Category Archives: certification

Announcing the Availability of an AI Governance Textbook

Seattle, WA – January 21, 2026 – Author Peter H. Gregory has announced that his latest book, “AIGP Artificial Intelligence Governance Professional Study Guide,” has been released. Available in e-book and trade paperback formats, the AIGP Study Guide has been published by Wiley Publishing under the Sybex brand.

The book is available from the publisher here: https://www.wiley.com/en-us/IAPP+AIGP+Artificial+Intelligence+Governance+Professional+Study+Guide-p-9781394363957

AI is being adopted by organizations worldwide, often without governance or executive management oversight. “Shadow AI” is a significant concern, as employees in numerous organizations circumvent AI embargoes and utilize personal AI accounts, often inadvertently leaking sensitive corporate data and relying on AI-powered guidance in the process.

“The AIGP certification is a step in the right direction, serving as a guide to organizations that need to quickly put guardrails in place without hampering innovation,” says Gregory. “Without governance in place, organizations are at risk of their AI systems introducing more problems than they are solving.”

Companion training course

Gregory has also created the training course, “Artificial Intelligence Governance Professional (AIGP) Certification: Your Guide to Building a Management and Governance System to Ensure Responsible and Ethical AI.” The course is available online at O’Reilly Media, an organization renowned for its training content and programs.

The course URL is https://www.oreilly.com/videos/artificial-intelligence-governance/0642572035624/.

About the AIGP certification

The AIGP certification was launched in 2024 by the International Association of Privacy Professionals (IAPP), a professional organization renowned for its privacy certifications. The release of the AIGP certification affirms its continuing leadership role.

About Peter H Gregory

Peter H Gregory is a career information security, privacy, and technology professional and a former executive advisor and virtual CISO. Peter H Gregory is a well-known author of best-selling tech books, including certification study guides for the world’s leading professional certifications in information security and privacy. He has authored over fifty books in the past twenty-five years, including “Solaris Security,” “CISA Study Guide,” “CISM All-In-One Exam Guide,” “Chromebook For Dummies,” and “The Art of Writing Technical Books.” Visit him at peterhgregory.com.

For interviews with Peter H Gregory, please contact him at: https://peterhgregory.wordpress.com/contact/

# # # 

You are free to disseminate this news story. We request that you reference Peter H Gregory and include our web address, www.peterhgregory.com

Announcing CISSP For Dummies, 8th edition

The best-selling certification study guide, CISSP For Dummies, will be published in its eighth edition in mid-2024. Authors Lawrence Miller and Peter H. Gregory have been the authors of CISSP For Dummies since its first edition was published in 2002, marking a 23-year collaboration.

[Image: CISSP For Dummies, 8th ed]

CISSP itself is celebrating its 30th anniversary in 2024. Established in 1994, CISSP has been the gold standard for cybersecurity certification since its beginning. Over 150,000 security professionals worldwide have earned the Certified Information Systems Security Professional (CISSP), and many have launched great careers as a result.

CISSP For Dummies contains all of the information that CISSP exam candidates are responsible for. CISSP For Dummies is written in the classic “For Dummies” tone, which is described as friendly and confident, as though imparted by your cool, helpful friend. The book goes beyond just the core examination material and includes sections on study plans, learning styles, maintaining one’s certification once earned, and the numerous ways in which CISSP certification holders can make the cybersecurity world a better place. Authors Miller and Gregory are passionate about this aspect of “giving back” to a profession that is critical in today’s world.

CISSP For Dummies, 8th edition, is available now for pre-order from Amazon, Barnes & Noble, Walmart, Target, and others.

About the Authors

Lawrence C. Miller, CISSP, has worked in information security and technology management for over 20 years. He received his MBA from Indiana University and has earned numerous technical certifications throughout his career. He has previously worked in Vice President and Director level positions at several small to mid-sized companies in various industries. He served as a chief petty officer in the U.S. Navy in various roles and is a veteran of Operations Desert Shield/Storm. He is the author of more than 130 other For Dummies Custom Edition books.

