Kantoku: Project Shutdown and Future Comeback

Kantoku is a self-hosted application for companies to manage their IT governance, risk management and compliance (GRC). As mentioned in a previous post, I developed this application during the first part of 2016. At first, it was a Software-as-a-Service (SaaS) solution with a really nice high-availability infrastructure on AWS. However, I had to put aside the infrastructure behind the SaaS solution. Back then, it was mostly a question of priorities. To keep the project alive, one alternative was to offer Kantoku as a self-hosted application. In that case, companies would still be able to buy a licence and install the application on their own servers.

Shutdown

I mainly developed this application to help small and medium enterprises (SMEs) manage their IT GRC more efficiently. Even SMEs have compliance obligations. I thought it was a niche market where it could have been possible to offer something different from the existing solutions: an application that would be simpler and more affordable for everyone. It was also an interesting complement to consulting services. However, I did not account for these two situations:

Small and Medium Enterprises

SMEs are fortunate if they have someone who is aware of the main IT GRC concepts. They will probably have a consultant who helps them with their compliance obligations, which can be cheaper for them than having a full-time employee. However, their GRC needs are often not complex enough to justify the implementation of a dedicated application. They will prefer to work with many documents such as spreadsheets and emails rather than learn a new application workflow. SMEs don’t necessarily see the value in monitoring their GRC, and I understand them. They want to concentrate on their core business, where they can generate a direct income.

I also have to admit that one of my weaknesses is the selling side of a business. I really need to be convinced that my product and/or service will be beneficial for the client. Otherwise, I don’t want to sell anything, since I care about my clients. This was not always the case with Kantoku and SMEs. Most enterprises need help with their IT GRC strategies, and I obviously see the value for them in having a consultant to help them, not an application that they will barely know how to use. If I have to push too hard in my explanation of a solution’s features, maybe it is not the right solution for the client.

Larger Organizations

Larger organizations often have the budget to acquire a well-known solution with all the advanced functionalities, such as RSA Archer, Resolver, MetricStream, Reciprocity, etc. It is really hard to compete with solutions that cost more than just a few thousand. Furthermore, these organizations will not see the difference. They are expecting the same features, which is understandable.

Future Comeback

As I said before, even if I am really proud of this IT GRC application, Kantoku will be shut down. Another reason is that my professional life and other projects all revolve around the IT GRC field. I need a project that will be in a completely different field. It is also important for me to stay neutral when it is time to provide consulting services in IT GRC. I can’t provide a solution in IT GRC and remain impartial towards other existing solutions. There is also an open source solution that I really like, Eramba. It could be an interesting alternative for many SMEs with an interest in their IT GRC. I exchanged a few emails with the founder, and I would prefer to work with them in the future.

Why a future comeback? I am already working on something else, but I don’t want to say too much about it yet. It will be an application that is not at all in a niche market. So many applications like that one already exist. However, I am still not satisfied with the current offers. Not being in a niche market, it should be easier for me to sell, since all organizations will understand how it works. They all need a solution like that one. This time, it will be a SaaS solution, and I will probably reuse the domain name kantoku.io.

CISSP: Passed, and One More Milestone Completed

Done. The 6-hour exam with its 250 questions is finally in the past. Yes, I am talking about the famous CISSP, or “Certified Information Systems Security Professional”, exam from ISC2. This is the certification that most information security professionals will try to obtain at one point in their career. Why? For most recruiters and companies looking for a professional in information security, the CISSP is now the golden ticket for employment in this field.

Studying

I would say that it all started in 2015. Back then, I decided to pursue the SSCP, or “Systems Security Certified Practitioner”, from the same organization. This was a shorter exam, which is a little more technical, but not deeply technical either. It gave me a first experience with an ISC2 exam before pursuing the CISSP. Both exams share some similar domains, but not necessarily at the same level.

For studying, I only bought the official study guide, the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, which I think is really well written. Knowing that I perform much better when I have the opportunity to practice beforehand, I used the official practice tests, the CISSP Official (ISC)2 Practice Tests, and even the mobile application, which is really great to use during the daily commute. There are many resources available with thousands of questions.

