
CISSP Certified and the Next Steps

Jean-Philippe Rivard Lauzier

I finally obtained the Certified Information Systems Security Professional (CISSP) certification. It is definitely the most well-known certification in the information security industry and the one recommended for any professional in this field.

What is the CISSP?

It is not necessarily the most technical or specialized certification. Information security might seem like a single, well-defined area, but it is quite the opposite: there are many possible domains. The CISSP is the ideal certification for learning a little bit about each of these specializations. It is more oriented toward people who work at the management and/or governance level. It is also a great certification for anyone who does consulting. I published a post back in 2017 when I passed the exam.


The main advantage for a CISSP holder is being able to easily attest to a minimum of 4-5 years of information security experience, since this is a basic requirement of the ISC2 organization before it awards the designation. Not all CISSP holders have the same kind of experience: I am still surprised by how many people with the designation are clueless about many technical aspects of information security. However, CISSP holders often know most of the concepts.

And, let’s be honest… It is also the first thing that gets checked when it’s time to hire for a security position or to grant a new consulting mandate. That’s the real worth of the certification.

Obtaining that certification was my first objective when I decided to steer my career toward the information security field, back in 2012. To celebrate this important milestone, I decided to release a new website with updated information.

Next Steps

There is always a possibility to… well… publish more. However, I will pursue my master’s degree throughout 2019. It is finally the year in which I should complete the essay. I would also like to make a comeback with a simpler version of my previous GRC application. But nothing is really defined yet.

Kantoku: Project Shutdown and Future Comeback

Jean-Philippe Rivard Lauzier

Kantoku is a self-hosted application for companies to manage their IT governance, risk management and compliance (GRC). As mentioned in a previous post, I developed this application during the first part of 2016. At first, it was a Software-as-a-Service (SaaS) solution with a really nice high-availability infrastructure on AWS. However, I had to put aside the infrastructure behind the SaaS solution. Back then, it was mostly a question of priorities. To keep the project alive, one alternative was to offer Kantoku as a self-hosted application. In that case, companies would still be able to buy a licence and install the application on their own servers.


I mainly developed this application to help small and medium enterprises (SMEs) manage their IT GRC more efficiently. Even SMEs have compliance obligations. I thought it was a niche market where it could have been possible to offer something different from the existing solutions: an application that would be simpler and more affordable for everyone. It was also an interesting complement to consulting services. However, I did not account for these two situations:

Small and Medium Enterprises

SMEs are fortunate if they have someone who is aware of the main IT GRC concepts. They will probably have a consultant who helps them with their compliance obligations. It could be cheaper for them than having a full-time employee. However, their GRC needs are often not complex enough to justify the implementation of a dedicated application. They will prefer to work with many documents such as spreadsheets and emails rather than learn a new application workflow. SMEs don’t necessarily see the value in monitoring their GRC, and I understand them. They want to concentrate on their core business, where they will be able to generate direct income.

I also have to admit that one of my weaknesses is the selling side of a business. I really need to be convinced that my product and/or service will be beneficial for the client. Otherwise, I don’t want to sell anything, since I care about my clients. This was not always the case with Kantoku and SMEs. Most enterprises need help with their IT GRC strategies, and I obviously see the value for them in having a consultant to help them, not an application that they will barely know how to use. If I have to push too hard in my explanation of a solution’s features, maybe it is not the right solution for the client.

Larger Organizations

Larger organizations often have the budget to acquire a well-known solution with all the advanced functionalities, such as RSA Archer, Resolver, MetricStream, Reciprocity, etc. It is really hard to compete with solutions that cost more than just a few thousand. Furthermore, these organizations will not tell the difference between solutions. They expect the same features, which is understandable.

Future Comeback

As I said before, even if I am really proud of this IT GRC application, Kantoku will be shut down. Another reason is that my professional life and other projects all revolve around the IT GRC field. I need a project that will be in a completely different field. It is also important for me to stay neutral when it is time to provide consulting services in IT GRC. I can’t provide a solution in IT GRC and be impartial toward other existing solutions. There is also an open source solution that I really like, Eramba. It could be an interesting alternative for many SMEs with an interest in their IT GRC. I exchanged a few emails with the founder and I would prefer to work with them in the future.

Why a future comeback? I am already working on something else, but I don’t want to say too much about it yet. It will be an application that is not in a niche market, since there are many other applications like it. However, I am still not satisfied with the current offerings. This time, it will be a SaaS solution and I will probably reuse the domain name

Kantoku: Project Shutdown and Possible Comeback

Jean-Philippe Rivard Lauzier

This post was published when this blog was also in French. This post is available in English.

Kantoku was a self-hosted application for companies to easily manage their IT governance, risk management and compliance (GRC). As mentioned in a previous post, I developed this application during the first months of 2016. At the beginning of the project, it was a Software-as-a-Service (SaaS) solution with a high-availability infrastructure on AWS. However, I had quickly decided to take down the infrastructure behind the SaaS solution, mainly a question of priorities among my projects. To keep the project alive, one alternative was to keep offering Kantoku, but as a self-hosted application. In that case, companies could buy a licence and install the application on their own servers.

