An Open Letter to Human Resources Teams

March 28th, 2017 1 comment

Every few years, it seems, the information security community has a renewed interest in, and debate over, the value of certifications, degrees, experience, etc. in helping information security professionals land jobs. Along with this renewed interest comes a spate of blog posts and articles that aim to help those new to the industry advance, and advice for varying levels of professionals who want to move up, move on, and so on. Unfortunately, we’re still talking to one another (security folks talking to other security folks). Nothing wrong with that, but I want to direct this post to human resources teams. I hope that’s you, and I hope you take my words to heart. If you’d like to read some other posts that I find useful and relevant, I’ve linked them at the bottom of this one, as well.

First, please learn to differentiate between technical security positions and compliance/risk/governance positions. While that sounds like a banal statement, I really think many HR teams don’t understand the difference intrinsically, and it’s a critical one. GRC professionals need a different background and skill set than technical ones, although there is certainly some overlap. When hiring people for GRC positions (risk analyst, compliance analyst, etc.) look for the following:

  • Backgrounds in IT audit, risk assessment, and IT governance
  • Knowledge of, and experience with, any relevant compliance mandates and regulations
  • Skills with GRC tools like RSA Archer or…spreadsheets
  • IT certifications like the ISACA CISA/CISM or the CISSP (it’s relevant here, more in a moment)

For technical positions, well…things are a little different. And here’s the fact of the matter today (and critical point #2): THERE ARE NO CERTIFICATIONS THAT PROVE A TECHNICAL SECURITY PROFESSIONAL CAN DO THE JOB. ALMOST. Lest you think me wishy-washy, let me explain. Much has been said about certain certifications in the realm of information security. As someone who teaches regularly for SANS (, and helps numerous students attain the GIAC certifications that go along with SANS courses (, I see both sides of the certification argument. Most do not do anything to really prove technical proficiency, to be fair. Do they show a bit of motivation? Sure. Maybe some knowledge. But the GIAC exams are open book. You can look up the answers during the test. It’s a lot of material, and so it’s not necessarily easy, but these are exams that show some knowledge and motivation, and not a lot more. The CISSP is even worse, in many ways. It’s held up as the “gold standard” in the industry, but does NOTHING to indicate that a technical security professional knows how to do the job. So here’s my request:


Instead, make certifications “nice to have” considerations – if you are going into forensics, a GCFA ( or GCFE ( is great. However, I’d value experience performing investigations, using tools like EnCase and open-source tools like the Coroner’s Toolkit, etc much more. Same goes for event management and network intrusion analysis (the GCIA is great, There are only a handful of hands-on security certifications – in the GIAC spectrum, only the vaunted GIAC Security Expert (GSE) requires hands-on practical time. If you really want to require a cert, there are a few that may make sense, whether a hybrid like the Cisco CCIE, or the CREST certification for pen testers, but honestly? Most don’t really show off someone’s true capabilities.

So what should you look for with technical security professionals?

  • Experience. Direct, hands-on experience. Look for specific tools, specific techniques, etc. Lean heavily on your technical security team to supply the input to this.
  • If this is a junior position, maybe a college degree in computer science or information systems, but most degree programs are woefully inadequate in preparing kids for real work in this field, sadly. Information assurance degrees are barely better. So don’t use this as your true measuring stick, trust my 20 years of experience in this field, seriously.
  • MAYBE a certification as a differentiator or proof of motivation, but that is it. Don’t require this – it’s a trap, and a silly one. The CISSP, especially – it is a great general base of knowledge, but has ZERO bearing on true skills.
  • More than anything else, challenge your information security team/department to require a TECHNICAL INTERVIEW. As in, hands on keyboard. Do not trust someone’s resume, or great interviewing skills, alone. Make them DO something. This really shouldn’t be a stretch – but for many, it sadly is. Require candidates to actually demonstrate technical proficiency before hiring them. Crazy, I know.

I know hiring talented information security professionals is hard. There’s not enough of us, and it’s getting harder than ever to really find talent. This post may not make your job any easier. But trust me – the certification market is a bit of a racket, and it’s not providing nearly the value you may think it is. For GRC positions, the base of knowledge provided by the CISA, CISM, or CISSP is a good thing to have, and might prove valuable if contrasting one candidate to another. But with technical people, these are largely meaningless. Many of the best security professionals I know have none of them, and do not care about acquiring them. If you are hiring for a senior position (15+ years of experience), don’t even BOTHER with certifications – they are 100% useless and meaningless. Seriously.