Peter H. Gregory, CISSP, CISM, CISA, CRISC, CIPM, CDPSE, CCSK, DRCE, A/CCRF, is the author of more than 50 books on security and technology, including Solaris Security (Prentice Hall), IT Disaster Recovery Planning For Dummies (John Wiley & Sons, Inc.), The Art of Writing Technical Books (Waterside), and CISA Certified Information Systems Auditor All-In-One Study Guide (McGraw-Hill). Peter is a career technologist and a security executive at a regional telecommunications provider. Prior to this, he held strategic security positions at Optiv Security (www.optiv.com) and Concur Technologies (www.concur.com). Peter is an advisory board member for the University of Washington for continuing education programs in cybersecurity. He is a member of the Forbes Technology Council, CyberEdBoard, InfraGard, and a graduate of the FBI Citizens’ Academy.

Tracking CPE Records

Those of us in cybersecurity and related professions have our professional certifications, many of which require annual CPE (continuing professional education) hours. Most of my certifications require 120 hours in each three-year period, or 40 hours per year on average.

I recommend you develop and maintain an offline workbook where you track your eligible CPE activities, and use the workbook to track when you enter your CPE hours for each applicable certification you hold. Accompanying the workbook, I further suggest you create a file folder hierarchy where you will store your required CPE evidence in the event you are audited.

I’ve been audited twice in the past twenty years. The first time was in the early 2000s by ISACA, who requested I provide the records for all of my claimed CPE hours.

I came up short in the ISACA audit, as I lacked evidence for some of my claims. ISACA passed me and permitted my claimed CPE hours, but the lesson was learned: I only record CPE hours for activities for which I possess digital evidence of the activity. Examples of the evidence I capture include a PDF of the “thank you for attending our event” email, a certificate of attendance (when issued), or some other artifact that reasonably proves my attendance.

I was audited again last week, this time by ISC2, who randomly selected one of my CPE activities (a 13-hour course on the CCSP certification by Cybrary). When claiming the CPE, I attached the certificate that Cybrary issued to me upon completion of the course. A few days later, after a human examined my evidence and called it sufficient, ISC2 informed me that I had successfully passed my audit.

If you have waited until now to enter your CPE hours for the year, good luck! It can be challenging to mine one’s records for CPE events. If this is you, I strongly suggest you start a workbook today and be more diligent in your CPE recordkeeping for 2024 and beyond.

Cybersecurity Pros: Be Sure To Stay Relevant

The tech sector is experiencing layoffs in significant numbers – tens of thousands, perhaps even hundreds of thousands by now. I’m old enough to remember several recessions – this is all a normal part of the boom-bust business cycle.

Several tech industry articles (here, here, and here) cite that cybersecurity professionals are still in high demand.

If you are a cybersecurity professional, I caution you to avoid thinking you are layoff-proof: many cybersecurity professionals are losing their jobs. Instead, take an inventory of your skills and certifications, and identify any gaps that might make you a weak candidate if you find yourself in the job market. Even in our business, applicants are quite competitive, so I’d advise you to honestly appraise the effectiveness and visual appeal of your resume. Hire a resume coach if you need to. I don’t want to see you unprepared if you are caught in a layoff.

To help identify skills gaps, look at cybersecurity job listings on LinkedIn, Indeed, or whatever platform you prefer. Understand what skills and experience companies are looking for, and how you compare. There is no better time to be honest with yourself.

I’m speaking from experience: I’ve been laid off twice in my career. It hurts a lot, and it can be hard at times to keep a positive attitude. I’ve been through all of it. Don’t blame yourself if you are targeted for a reduction in force.

Peter H Gregory’s Study Guides Available For Top-Rated Certifications

January 4, 2022

SEATTLE, Washington – Peter H Gregory’s top-selling certification study guides cover several of the highest-ranked certifications in the Salary Survey 75 list, including the #1 and #2 spots. Certification Magazine has just released its Salary Survey 75, the top 75 IT certifications ranked by U.S. salaries. The survey covered over 900 vendor and non-vendor certifications in IT, IT Security, and privacy. The survey also includes a “Simmering Salaries” list of certifications where certification holders’ salaries increased at least 7% in 2021.