Project Shutdown

I mainly developed this application to help small and medium enterprises (SMEs) manage their IT GRC more efficiently. Even SMEs have compliance requirements to meet. My strategy was to target a very specific market in order to offer an alternative to the other solutions aimed at large enterprises: an application that is simpler and more affordable for everyone. It was also an interesting complement to my consulting services. However, I forgot to consider the following two situations:

Small and Medium Enterprises

SMEs are already fortunate if they have someone in-house who is aware of the main IT GRC concepts. They may have a consultant who takes care of putting the GRC elements in place. That is probably more cost-effective for these companies than having a full-time employee. Their GRC needs are therefore often not complex enough to justify implementing a dedicated application. They prefer to work with several documents and not waste too much time learning a new application. SMEs do not necessarily see the benefits of monitoring their GRC, and I can understand that very well. They have to concentrate on the main needs of their organizations, where it will be possible to generate new revenue.

I also have to admit that selling is not necessarily one of my strengths. I really need to be convinced that my product and/or service will be beneficial for the client. Otherwise, I don’t want to sell just anything to my clients, and that was unfortunately not the case with Kantoku. Most enterprises mainly need consulting services on their GRC strategies. Obviously, I see an advantage for them in having an external consultant to guide them through this world, not an application that they will barely know how to use. If I have to insist too much in my explanations of a solution’s features, maybe it is not the right solution for the client.

Large Organizations

Large organizations often have the budget to acquire a well-known solution with all the advanced functionalities, such as RSA Archer, Resolver, MetricStream, Reciprocity, etc. It is really hard to compete with solutions that cost more than just a few thousand. Furthermore, these organizations will not tell the difference between solutions. They look for the same features, whatever the solution, and that is understandable.

Possible Comeback

As mentioned previously, even though I am really proud of this IT GRC application, Kantoku will no longer be offered. Another reason is that my projects related to my professional life all revolve around IT GRC, and I simply need a project in a different field to diversify a little. It is also important for me to remain independent when it is time to offer my consulting services. I cannot offer a solution and be impartial toward the other existing solutions. There is also a very interesting open source alternative, Eramba. It could definitely be an alternative for many SMEs with an interest in their IT GRC. I had the opportunity to exchange a few emails with the founder, and I would prefer to collaborate with them in the future.

Why a possible comeback? I am already working on another project, but I don’t want to say too much about it for now. It will not be an application in a specific niche market, simply because there are already several other similar applications. However, I am still not satisfied with the existing solutions. This time, it will be a SaaS solution and I will probably reuse the domain name “”.

Past 3 years, and a new beginning

Jean-Philippe Rivard Lauzier

It has been a little more than 3 years since I graduated with my bachelor’s degree. I must admit, it has not always been simple to figure out what I wanted to do. It could have been easier, but overall, I now understand why those different experiences were necessary for me.


In 2014, I got my first full-time job related to my bachelor’s degree, and it took me almost a year after graduation to finally receive an offer. It was not an offer from the smallest organization, but from one of the largest professional services firms. I will always be grateful to Deloitte for giving me an opportunity. However, after a year there, in 2015, I was kind of lost, and I left. I must say that I had worked mostly as an independent consultant from 2003 to 2014. Working for a firm was a huge change, and I was definitely not ready for that commitment as a recent graduate. I was also not sure about the kind of work I wanted to do.

During that year working for the firm, I was always asking myself so many questions. What would it have been like to do something else? I was not sure about the path I wanted to take. More technical or more business? I was not even sure if I wanted to pursue my own projects. Before that, I have to say, I was doing mostly technical mandates related to web development and infrastructure maintenance.


After Deloitte, I had the possibility to work with a startup, Nukern, developing a SaaS application related to hosting automation and billing. I was only there for maybe 8 months, but it was a great experience. I also had to manage a small team for the first time. Again, I was probably not in the right place at the right time. I was honestly probably not ready to invest that much time in a startup of which I was not a co-founder.


More recently, I developed Kantoku, an IT GRC application that allows organizations to manage their assets, risks, controls, documents, compliance requirements and audits. I am really proud of this application, and it was also the beginning of my own company. Throughout the years, I did so many projects on the web. However, Kantoku is really different in that it is directly related to my professional field. Nonetheless, I am not quite ready to work full-time on Kantoku. More about that in a future post. I also did a few consulting mandates during that time.


Anyhow, I was looking to go back to full-time employment after finishing Kantoku’s development. I am really proud to say that I got an amazing offer from PwC as a senior associate for their Montreal office. I am definitely looking forward to this new opportunity, and I consider myself lucky to have that second chance at a Big 4 firm.

With this post, I wanted to point out that it is not always straightforward after university. I had a well-defined plan in my head during my bachelor’s degree, but it did not work out exactly as I was expecting. But I am sure that it was for the best, and I would probably make the same choices. Now, time for a new beginning.