Please know, this is not an anti-certification message. They have value. I like seeing people get them, and they should get them if they are so inclined. If you have two TOTALLY EQUAL CANDIDATES, and one has the certs and one does not, the cert may indicate a wider breadth of knowledge or more motivation to learn and improve, if nothing else. But don’t assume this, please.

Additional posts that are useful:

  1. My friend Robin Sundaram, a well-known CISO, just posted an article talking about the usefulness of certs: “Security Certifications are Useless, Right?
  2. My other friend, Daniel Miessler, has written quite a bit on the topic: “How to Build a Successful Information Security Career
  3. Another post from Daniel: “Information Security Interview Questions

Hopefully, you found some of this useful. Good night, and good luck.

Categories: Information Security, Musings Tags:

MITM-as-a-Service: The Threat Surface We Didn’t Know We Had

February 26th, 2017 Comments off

This past week, as most security professionals know by now, a severe bug was discovered in the Cloudflare content delivery network’s service by noted researcher Tavis Ormandy. Organizations should pay attention when Tavis reaches out, just like they should when Brian Krebs reaches out – there’s a damn good reason, and it’s probably important. I’d like to publicly commend the team at Cloudflare for handling this as well as anyone could in that situation. They took him seriously, responded quickly, and worked their butts off to get the problem handled. From everything I’ve seen, a model vendor response to a serious issue. If you’re just learning about this, here are some links to get the background:

Project Zero page describing the bug

Cloudflare blog post

Troy Hunt’s EXCELLENT writeup on this

Rather than just be another blog talking about this issue (I think it’s been covered well enough elsewhere), I’d rather focus on the bigger picture for a minute. As someone who works with many organizations on their virtualization and cloud architecture, strategy, and more, I believe this incident is one we should really take to heart for a few reasons.

The nature of security architecture has been changing for a few years now. CDN services like Akamai and Cloudflare are almost mandatory for many organizations who need security and availability controls applied to their internet traffic. The Cloud Access Security Broker (CASB) market is also growing rapidly, and processes organizations’ cloud data.

The entire nature of trust is changing with these trends. We’re relying on SSAE 16 SOC 2 reports and other *extremely* superfluous documentation offered by the service providers to guarantee that security best practices are being followed. What we really don’t know, however, is the TRUE nature of the software and architecture in place within these environments, because the providers never offer this. Ever.

We’re exposed using these services, of course. I’m as bullish on cloud as anyone. But we are not really modeling our threat surface around these services, and occasionally things will go dramatically wrong. I believe this is an opportunity for those in the bug bounty industry to shine – where we have the least visibility, and the most trust assumed. Not to knock Cloudflare, but Tavis called out their bug bounty – a T-shirt. That’s not a bug bounty, that’s just a token to say you have a bounty program. If you want the best hackers to REALLY find your issues for you, ethically and professionally, you need to step up. More than that, WE (the community using cloud providers and the brokering services that transit our data to and fro) need the best hackers in the world looking at these technologies with a much more scrutinizing eye than a CPA firm with a checklist.

I think this will hit a tipping point sooner rather than later, sadly. Cloudflare handled the problem admirably, and we really don’t know how exposed people’s data was (although everyone and their mothers are speculating wildly, of course, this being the infosec community). That may not be the case forever – sooner or later, someone is going to turn one of these CASBs or CDNs into the world’s biggest Man-in-the-Middle tool, and things are really going to get ugly.

The More Infosec Changes, the More it Stays the Same

February 14th, 2017 Comments off

I took a full year off from blogging. It felt wonderful. Time to get back to being my ranty self, though, so I’m kicking off 2017 in style, at RSA in San Francisco.

This will be a short post.

It’s amazing to me, that in all this time in the industry, we have the exact same scenarios (in albeit different ways) that we did 10 years ago.

Passwords everywhere, just killing us.

Massively insecure software development from vendors – now it’s the IoT, of course, but just terrible practices.

Vendors making insane claims that are just laughable.

Companies not fixing the most basic of security issues. Consistently.

There’s so much to talk about, and yet nothing to talk about…we’re really saying the same things we’ve been saying for many years. The bigger question is WHY things are the same. It’s easy to be cynical, and laugh it off with peers in the industry. But this is turning into a real mess, and quickly. Something’s got to give.

I’ll be writing weekly from here on out. Turns out, I’ve missed it.

If you’re at RSA this week, say hi!

Categories: Information Security, Musings Tags:

Hacking the 0-day Supply Chain

February 9th, 2016 Comments off

0dayI’ve been thinking about security and the supply chain a lot lately, likely for obvious reasons to anyone in the information security industry. It’s a perennial weak link, and often we’ve done the barest of due diligence in ensuring our partners, suppliers, and even customers have properly secured systems and applications that could lead to attacks against our own infrastructure.