Top-selling study guides written by Peter H Gregory include:

“I am pleased that my titles’ certifications have made such a strong showing,” says Peter H Gregory, who has published over forty books since 2000. “This success would not be possible, however, without strong support from McGraw-Hill Professional over the past thirteen years with the publication of the first edition of the CISA Certified Information Systems Auditor All-In-One Exam Guide.”

Gregory has written a total of twelve titles for McGraw-Hill Professional since 2009, including CRISC Certified in Risk and Information Systems Control All-In-One Exam Guide, second edition, co-authored with Bobby Rogers and Dawn Dunkerley, available for pre-order and expected to be available in late March 2022. Gregory’s other notable books include CISSP For Dummies (first published in 2002, now in its 7th edition), CISSP Guide to Security Essentials, second edition, Chromebook For Dummies, and Solaris Security. “All of my published books have fueled my passion for helping IT professionals successfully pursue IT security and privacy careers,” Gregory adds. “The skills that my readers learn enable them to better understand how to protect their organizations’ sensitive information and critical systems.”

About Peter H Gregory

Peter H Gregory is a career information security and privacy leader. He is the author of over forty books on information security and emerging technology. Visit him at peterhgregory.com.

For interviews with Peter H Gregory, please contact: peter.gregory [at] gmail.com

# # #

You are free to disseminate this news story. We request that you reference Peter H Gregory and include his web address, www.peterhgregory.com.

The Certification Conundrum

The world of certifications opened up to me in 1999, when one of my colleagues, a security manager, earned his CISSP. That is my earliest knowledge of IT professional certifications, to the best of my recollection. This was when I made my pivot from IT engineering to security engineering and, soon after, security management.

Immersed in IT security over several years, I already had the background and the experience, and passed my CISSP exam in November 2000 on the first attempt. Two years later, I studied for and earned my CISA. At the time, I thought that these two certs would be all that I would ever need. Funny how plans can go awry.

EC-Council released its CCISO (Certified Chief Information Security Officer) certification in 2011-2012 and offered me an opportunity to earn it through grandfathering. As is typical for security-related certifications, earning a certification through grandfathering involves a good deal of paperwork, documenting one’s experience in one or more domains, and having one’s current and former supervisors attest in writing that the experience is genuine.

My reasons for obtaining the CCISO certification were two-fold: first, I wanted to show that I had the chops to be a security leader – a CISO. Second, I wanted to someday have a job where that was my job title, and I believed that having the cert would demonstrate that I had the background for such a job.

Four years later, I reached that goal, as the CISO for a Los Angeles-based public company, on a contracting basis, for two and one-half years. Mission accomplished.

A couple of years later, during certification renewal season, I re-evaluated all of my certifications and decided, for each, whether to renew them or not. For only the second time, I decided not to renew a certification, and I let my CCISO certification lapse.

Here was my thought process: I had had CISO in my job title for over two years, a testament that I had not only the desire, but the experience, of being a CISO. The CCISO cert felt like a proxy that was no longer necessary, since I had the real thing. For me, getting CISO after my name involved either the certification or the job title, and having both did not seem to add value.

I want to be clear on one thing: EC-Council is a fine organization, and my experience with them has been nothing but positive. This article is not a hit-piece on the organization or the certification, and I can understand that other security professionals may have different reasons for choosing to earn and retain the CCISO.

Checkbox CPEs

Those of us with security certifications like CISSP, CISA, CISM, and others are acutely aware of the need to get those CPE hours completed each year. Typically, we’re required to accumulate 40 hours per year and to keep accurate records of learning events, along with evidence that we did indeed attend those events.

I was audited once, over a decade ago, and came up a bit short on my evidence. Since then, I’ve been meticulous in my recordkeeping and maintaining proof of attendance. But this piece is not about recordkeeping.

Are you finding your CPE events to check the box? Or are you pursuing new knowledge and skills?

I’ll tell you a secret: the certification organizations don’t know whether you are doing the minimum to check the box or pursuing knowledge with enthusiasm. They don’t ask, and they don’t care.

