The Cyberpsychology Journey: Dr. Curtis’s Disruptive Impact on IT Auditing, GRC, Cybersecurity, and Beyond

Dr. Blake Curtis’s Background and Expertise

Dr. Blake Curtis’s trailblazing journey in cybersecurity encompasses multifaceted domains, including auditing, governance, risk, compliance (GRC), and privacy. His previous technical experience in systems and networking engineering and various cybersecurity roles give him a unique skill set and insight. This expertise led to the creation of multi-million-dollar cybersecurity, audit, and risk programs and strategies for renowned entities such as Deloitte, Cigna, and Vanderbilt University.

His insights extend into academia, where he shines as a research scientist and licensed skills consultant. However, he is better known as the scientist who conducted the groundbreaking study, The Next Generation Cybersecurity Auditor.  

This study discovered a significant knowledge gap between IT auditors’ theoretical knowledge and their practical skills in firms like Deloitte, PwC, KPMG, and EY.

The study revealed that while IT auditors exhibited adequate theoretical knowledge in areas like Segregation of Duties (SoD), least privilege, and Role-Based Access Control (RBAC), they faced significant challenges in applying this knowledge practically to modern technologies in cloud computing, operating systems, firewalls, containerization, networking, and more. This shortfall in hands-on skills and procedural knowledge influences data breach likelihood. This study and future research will be critical in understanding the role IT auditors’ competency plays in relation to notable breaches like the 2017 Equifax Breach.

Towards Uncharted Horizons

Dr. Blake Curtis’s accomplishments reverberate through education, industry transformation, and workforce development. His completion of a master’s degree in 10 weeks and his instrumental role in aiding over 150 students to expedite their degrees speaks volumes of his dedication and mentoring capabilities (See related article).

He shattered the foundation for Malcolm Gladwell’s 10,000-hour rule with empirical evidence and statistical support, advocating for objective hiring and promotion practices (See original study). His groundbreaking Modern Equity Experience Model (MEEM) concept does not solely rely on using years of experience to measure knowledge and skills objectively. Instead, he champions task-based experience and promotes skills-based hiring over time-based experience (e.g., years of experience). In addition, he has other notable achievements:

  • Co-author of ISACA’s Cybersecurity Auditor Study Guide/Certificate, which aligns the industry with the National Initiative for Cybersecurity Education (NICE) and Skills Framework for Information Age (SFIA) objective skill frameworks.
  • Co-author and technical editor for ISACA’s Digital Trust Ecosystem Framework, prioritizing task-based experience over time-based experience to ensure the appropriate professionals are hired to protect digital investments. 
  • Awarded the Executive Leadership Credential by the National Society of Leadership & Success for completing the Better World Project. 
  • Awarded the role of Global Governance COBIT Topic Leader at ISACA.
  • Offers innovative insights as a member of ISACA’s Emerging Technology Advisory Board.
  • Recipient of Western Governor University’s 2021 Distinguished Alumni Award.
  • Received the Vanderbilt University Information Technology 2018 Pacesetter Award.
  • Architected Deloitte’s Secure System Development Lifecycle (SSDLC) 2.0 Framework and Program.

“My journey is far from over.”

He’s now working on a second doctorate in Cyberpsychology, which marks a new trajectory, pivoting toward Business Consulting Psychology, workforce development, and establishing objective metrics for measuring technical competence. Dr. Blake Curtis’s visionary leadership and transformative contributions continue to reshape the cybersecurity and GRC landscape, infusing innovation, resilience, and a relentless pursuit of excellence.

Leading The Way in Cybersecurity Auditing and GRC

Dr. Blake Curtis’s extensive research in the Next Generation Cybersecurity Auditor study shed light on the gaps and challenges in the IT auditing and cybersecurity professions. His studies have provided valuable insights into the need for standardization, competency-based training, and the importance of task-based performance assessments for professionals in these fields. With his continued dedication to pushing boundaries and driving positive change, Dr. Curtis’s impact on the industry is set to reach new heights.

