By Dr. Chris Veltsos, CISSP, member of (ISC)² Advisory Council of North America
After many years of developing expertise in several technical domains, you’ve decided that this year you will invest more diligently into Group B CPE professional development activities. But how should you go about it? The official (ISC)² CPE handbook provides guidelines about the many options that will count towards Group B CPEs — and how much they will count — but figuring out how to prioritize the vast array of choices can be a challenge. After all, the field of possibilities is wide open, leaving us wondering which road to take. Here are four “B” keys to designing your own professional development blueprint.
One BRICK at a Time
The CPE handbook describes Group B activities as enhancing your “overall professional skills, education, knowledge, or competency outside of the domains associated with the respective certifications.” A key difference between Group A (aka domain expertise) and Group B (general professional development) activities is that it can be much harder to see the immediate value of a single activity in Group B as compared to an activity in Group A. And that’s exactly why I chose the metaphor of a brick.
Bricks are basic building blocks. By themselves, bricks are nothing fancy — especially when compared to the more enticing and timely concepts related to domain expertise (e.g. cloud security, containers, incident response, IoT). Bricks can have different shapes and colors and can be made of different materials; in other words, they come in a variety of options. But the most amazing part of working with bricks is what happens when they are laid down side by side or stacked one on top of the other according to a well-designed blueprint. You’ve now built homes, buildings, entire cities and other amazing structures.
What do bricks have to do with Group B professional development? When looked at individually, it can be challenging to see how these basic units can amount to something greater. Yet, when assembled as part of a coherent plan, both can result in a significant achievement. So invest in yourself, one brick at a time, but don’t forget to design your Group B blueprint first.
A BUSINESS Focus
What general professional development activity should be part of your blueprint? Well, a business focus of course, but not necessarily in the narrow sense of the word. Yes, investing in your knowledge of business concepts (management, finance, accounting, balance sheets) would provide value, but consider the broader sense of the word business as well, at a macro level. What powers your organization? What is your organization doing to stay competitive? How are decisions made, by whom, after what kind of deliberations? How are risks taken into account in the decision-making process, and does this happen throughout the organization, or just at the very top levels? How tightly integrated are strategy, business objectives, and risks? The tenets of good governance and enterprise risk management can greatly benefit your team. Two great primers in this respect are ISO 38500:2015 Governance of IT for the Organization as well as the executive summary of the COSO Enterprise Risk Management — Integrated Framework (aka COSO ERM).
For example, psychology adds to our understanding of human behaviors, while marketing helps organizations figure out new ways to convince us to empty our wallets, but it might not be immediately clear what either one has to do with your organization or its cybersecurity function. When combined, however, these two domains can help your organization improve the way it engages staff on the issue of security awareness, by helping lower our resistance to change and by improving the long-term change in behaviors.
Explore the Full BREADTH of Possibilities
As you consider which Group B activities to add to your professional development blueprint, cast a wide net to consider the full breadth of options. As noted in a previous article, growth occurs when we step out of our comfort zone, when we try new things, or navigate new areas. While it may be tempting to decide to explore more deeply an area that you’re already familiar with, challenge yourself to take the leap into something new. As one HBR article puts it, exploring a new area can result in “personal growth — greater emotional agility, empathy, and creativity.” Speaking of empathy, improving our ability to listen to others and offer the right kind of help in the right way helps us build bridges across the organization.
Become a BRIDGE Across Worlds
An exciting way to explore Group B options is to look at things in a new light, to bridge different worlds. In a seminal article, Deloitte analyzed the role of CISOs and determined the “four faces of the CISO.” CISOs complained about being stuck in “guardian” and “technologist” roles and reported aspiring instead to be seen as “strategists” and “advisors” to the business. As the security function evolves from a technology issue into a whole-of-business issue, it is critical for security professionals to practice seeing and understanding things from multiple viewpoints, to break down silos, and to see the whole picture.
To become a bridge, start purposefully growing your network, both inside and outside your organization. This broader network will help you get connected to people who see the world differently than you — that’s a good thing. Bridges connect people with others, so the next time you talk to someone who could use some assistance, think about who in your network could lend a hand. If you do this long enough, you’ll notice a change in how you look at things and ways you can help and be more strategic. Conversely, people around you will start seeing you in a new light, as a problem solver, a friend of the business, and someone they can trust to be heard and understood.
Be in It for The Long Run
Brick by brick, you can extend your knowledge and understanding to new areas. Brick by brick, you can expand your network and broaden your perspectives. Yes, at first it may be uncomfortable to engage with people outside of your domains of expertise. And yes, initially it might not be clear how your Group B professional activities will pay off, or even whether you’ll see a change in weeks or months. But as Steve Jobs said in a 2005 Stanford graduation speech, “You can't connect the dots looking forward; you can only connect them looking backwards. So you have to trust that the dots will somehow connect in your future.”
The cyberattacks facing organizations today are multi-faceted, with some coming at us simultaneously from multiple domains — not just the technology domain. We owe it to ourselves and our organizations to be as well rounded as possible to connect the dots, to bridge the divide between IT, security, and the business, to help our organizations be as cyber resilient as they can be.