The exam itself is like any other exam, just longer and more expensive. What about the duration? In about 4 hours, I was able to answer the questions and review a few trickier ones.

Criticisms

There are some criticisms of this certification among professionals in information security. There seems to be a misconception about the knowledge and experience obtained with this certification. These days, a company will look first for a candidate with a CISSP for any kind of role related to the world of information security, from the typical information security analyst to technical roles such as penetration tester, security architect, encryption specialist, cloud security specialist, etc. This is the biggest mistake.

In my opinion, this is a management-level certification giving better insight into policies and standards. A CISSP holder will be able to guide and manage the information security objectives of an organization. However, the person in this role will be supported by people with technical know-how. It is not a technical certification. Obviously, it depends on the person’s professional background, since it is possible to have a CISSP holder with a deep understanding of the technical concepts.

Certification

Well, it is now the waiting period. I will hopefully obtain the CISSP certification some time in 2019, after I have completed the required experience. Every holder must have 4 to 5 years of direct information security experience in at least 2 of the 8 domains. I must admit that this is a great advantage of this certification. A one-year waiver is possible depending on previous academic experience and other certifications. I had a similar situation with the CISA, where there is a 2 to 5 year requirement.

What’s next after the CISSP?

I am still unsure about the next step. I think I have completed the majority of relevant certifications. On the other hand, I am always curious about privacy matters, and I would like to be more proficient in questions related to privacy law. There is indeed a certification from the International Association of Privacy Professionals that piqued my interest, but that will be for a different post…

Why did I do the OSCP certification?

I am more of an IT auditor, on the business side of information security (at least in theory; I still like doing many technical projects). However, it was still important for me to pursue the Offensive Security Certified Professional (OSCP) certification. At first, I was maybe interested in a career as a penetration tester (pentester), and it was indeed a good way to confirm, or not, my interest.

The OSCP certification is unique among IT certifications. Students don’t “simply” learn theory and pass a multiple-choice exam. To obtain the certification, students have 24 hours to gain privileged access to 5 servers. After that, they have another 24 hours to write a report. Basically, it is a simulation of a client engagement to perform a penetration test.

Students learn by studying the Penetration Testing with Kali (PWK) course, which introduces different methods of compromising servers. There is an electronic book and also really good videos. The material gives students an overview of each concept. Kali is the Linux distribution maintained by Offensive-Security, previously known as BackTrack. In any case, the most important part is definitely having access to the virtual lab, Offensive Security Penetration Testing Labs. The lab is where students can exploit many machines with different types of attacks. It is almost impossible to pass the final exam without spending an impressive amount of time in the lab.

I must admit that I thought at first that it would be easier to get through that intensive training. If you are interested in this certification, and in the field of penetration testing, this is an amazing experience. However, you will need a lot of determination. You will get frustrated many times, and be stuck on many servers in the lab. Not just for an hour or two, but probably for many days. It is possible to get through all the servers, well, most of them… The solution is often quite simple once the attack vector has been discovered. After the first few servers, it becomes more and more of an addiction to find a way into a new machine.

You can always ask for help on their IRC channel, but they will never give out the solution, or will simply respond with… “Try Harder!”. And, yes, they are serious about it. I was not sure that I really understood the meaning of those two words at first. I never really asked questions in class, since I prefer to figure things out on my own. Most of the time, it is simpler and resources are available online. With the OSCP, that was not the case at all. They will be happy to guide you, but their responses are still vague, even if you have solved part of the problem. You will need to be ready to learn by yourself. The PWK does not give you the solution; it just gives you tools to help you later in the lab.

I did the exam in January 2016, more than 1 year ago, and I still remember it. It was probably more difficult than most exams I took at university or for other certifications. When I see someone with a certification from Offensive-Security, I know that they have gone through a lot. I don’t think that I will become a pentester in my professional life. However, it is definitely an important asset for anyone working in information security. I would recommend it without hesitation.

Past 3 years, and a new beginning

It has been a little more than 3 years since I graduated with my bachelor’s degree. I must admit, it has not always been simple to figure out what I wanted to do. It could have been easier, but overall, I understand now why those different experiences were required for me.