Bridging the Gap Between Theoretical Science and Practical Experience

With a successful career in GRC and cybersecurity, Dr. Blake Curtis brings practical industry knowledge to his research and contributions via his hands-on experience in auditing, assessing technical risks, and recommending safeguards, which adds credibility to his research findings and recommendations. Dr. Curtis’s commitment to volunteering in professional organizations, such as ISACA, SFIA, DVMS Institute, and (ISC)², showcases his dedication to advancing the cybersecurity and IT auditing professions. Through his involvement, he actively develops standards, promotes best practices, and mentors future professionals.

Charting the Future: Dr. Blake Curtis’s Influence on Cybersecurity Training and Education

Dr. Blake Curtis plays a pivotal role in shaping the future of cybersecurity training and education by authoring several books and articles, leading global governance discussions, and sitting on advisory boards. His contributions and reputation enable him to influence policies, strategies, and initiatives addressing the evolving cybersecurity challenges. 

Dr. Curtis’s systems thinking approach, scientific research, career experience, and board involvement position him as a critical influencer and advocate for advancing and standardizing cybersecurity, GRC, and IT auditing practices. His efforts contribute to creating a more competent cybersecurity workforce capable of addressing the complex challenges of the digital age.

Learning More About Dr. Blake Curtis’s Scientific Contributions in Cybersecurity, GRC, and IT Audit

Dr. Blake Curtis’s research found that obtaining higher academic degrees, such as bachelor’s, master’s, and doctoral degrees, did not have a significant influence on the overall performance of IT auditors and subject matter experts’ (SMEs) task-based experience (demonstrable skills) (See original study). The study examined the relationship between obtaining higher academic degrees and the participants’ declarative and procedural knowledge scores. While some IT auditors and cybersecurity professionals with higher academic degrees achieved higher performance levels, the differences were not significant enough to establish a clear correlation between higher academic degree levels and improved task-based proficiency.

However, there was a standout finding in Dr. Curtis’s research. Combining implementing and auditing skills from a systems thinking perspective was strongly associated with the top performers. This insight reveals new possibilities for the profession, encouraging aspiring experts to embrace a multidisciplinary approach toward skill acquisition by obtaining a comprehensive understanding of their domain from both an implementation and auditing viewpoint.

Most IT Certifications Did Not Directly Influence (Hands-On) Skills

As a byproduct of this research, Dr. Blake Curtis discovered that prominent certifications like the CISSP and CISA did not significantly influence technical proficiency. In fact, like the Dunning-Kruger effect, research participants who held these certifications were overconfident in their ability to interpret technical evidence; conversely, they were either average or novice performers. He stressed that overreliance on multiple-choice questions instead of using fictitious scenarios and task-based assessments would continue to paint a false impression of technical competency and trust in one’s knowledge, skills, and abilities (KSAs).

Despite these findings, there is a silver lining that points us toward positive change. Dr. Blake Curtis’s research opens the door to reevaluating how we assess technical proficiency and certifications. By incorporating scenario and task-based assessments, we can better identify true expertise and nurture the growth of professionals with the practical skills necessary to excel in cybersecurity auditing and information technology.

Working in an Unregulated Industry & Defining Knowledge, Skills, and Abilities

Dr. Blake Curtis points out that the cybersecurity field is actually unregulated and, unfortunately, less mature than other professions, such as accounting and healthcare (See related article). One reason is that it lacks federal and state boards that define competency and ethical behavior standards. 

Unlike traditional professions with licensure requirements and regulatory bodies, the cybersecurity industry largely relies on proprietary certifications, standards, benchmarks, and guidelines developed by various organizations and vendors.

Dr. Blake Curtis could not help but find this situation quite ironic. “It is interesting,” he remarked, “that professionals like barbers, cosmetologists, and building inspectors need licenses before practicing their crafts, ensuring people’s appearances and buildings are up to standard. Yet, in the world of IT and cybersecurity, where we handle critical infrastructure and protect sensitive data, there’s no such requirement for licensure.”

He believes that this lack of standardization and regulation is one of the significant variables that hinder the establishment of a common body of knowledge, consistent workforce training, and professional development. As a result, the cybersecurity profession faces challenges in objectively assessing and ensuring the competency of its practitioners, leading to gaps in the knowledge and skills needed to address the evolving threats in the information age.

