, although it did require me to stop and change my mindset somewhat to see all the questions from the point of view of an auditor.

While all of my experience in technology and InfoSec was a huge benefit in taking these exams, it was also a hindrance. All of my experience was colored by the corporate environment in which I work, by our policies, our standards and our culture. These were all things which the certifying body can’t take into account when scoring my answers. The thing to remember when taking any of these exams is that no matter what you think the answer is, the only one that counts is what the certifying body says it is. During my preparation for the CISA exam I was in a class with a number of seasoned and experienced auditors, some of whom had taken the exam previously but not achieved the passing score. One told the story of how, when her company mandated that staff take training and attempt the exam, several interns, still in college and with no audit experience, decided to study for and take the exam. The result: a number of the experienced auditors failed but the interns passed. Why? Because the auditors’ answers were colored by their own experiences, while the interns’ answers were straight out of the material provided by ISACA without the benefit of any practical, real-world experience.

So before you ask which certification is easiest, perhaps you should ask “which is most appropriate to my current or future role?” Chances are that is the certification that will be easiest for you.

WordPress Tags: InfoSec,Certification,CISSP,CISM,CISA,CGEIT,ISACA

While writing this, I was listening to "Michael Tozzi’s".