There are lots of types of supply chains, though, and one I’ve been mulling over recently is the entire bug hunting/bug bounty industry. If I were an attacker or group with significant skill and resources, I’d focus on the bug bounty supply chain – why bother finding bugs when I could just steal them from Charlie Miller or Tavis Ormandy? I’m not calling either of these gentlemen out for any reason, obviously, other than their fame at finding and demonstrating flaws.

What about the rest of this supply chain? Companies like HackerOne and bugcrowd have access to many talented researchers, although I’m guessing they don’t store exploits (at least not for long). Even then, the wealth of data about bugs, researchers, and more would be well worth the effort for any sophisticated adversaries.

Finally, targeting the security teams that handle bug submissions at vendors would be another excellent choice for any adversary. These folks have to validate bug submissions, often with POC code, and they would certainly make great targets for attackers looking to shortcut the process of discovering flaws.

What responsibilities do researchers have to keep this information safe? Obviously they want to protect their own stuff, and any brokering firm would do the same, but as the Hacking Team debacle showed us, someone is more than willing to steal your exploits and put them to good use.

You know what I think would be a great talk at a conference? Not another “I found a bug” talk. I think people would be interested in how researchers defend themselves, given that they’re prime targets today. I’m sure these folks get attacked regularly, and hearing about how they protect their research would be fascinating.

Categories: Information Security, Musings Tags:

Do CISOs Dream of Electric Boardrooms?

December 31st, 2015 1 comment

This, believe it or not, is a “year end” post above all, with food for thought going into 2016. So here goes.

CISOs are an in-demand bunch. Well, that’s what the media tells us, anyway. Here are some examples of articles that suggest that CISOs are highly sought after:

In High Demand, CISOs Need Boardroom Skills to Succeed

Cyber Security Attacks Spike Demand for CISO Talent

As Cybersecurity Concerns Grow, So Does Demand for Healthcare CISOs

The Rise in the Demand for CISOs

And so on and so on. I think this is reasonable – many organizations are feeling pressured to put someone in charge of information security, and charting and leading a strategy in this area is obviously important to the long-term stability of our increasingly-connected business endeavors. However, I think the security community itself is a bit deluded in terms of where the CISO role will ultimately sit within the organization, and how it’ll be perceived. How many conference tracks and talks have you seen that discuss how CISOs can “get a seat at the business table”? Are we not taken seriously!? Are we undervalued?!! Based on my experience, I don’t actually think so. What I DO think is that we may have unrealistic expectations about the level CISOs should attain in the corporate hierarchy.

To get straight to the point – I don’t believe most companies will EVER elevate CISOs to actual C-level positions. I did a bit of research to see whether any of the world’s largest companies publicly listed their CISOs on the site. The short answer (for the top 10 companies listed on Wikipedia’s biggest company by revenue) is no. Nope. Not a one. Here are direct links to the top 5, just in case you feel like checking:






It seems like that “C” in the title is really an indication of being the head of the security function, but this security function is not valued at the same level as that of the financial, legal, operations, and overall technology areas within the organization (among others). The great news? That’s actually fine. It’s time to craft a more realistic and effective view of this advisory and support role, and put the ego to the side. Malcolm Gladwell’s book “The Tipping Point” has a lot of wisdom we can draw from.

First, Gladwell defines something called “The Law of the Few”. What he’s arguing is that 20% of the people in any given field or industry actually get the job done and advance causes, while the others tend to follow. These “few” fall into three major categories:

  • Connectors: They know and connect people to accomplish goals
  • Mavens: They are helpful and solve their own and others’ problems
  • Salesmen: They persuade and negotiate with charisma

As a security professional, I think knowing where you naturally fall is key to the success of both the security program at your organization, as well as your own continued career trajectory. Gladwell also defines the “Stickiness Factor” in the same book. This is the quality that compels people to pay close, sustained attention to a product, concept, or idea. Stickiness is hard to define, and its presence or absence often depends heavily on context. Often, the way that the Stickiness Factor is generated is unconventional, unexpected, and contrary to received wisdom. So again, another question: how will you get your point across, and make it “sticky”? In my last post, I argued that the “sky is falling” breach argument is weak. Given this, what will you do to make your impact?

The final Gladwell concept in the Tipping Point that I’ll drag out here is the idea of “the power of context”.

Context means the following:

If the environment or historical moment in which a trend is introduced is not right, it is not as likely that the tipping point will be attained.

Is the context right for business leaders right now?