The Technology Field Struggles to Define and Distinguish Knowledge, Skills, and Abilities (KSAs)

Dr. Blake Curtis states that IT, cyber, and GRC industries are still relatively young compared to mature regulated industries. Therefore, there are numerous misconceptions about defining and quantifying knowledge, skills, and abilities (KSAs) and truly understanding their differences. Broadly speaking, he states that there are three holistic levels of competency or proficiency: declarative knowledge, procedural knowledge, and automaticity. Declarative knowledge refers to knowing “what” something is, such as facts and information (book/theoretical knowledge). Procedural knowledge involves knowing “how” to do something, like the steps required to perform a task (demonstrable skills).

Automaticity is the ability to perform a skill effortlessly and reflexively without conscious effort (mature habits). For example, knowing the capital of a country is declarative knowledge while riding a bike is procedural knowledge, and typing without looking at the keyboard is a form of automaticity.

IT Certifications Primarily Test Declarative Knowledge

According to the research conducted by Dr. Blake Curtis, more than 85% of IT certifications use declarative knowledge practices (See original study). These certifications primarily assess candidates’ knowledge through multiple-choice questions, which test their theoretical understanding of concepts, definitions, and principles. 

Unfortunately, many of these certifications do not comprehensively evaluate candidates’ practical skills and abilities to implement and apply their knowledge in real-world scenarios. However, Dr. Blake Curtis states that IT certifications are necessary in these fields due to the lack of standardization for education and experience.

Fortunately, his study discovered that IT auditors and cybersecurity professionals possess adequate levels of declarative knowledge. Notably, there are some IT certifications created by Offensive Security, Microsoft, and other vendors that introduce procedural knowledge practices or task-based experience into their training programs.

Task-Based Experience and Skill Frameworks: Years of Experience vs. Years of Exposure 

Years of exposure, often mistaken for experience, indicates the total time an individual has been exposed to a particular field, including both active and passive exposure, such as being present in a work setting, even if not actively participating in relevant tasks. Dr. Curtis states that this is what we have been calling years of experience for decades.

Conversely, Dr. Blake Curtis distinguishes this from actual years of experience, which involve years of demonstrable task-based experience, actively performing tasks at a certain proficiency level, receiving constant feedback regarding task performance, and accumulating additional knowledge and exposure to refine those skills over time in a measurable manner.

Unfortunately, most fields, such as cybersecurity, GRC, and IT audit, do not use an objective skill framework to measure experience in this way, like the NICE or SFIA frameworks.

The Echo Chamber and Saturation Effect: Dr. Blake Curtis’s Push for Disciplined Thinking

Dr. Blake Curtis highlights how the echo chamber and saturation effect have resulted in a society where individuals are commonly exposed to information that reinforces their existing beliefs, making them less likely to consider alternate viewpoints or leading to the exclusion of diverse perspectives. The saturation effect, on the other hand, occurs when a message is repeated so frequently that it starts to appear authentic simply due to its prevalence, regardless of its factual accuracy. In response, like most fields, cybersecurity, GRC, and IT audit rely heavily on time-based experience (years of exposure) to indicate success, wisdom, and expertise. 

Unfortunately, there is not much evidence to support how increased years of experience significantly influence performance. But why?

We’ve always used it, so it must be accurate, right? Unfortunately, no. Through his quantitative correlational research, Dr. Curtis illuminated the assumptions and limitations of using the years of experience rule as a reliable measure of expertise and proficiency. In fact, using years of experience is too broad to objectively measure skill development because it doesn’t consider the actual hours worked in a year. In response, he assessed the relationship between obtaining additional years of experience (in work hours) and its influence on improving task-based performance in the IT audit and cybersecurity professions.

Interestingly, as the number of years (broken down into work hours) increased, it had minimal influence on the research participants’ overall performance.

He states that we all tend to unconsciously assume that additional “years of exposure” (commonly confused with years of experience) or time spent on earth automatically translates to expertise or knowledge in a particular field.

