Who doesn’t want to learn from the masters? In this article, My Infosec Job shares what we learned from Peter H. Gregory, security guru and author of more than 20 books in the field, including CISSP for Dummies and the CISA All-in-One Guide, among others. We asked pointed questions about his Information Security career as well as for tips on our own careers. His thoughts are valuable to newcomers and senior professionals alike, helping us broaden our awareness of skills shortcomings, the value of certifications versus graduation, Information Security career challenges and much more.
So, let’s cut to the interesting part. I hope you enjoy his advice on becoming a better professional!
My Infosec Job: Dear Peter, can you please give us a brief description of yourself?
Peter: I am a technologist with thirty years of experience, with a lot of gas still in my tank. I’ve operated mainframes, programmed minicomputers, built Unix- and Windows-based IT environments, and been a jet-setting software engineer, in government, banking, non-profit, wireless telecommunications, and financial services. My career made a hard shift into security in 1995 when I was responsible for protecting a secret high-tech business unit from industrial espionage. Security has been in my title or job description from that time forward.
I’m also an author, having published twenty-two books on security and information technology for several publishers. These books, along with my public speaking and service in InfraGard, the Pacific CISO Forum and the FBI Citizens Academy Alumni Association, align with my philosophy of the servant leader.
What’s your current job about?
I am responsible for virtually every aspect of information security, business security, and risk management at a financial services organization in the Seattle area. My job ranges from security policy development to penetration scanning to security awareness training and editing legal contracts. The variety is challenging and interesting, but the wide variation of activities rests firmly on the basic principles of information security: confidentiality of sensitive information, integrity of information and the business, and availability of services.
What made you lean towards IT Security?
Asset protection has always been interesting to me. I took great notice of physical and logical security controls from the mid-1970s, when I first worked on CDC and DEC mainframes in government and institutes of higher education. In the mid-1980s I was a lead software engineer at a company that developed casino management applications that included security and fraud controls. This really opened my eyes to the broad array of risks and controls facing larger (and smaller) organizations. My fascination for asset protection continued to grow.
In the 1990s I was a Unix systems architect for a large non-profit, and security became very important. Fortunately my manager knew this as well. In the mid 1990s, I was a consultant building IT infrastructure for startup organizations. A Sr VP I worked for was very conscious of industrial espionage and leakage of intellectual property, and he directed me to implement many security controls that were not common at that time (such as encrypted remote access and encrypted T-1 connections). This work really put me on the map, and over the next five years I founded and staffed the corporation’s enterprise security architecture department and became the company’s security strategist. From that time forward I had a strong reputation for being an accomplished and capable security expert in the community.
Today I am the business and technical security officer for a financial services organization. My security experience over the past twenty years helps me to be effective in this position.
What has been the biggest challenge you faced in your career?
The biggest challenge for me was making the transition from managing information systems (that is, computers, software, networks, and so on) to managing people. I supervised software engineers in the 1980s, and was an IT manager in the mid-1990s, but in both settings my focus was on using others to realize the vision of applications and IT environments. Those times were good training for my work today as a security manager, where the bulk of my work revolves around changing people’s behavior and understanding of the risks associated with the use of information systems. Now that I’ve been doing this for ten years, I have good perspective and really appreciate the difference between the relative simplicity of setting up information systems and changing people’s behavior. The former is far easier, while the latter is far more challenging. Information systems blindly and unemotionally obey our commands and do exactly what we tell them to, while people take a little more coaxing. I have a deep appreciation for the skill required to change how people think about systems.
What factor (or factors) has been the major contributor to your success?
I’ve had many mentors throughout my career, but two stand out as being pivotal. The first is Ralph Pratt, an IT Operations Manager I worked for in the 1980s, who coached me as I developed a training program for a new Excel-like computer program that ran on Unisys mainframes. In Ralph’s office, we role-played: I was the instructor and he was the student. He helped to impress some important points upon me in those thirty minutes that would otherwise have taken years to understand. In short, he helped me to understand how to teach non-technical people to perform complex and often-abstract tasks using computers.
The second mentor was the Sr Vice President and Chief Scientist for McCaw Cellular Communications (which later became a part of AT&T), who impressed upon me the need for absolute secrecy for a large project we worked on. In this new business unit I was responsible for establishing and operating the business unit’s complete suite of information systems: servers, workstations, networks, and so on. We knew that we would be the target of industrial espionage and we took great lengths to protect our systems. For private industry we were years ahead of the curve.
Are you a certification or a graduation person?
I have always been a certification person. While I don’t have a long string of certificates behind my name, the three that I have represent a broad coverage of business and technical risk management regarding the use of information systems. Organizations need information workers with experience and commitment, and certifications are good indicators of that.
I am college educated, and recognize the great value that it brings in the shaping of the whole person. An advanced understanding of our language, the history of the world, and social sciences helps nearly everyone in their interaction with others and in their business decision-making at any level.
What’s your biggest weakness and what have you done to overcome it?
In my transition from managing information systems to managing people, I found myself often frustrated when people did not immediately “get it”. I had grown accustomed to information systems’ immediate and blind obedience to my commands, and the transition was often a painful one. I had to grow my people skills, which required me to develop intuition, insight, empathy, compassion, and patience. While I feel that I have successfully crossed the chasm, I still remind myself that I need to consider people’s response to whatever I say or do.