Deloitte

In 2014, I got my first full-time job related to my bachelor’s degree, and it took me almost a year after graduation to finally receive an offer. It was not an offer from the smallest organization, but from one of the largest professional services firms. I will always be grateful to Deloitte for giving me an opportunity. However, after a year there, in 2015, I was kind of lost, and I left. I must say that I had worked mostly as an independent consultant from 2003 to 2014. Working for a firm was a huge change, and I was definitely not ready for that commitment as a recent graduate. I was also not sure about the kind of work I wanted to do.

During that year working for the firm, I was always asking myself so many questions. What would it have been like to do something else? I was not sure about the path that I wanted to take. More technical or business? I was not even sure if I wanted to pursue my own projects. Before that, I have to say, I was mostly doing technical mandates related to web development and infrastructure maintenance.

Nukern

After Deloitte, I had the opportunity to work with a startup, Nukern, developing a SaaS application related to hosting automation and billing. I was only there for maybe 8 months, but it was a great experience. I also had to manage a small team for the first time. Again, I was probably not at the right place at the right time. I was honestly probably not ready to invest as much time in a startup of which I was not a co-founder.

Kantoku

More recently, I developed Kantoku, an IT GRC application that allows organizations to manage their assets, risks, controls, documents, compliance requirements and audits. I am really proud of this application, and it was also the beginning of my own company. Throughout the years, I did so many projects on the web. However, Kantoku is really different in that it is directly related to my professional field. Nonetheless, I am not quite ready to work full-time on Kantoku. More about that in a future post. I also did a few consulting mandates during that time.

Next

Anyhow, I was looking to go back to full-time employment after finishing the development of Kantoku. I am really proud to say that I got an amazing offer from PwC as a senior associate for their Montreal office. I am definitely looking forward to this new opportunity, and I consider myself lucky to have that second chance in a Big 4 firm.

With this post, I wanted to point out that things are not always as straightforward after university. I had a well-defined plan in my head during my bachelor’s degree, but it did not work out exactly how I was expecting. But I am sure that it was for the best, and I would probably make the same choices. Now, time for a new beginning.

CISA exam passed, now the required experience

Back in the summer of 2013, I was interested in passing the CISA exam even if I could not obtain the certification without experience. This was a way for me to demonstrate my interest in IT audit to potential future employers. I thought that I could have done the exam in December 2013, but I wasn’t sure enough that I was ready to pass, and considering the cost, I preferred to wait until the next date. Furthermore, it is possible to sit for this exam only three times per year, in June, September and December; it is the same exam everywhere in the world at the same time. June 14, 2014 was finally the date, and I sat for the CISA exam here in Montreal.

I’m not yet sure how to explain this experience. I read a lot on the Internet about other people’s experiences and how I could prepare myself for this day. People have normally read many books to study for this exam. For me, I really tried to read the official manual from ISACA and, to be honest, I was falling asleep after only the first few pages. However, I practiced many hours with the CISA Review Questions, Answers & Explanations Database which, in my opinion, is the best resource that someone could use to study for this exam. Even if I didn’t have any experience in IT audit, nor had I read a book related to the CISA, my past technical experience in IT was really useful, as was the knowledge from my different degrees. This is certainly an exam that requires a really broad set of general IT knowledge.

The true challenge with this exam is to learn how to think like ISACA and to understand their kind of questions. Of course, a multiple-choice exam seems really simple to pass, but the right answer is always the best answer according to ISACA. It is usually easy to eliminate two of the four choices, but the last two are always confusing, because one could be the right answer from a technical point of view but not from an IT audit perspective. This is not the hardest exam, but stupid mistakes can easily occur during a four-hour exam with 200 questions.

Now that I have passed the exam, I have to fulfill the experience requirements to officially obtain the CISA certification. Five years are normally required with tasks related to the five CISA domains, but waivers of up to three years are possible when a candidate has prior education, experience or other certifications. In my case, my bachelor’s and graduate degrees, together with general IT work experience, will waive up to three years.

Jean-Philippe Rivard Lauzier: I offer consulting services in the fields of information security, compliance and assurance. I am a certified CISA, SSCP, CCSK and OSCP, and I also hold a graduate degree in IT governance, audit and security. In addition, I am the founder of Kantoku, an IT GRC application.