You should care, however, and the difference will show. If you are just checking the CPE box, you will not be learning much, and you’ll be a weaker contestant in the employment market. By not making a real effort to grow professionally, you’ll slowly fall behind. While you may be able to fake it for a while, your learning negligence will catch up to you, and it will take considerable time and effort to dig yourself out of the hole you slid into. Not only will you have to spend considerable time catching up on security topics, but you’ll also have to undo the habit of doing the minimum to slide by.

My CISSP Journey, Part 5: Earning the CISA

In the first four parts of this series, I describe my preparation for the CISSP exam, writing exam questions, proctoring exams, and writing study guides for two different publishers. My CISSP journey took a second, parallel path when I had the opportunity to sit for another examination.

I don’t remember now where I first heard of the CISA certification, but it had to be in 2001, early in the purely-security part of my career. CISA, or Certified Information Systems Auditor, is a certification from ISACA (then known as the Information Systems Audit and Control Association, but now simply known as ISACA). CISA was established in 1978, whereas CISSP is much younger, established in 1994.

My distinct impression in 2001 was that possessing the CISSP and CISA certifications together was a Golden Ticket in the information security industry. I was young and aspired to more significant roles in the business, so I pursued the CISA with vigor.

I am grateful that my employer purchased CISA study materials for me, which consisted of a large question bank and extensive study materials. While there is considerable overlap between the CISSP and CISA certifications in terms of the domains of required knowledge, I soon learned that the vocabulary of information security was far more extensive than portrayed by CISSP. I especially struggled with the terminology and practices of IS audit, having been audited but not having been an auditor. Still, I was determined to succeed.

I registered for and sat for the CISA exam in June 2002. The exam itself was every bit as difficult as the CISSP examination and was Scantron-based as well. It’s incredible how you can get a cramp in your hand filling in little bubbles, although I think this is in combination with the mental stress that accompanies it.

As with the CISSP exam, I thought I had failed, as the exam questions were tough. However, a month or so later, a letter came in the mail from ISACA that told me that I had passed! I was over the moon and wore the twin monikers CISSP and CISA proudly.

A year later, ISACA released the new Certified Information Security Manager (CISM) certification, and I had an opportunity to earn it through ISACA’s grandfathering process. I thought to myself: I have the CISSP and CISA certifications; why do I need any more? I did not pursue the CISM grandfathering opportunity, a decision I would later regret for almost a decade. I did, eventually, sit for and pass the CISM exam, by the way.

In later years, I would earn more certifications in other topics such as disaster recovery planning, cloud security, privacy, and cardholder security – some grandfathered, some with arduous study and exams.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

My CISSP Journey, Part 1: The CISSP Exam

In the 1990s, my IT engineering and management career was thriving. I led a team of about 15 seasoned professionals and worked in a business unit where information security was a key objective. We rose to the challenge and brought several key capabilities into our work environment, including multi-factor authentication, encrypted remote access (via modem), firewalls, and hardened servers and workstations. My part of the enterprise fared quite well in penetration tests conducted by an outside firm.

Before this time, I had spent years in computer operations and more years in Unix and C-based software engineering, so my IT background was quite broad. This experience proved later to be a solid foundation for my pivot into security.

In 1998, I was looking for a good book on Solaris security but could find nothing at all. I called one of my publisher connections at Sun Microsystems Press and secured a book deal to write the book, Solaris Security. Writing this book proved to be a great learning opportunity to shore up my knowledge in various areas.

In 1999, I met a colleague, Bob Maynard, who had his CISSP certification. Before knowing Bob, I had not met anyone with this certification, and it intrigued me. I looked at the (ISC)² website and decided that I would pursue this certification.

There were no books in print in 1999 or 2000 on the CISSP certification. The only available training was directly from (ISC)², and it was expensive even then. But my colleague Bob had his giant three-ring binder from the course that he had taken the year before, and he agreed to let me borrow it for a few months. He said apologetically that he had written numerous notes on the pages, which I told him would add more value.

In 2000, the CISSP exam was offered only once per year in Seattle, and I had just missed it. I found an exam in November in Colorado Springs, booked a flight, and registered for the exam.

I pored over Bob’s CISSP course binder studiously for months, right up to the night before the exam. There were no practice exams of any kind, so I was unsure of whether I would pass.