Years of Experience vs. Hours Worked: The True Measure of Expertise

Through a mathematical exercise, he debunks the conventional notion of ‘years of experience’ as an accurate measure of actual expertise or experience. Dr. Blake Curtis adds, “The exercise involves calculating the average number of work hours you acquire in a year (e.g., five days a week, times 8 hours a day, times 52 weeks out of the year = 2,080 hours). Next, you will multiply this number by your years of experience (e.g., 2,080 hours times five years = 10,400 hours).

Lastly, you will divide this number by the number of hours that make up a true year of experience to determine the actual amount of experience you have obtained in working hours (e.g., 10,400 hours ÷ 8,760 hours = 1.18 years). This exercise showed that the number of years of experience claimed by an individual may be significantly inflated when translated into their actual work hours.”

Through data collected during his research, Dr. Blake Curtis confirmed that the average professional spends approximately three to four hours out of their eight-hour workday actually working on the tasks specified in their job description (See related video). 

The remaining time is often occupied by planning activities or distractions, such as meetings, emails, and instant messages. More interestingly, given that a year consists of 8,760 hours, most professionals only average 1,800 to 2,080 hours, which is not equivalent to a quarter of a year. To put that in perspective, it would take the average person four to five years to obtain one quantifiable year of experience when you calculate it into work hours.

Therefore, using “years of experience” as the sole criterion for evaluating proficiency or competence is not scientifically valid and will result in hiring individuals who may have a great deal of exposure but may not have high levels of task proficiency or demonstrable skills. Instead, Dr. Blake Curtis emphasizes the importance of focusing on task-based experience and adopting performance-based interviews and competency-based hiring assessments to evaluate candidates’ abilities and knowledge objectively.

Standardization for Equity: Aligning Job Descriptions, Hiring, and Promotions

Dr. Blake Curtis’s study exposes the divergence between theoretical knowledge and practical skill, underscoring the need for standardized job descriptions, hiring practices, and promotion processes. Additionally, it emphasized the importance of adopting objective skill frameworks like NICE and SFIA to evaluate IT auditors’ and cybersecurity professionals’ performance. Ultimately, his research has contributed valuable insights to the field and serves as a catalyst for advancing the cybersecurity profession with data-driven approaches.

Debunking the 10,000-hour rule

Dr. Blake Curtis dispels the famed 10,000-hour rule, originated by Malcolm Gladwell in ‘Outliers,’ which suggests it takes 10,000 hours of practice to achieve mastery in any field.

However, Dr. Curtis argued that this oversimplified interpretation disregards critical factors contributing to expertise and task-based performance, like:

Deliberate practice: The nature of deliberate practice, as originally researched by Anders Ericsson, emphasizes goal-directed tasks, feedback, and increasingly complex activities.

Task-based experience: As pioneered by Blake Curtis, this considers the number of times a task is performed, the hours spent performing the task at work, and the quality or output of the task.

Theory vs Practice: The distinction between declarative knowledge (theory) and procedural knowledge (practice) and how both are essential in achieving true expertise.

The Unconfirmed 10,000-Hour Rule: Lack of Verification from Original Researchers

Interestingly, Dr. Curtis didn’t need statistics to prove his point. He further unravels the 10,000-hour rule’s origin, tracing it back to Anders Ericsson, the authority on expertise, revealing Gladwell’s misinterpretations of Ericsson’s original study (See original study). Ericsson stated that Gladwell’s interpretation and generalizations were never confirmed by the original researchers in his book Peak: The New Science of Expertise, an article called Training History, Deliberate Practice and Elite Sports Performance, and on a podcast called Finding Mastery, Episode 45: The Science of Expertise.

Dr. Blake Curtis’s work highlights the need for a paradigm shift in how we measure and evaluate expertise, urging the adoption of objective performance measures and task-based assessments for a more accurate understanding of true mastery in any field.

Challenges and Triumphs

Dr. Blake Curtis encountered formidable challenges in his ascent through cybersecurity, GRC, IT audit, and academia. As an African American, he had to overcome various stereotypes and biases associated with his ethnicity, which sometimes led to being underestimated or not taken seriously in professional settings. Driven by tenacity, he confronted such biases head-on. He coined the term ‘Title Bias’ in an article he drafted for ISACA, which delved into the issue of bias based on job titles and its impact on professionals’ self-efficacy, career growth, confidence, and independence (See article here). 