I think this should be a major goal for many of us in 2016. Whether you’re a CISO, an aspiring CISO, or just an in-the-trenches security person, you need to decide what your best means of influence might be, how to make your message impactful, and whether the time is right to be a bit more dramatic in your approach. Should you use “shock and awe” with pen test or red team results? Or try using back room politics? Both?

I think security has a bit of an identity crisis. We’re told we’re incredibly important by the media, but that doesn’t always get reflected in job titles and “clout” in our organizations. We get paid well (w00t!) but still often feel as though we could get a little more respect. In a bank, you can be a junior admin and still be the VP of something-or-another. In most other industries, though, you MIGHT be called a CSO or CISO, but the reality is that many are not real top-level execs. Does it matter? Maybe not. If you can influence, that’s the goal, regardless. We have a lot of work to do…so let’s figure out how best to get it done, titles and prestige aside. Here’s to an awesome, and more secure, 2016!

Categories: Information Security, Musings Tags:

We Need a New FUD

June 22nd, 2015 1 comment

One of the most common questions I hear debated in infosec (usually rhetorical) is – “what will it take for management to realize how important security is?” I think we’ve all kind of been waiting for that one breach that’s SO bad, or expect that the total volume of breaches and updates from Krebs will reach a tipping point that forces execs and board members to acknowledge that security is critical and pay more attention to it. Folks, I’m not sure it’s going to happen. In fact, I’m willing to argue that “breach weariness” is most certainly never going to be the catalyst for increased investment in security, and really bad/big breaches likely won’t either.

I did a bit of research on some of the top breaches of the last decade, primarily based on the number of records accessed or exposed. A great site to visually see this quickly is “Information is Beautiful”, here. I then went and charted the stock performance of the public companies on the list, and the results may actually surprise you. In short, companies that have experienced breaches are not just overcoming the incident, but thriving. Here are some examples:

Heartland Payments:







TJX Companies:









Adobe Systems:









Global Payments:


















Could this be entirely coincidental? Sure. In fact, what I am NOT asserting is a definitive correlation between breaches and corporate success – although if you had created a stock fund with breached companies, you’d likely have outperformed the market considerably. What I AM suggesting is that we have a bigger problem, and that’s one of credibility at the business level. No one wants to be breached (DUH). There ARE impacts – fines, breach cleanup costs, short-term reputation impacts, and so on. Neither security professionals nor executives want to experience any of this. However, business execs will look at companies who have experienced breaches, weathered the storm, and even RALLIED….and they will not be inclined to turn the whole ship to spending lots of time and money on security initiatives.

I think it’s important that we realized that in our little echo chamber, this is the most important issue all the time. To executives and business professionals, this is just another issue to contend with. We need a better business case for security than “we could be breached”. Based on some of the data I am seeing (which incidentally, many others have delved into better than I have), it’s going to be a hard sell to use breach FUD as a catalyst for change in our security posture.


Categories: Information Security Tags:

Phoning it in

December 31st, 2014 1 comment

The-Simpsons-s11e11-Faith-OffThis will be a short post, really an end note to 2014 and a thought with which to start 2015. I’ve actually been meaning to write this since early November, but…life. What inspired me to think of this post, and inspired me in general, was a concert. Every year, schedule permitting, I go to New Orleans at the end of October for a 3-day festival called Voodoo Fest. The venue is great (New Orleans City Park), the weather is usually jus spectacular, the lineups have been consistently good, and you are of course in NOLA, which doesn’t suck. This post really has nothing to do with Voodoo Fest, per se, but I caught a show that made a deep impression on me. That show was the Foo Fighters, who I happen to be a big fan of. Now, whether you like the Foos or not, that really isn’t the point. What matters here is the incredible zeal these dudes put into their show, when they could easily just show up and perform, then leave. Dave Grohl and crew got up on stage and proceeded to blow everyone’s minds for hours, actually playing until they were forced to stop. They enjoyed the hell out of themselves, and gave the crowd everything they possibly could.

At this stage of Dave Grohl’s career, he could phone it in. Easily. But…he didn’t. Not even CLOSE. And it got me to thinking…am I phoning it in in my career? Are others? Looking at how hard I’ve been working the last few years, I’d say no, from a pure work ethic. But then I asked myself…what else could I be phoning in, in the scheme of my life and career? And I realized…I wasn’t trying nearly as hard at a few things that are important to me. Music, for one – I’ve been a musician since I can remember, and haven’t been playing much. Learning some languages I want to learn, finally setting up that kick ass vintage Commodore 128 I bought a year ago, etc. These are all just personal things, of course, and it’s easy to find them going on the backburner. But in my career? I realized I wasn’t branching out as much into new areas, finding stuff that I didn’t know about at all and exploring different ideas and topics, etc. Riding my laurels? No, not really…but not being as inquisitive or curious as I had been in the past. Some of that’s symptomatic of being insanely busy. But I can do a bit more, and I realized I missed it. I’m not phoning it in…but I damn sure don’t want to wake up sometime in the near future and realize I have been.