The exam itself was arduous – and that’s about as nice as I can describe it. At that time, the proctor in the room would pass out the exam books, which were sealed and serial numbered, and we were instructed to make no mark of any kind in them. Next, the Scantron sheets were handed to us, and we were directed to fill in our names and other information. As you may know, Scantron involves the use of a pencil and filling in little bubbles that are machine scanned. Your hand will become sore after filling in more than three hundred of these bubbles, but that’s not the worst of it.

[Image: Typical Scantron answer sheet]

The exam questions are brutal. Rather than black-and-white, they explore shades of grey and challenge your intimate knowledge of the subject matter, which ranges from the desired height of security fences to hashing algorithms. The CISSP test at that time consisted of 250 questions, with a six-hour time limit to answer them all. I used nearly all of the six hours, double-checking several of my answers. I turned in my exam sheet, not at all confident of my prospects for passing.

I drove back to the airport, turned in my rental car, and boarded my flight back to Seattle. I fell asleep on the plane before they shut the door, and the flight attendant had to rouse me in Seattle, where I was the last passenger to disembark the aircraft. I usually don’t sleep on airplanes; for me, this was an outward sign of my mental exhaustion after taking the exam.

In Part 2: writing CISSP exam questions.

In Part 3: proctoring CISSP exams.

In Part 4: writing a CISSP study guide.

In Part 5: earning the CISA and other certifications.

In Part 6: continuous education and CPE recordkeeping.

In Part 7: paying it forward.

State University Gives Copies of Security Career Books to Students

Earlier this year, Georgia State University asked me to speak at an information session for students in its Master of Science in Information Systems (MSIS) program. Students needed to choose their study concentration; my job was to describe the information security profession to them so that they could choose whether to elect the security concentration or one of two other concentrations.

The university gave all of its MSIS students a copy of one of my recent books, Getting an Information Security Job For Dummies. University officials recognized that the book accurately describes the profession, how professionals can learn more about the profession, career choices within the profession, and steps someone can take to get into the profession.

After my talk, university officials informed me that twenty-five students elected to pursue the information security concentration. This was greater than they expected, and they were pleased with the outcome. They expressed their gratitude to me for the time I took to describe the profession to them and answer their questions.

Insights into CRISC certification quality

I spent the previous Friday and weekend at ISACA HQ in Chicago at a workshop. The objective: to examine about 360 candidate exam questions for the CRISC (Certified in Risk and Information Systems Control) certification.

There were about 30 of us who worked in three independent groups that consisted of a facilitator (Richard Norman, a security manager in the UK), a scribe (Kim Cohen, the Certification Exam Development Manager at ISACA), and eight risk management experts from many different organizations including Bank of America, Caterpillar, Premera Blue Cross, and Verizon Business.

We had our work cut out for us. Each group had about 120 exam questions to examine, discuss, edit, and ultimately determine whether each is a good question based on many different quantitative and qualitative measurements. Oftentimes our discussion of a question became a discussion about security or risk management practices (including what companies should be doing and what they are actually doing). Richard, our facilitator, and Kim, our scribe, kept us on task and on pace.

The hard work began long before the three-day weekend. Going back to May 2013, we each began our training on writing certification exam questions for ISACA, and over a four- or five-week period we each wrote a total of twenty exam questions. Anyone who thinks this is an easy task does not understand the rules and the discipline required for the task. It is quite difficult.

I’ve been trained by two other certification organizations in exam question writing, but ISACA has really upped the game. The rigor and quality that ISACA puts into certification exam question development is impressive. There are several levels of review, by different teams of vetted subject matter experts, on each question before it sees the light of day. And the analysis does not stop after the exam question has been finalized and approved. Analysis of how test takers answer the question continues throughout the life of the exam question. It is no wonder that CRISC won the Certification of the Year Award from SC Magazine.

ISACA has been in the certification business longer than just about anyone in information technology. ISACA itself started in the 1960s, and the CISA certification began in the 1980s; tens of thousands of security and IS audit professionals have earned the CISA certification, and it remains one of the top IT security certifications today.