He argued that treating someone differently based on their role or title is no different than discriminating against someone based on their race, age, religion, or sexual orientation. The publication offered practical solutions and strategies for organizations to combat Title Bias effectively.

The Need to Go Above and Beyond

He elevated himself as a young industry leader. Architecting numerous cybersecurity and compliance programs, leading groundbreaking research, and obtaining numerous accolades were pivotal in establishing himself as a trusted authority in the field. Dr. Blake Curtis states that as an African American, there is an age-old saying that most young black women and men were taught early on:

“You are going to have to do twice as much to get half as much.”

Climbing the ranks in the cybersecurity industry as a black man and challenging the status quo required breaking through glass ceilings and advocating for diversity, equity, and inclusion. Most importantly, Dr. Curtis’s pursuit of equitable hiring practices and use of standardized skill frameworks help address systemic biases and barriers underlying phrases like “years of experience.”

However, achieving all of this was far from effortless. Pursuing advanced degrees while managing a demanding career in cybersecurity required exceptional time management and dedication. Dr. Blake Curtis had to juggle the responsibilities of academia and work, often putting in long hours and working numerous jobs to excel in both domains simultaneously. Like any professional’s journey, Dr. Curtis faced rejections and setbacks.

“From stepping down from leadership roles to prioritize his family and education to overcoming life-threatening health challenges, each experience fueled his growth-oriented outlook and forged his path to success.”

The Secret Behind Dr. Curtis’s Success

Dr. Blake Curtis attributes his success to a combination of factors, including his pursuit of expertise in cyberpsychology and related fields, his dedication to continuous learning and deliberate practice, his ability to process and retain information using memory techniques, and his stoic approach to emotional regulation and self-governance. 

Additionally, he emphasizes the importance of setting clear goals, maintaining a strong work ethic, and being open to mentorship and guidance from others.

Dr. Curtis practices Stoicism as a philosophy of life, particularly for emotional regulation and self-governance. Stoic principles enable him to retain composure amidst challenges, make rational decisions, and generate value for his loved ones, friends, and those who are less fortunate. Before reacting to any situation, he invokes the Stoic concept of “Memento Mori” (Remember Death) to pause and consider the impact of his words and actions on others, fostering more compassionate and understanding interactions. 

Stoicism helps him focus on his goals, prioritize his education and personal growth, and ultimately shape his approach to leadership and mentorship in the industry.

Interestingly, Dr. Blake Curtis developed a custom Life Operating System, Exigence, using the productivity tool Notion, to which he attributes much of his success. His disciplined approach mirrors a CEO managing a business, featuring a mission statement, strategic goals, various projects, action items, and a comprehensive set of daily practices. 

These practices encompass cognitive exercises like memory techniques, communication science, and foreign language training in the morning. Additionally, he engages in activities like strength training, scientific research, and studying for IT certifications in the evening. Regular progress tracking and frequent reviews ensure he stays on track toward his yearly objectives.

Discovering the Man Behind the Science

In 2010, Dr. Blake Curtis faced a life-altering event when he was diagnosed with a muscular dystrophy disorder.

Within three weeks, he went from being a strong, active individual to fighting for every breath in the ICU. It was a terrifying experience that made him realize the fragility and transience of his life.

But the most profound lesson came not from the fear of dying but from the fear of leaving this world without making a meaningful impact. He made a vow to himself that if he survived, he would live every day with intention and purpose, cherishing every moment and leaving a positive mark on the lives of others.

This transformative experience propelled him on a journey of growth and achievement. He’s had the privilege of supporting over 150 students in completing their master’s degrees. With a burning desire to share knowledge and inspire change, he began publishing content to uplift and motivate others. Along the way, he recognized the importance of breaking barriers and fostering inclusivity, especially for minorities and women.

His life-changing encounter taught him that time is a precious gift and we should embrace every opportunity to make a difference. Each step he takes is a testament to the power of purposeful living, and he’s devoted to empowering others to do the same.