So, my friends, for 2015, take a good hard look at where you’re at, where you’ve come from, and where you are going…and don’t forget to think about where you want to go, too. Are you wallowing in the quagmire of compliance and want to get out to a more technical role? Do you aspire to security management or leadership? Want to learn a totally new skill…just because it’s interesting and different? We can all continue to grow and improve at any age, whether we’re talking career, fitness, relationships, etc. This is your chance to ask whether you’re phoning it in, and if you are, get off the bus. There’s so much opportunity out there in our field, you can do whatever the hell you put your mind to. And I hope you will.

Happy New Year, and here’s to a rocking, kick-ass 2015!


Categories: Musings Tags:

Rethinking the Security “Con”

October 11th, 2014 15 comments

shoppingI realized a while back that I had lost the zeal to attend security conferences. I’ve been attending security conferences for a long damn time, as many of you have too. DEF CON, RSA, Shmoo, a whole $HIATLOAD of B-Sides, SANS of course, etc. Lots of smaller ones here and there, too (logistics have prevented me from getting to Derby yet, which makes me a little sad). The number of security conferences being held is off the chart. If you take a look at SECore, you’ll see just how many conferences are going on anywhere in the world at one point or another.

I think it’s gotten out of hand, honestly. Not because security cons are a bad thing, truth be told. Because we’re saying the same damn thing at all of them. The themes are the same, it’s a lot of the same people talking, the talks sometimes even say the exact same thing in different language. I can hear the criticism now. “Shack, that’s bullshit. We learn things at cons.” Mmmm hmmm. Sure you do. You hear what people say, you may find it fascinating, but very rarely will it make an impact on what you do day-to-day. Especially the heaping quantities of “Internet of Things” flaws and “sky is falling” talks about how doomed we all are when our thermostat becomes sentient, remotely takes over our cars, and we all die. Get a grip. It’s interesting, but we have major problems today, they’re a lot damn simpler than any of that “forward looking research”, and we’re still sucking ass at the basic stuff.

If you can’t lock down your desktops, what the hell are you doing listening to someone talk about malware reversing and shellcode? If you can’t detect a freaking port scan, let alone a DNS C2 channel, why are you waiting hours in line to hear a talk about hijacking car internals? I am a true believer in lifelong learning, so learning something just for the sake of learning is A-OK with me, I get it. But cons aren’t really helping us accomplish anything, unless they are straight-up training cons. And I don’t mean training your livers, since most cons involve staggering quantities of alcohol. Really, for a lot of folks, I think cons have become a few things:

  • A way to escape reality. Very few con talks touch on the mundane bullshit that we’re sucking at. They discuss pie-in-the-sky scenarios that involve vendors, “researchers”, and stuff that we can ogle at.
  • A stand-in for a social life. I have a lot of friends in infosec. I’ve got plenty that aren’t too. I can get shitfaced anytime – I don’t need to wait for a con. Seeing your infosec friends is cool. Going to more and more cons to see those people…well, that’s up to you. But maybe you could get together OUTSIDE a con for once? That’s what real friends do. Plan a trip somewhere that does not involve security. Shocking.
  • A place where people who don’t actually DO shit for a living can expound on their amazing security philosophy, telling those of us that DO do shit for a living how it’s all shaping up. Please. I know what the hell is going on in security, I live it every day. With a lot of clients. Doing real work.
  • An egomaniac stomping ground. If you continually got your ass beat in high school, sunlight sets you aflame instantly, and you have deep-seated challenges interacting socially, you can still be a rock god by breaking something and giving a talk on it. This is getting ridiculous. I love smart people, too, but I’m kind of over the “celebrity researcher”. I like people when they’re cool people, not just because they have some amazing “use after free” flaw they presented on.
  • A “scene whore”…well, scene. It’s COOL to be in infosec, apparently. You can almost predict the tweets when a con starts:
    <scene_whore>Arrived! Where’s everyone at? #ConHashtag
    …10 min later…
    <scene_whore>I’m in the bar at the <con_hotel>! <Picture of alcoholic beverage> #ConHashtag
    …20 min later…
    <scene_whore>What’s going on? where is everyone? #ConHashtag
    Most people are just folks. But being at a security con does not even come close to making you a real infosec professional. Knowing a bunch of people on Twitter doesn’t either. Drinking with people in bars may make you new friends, but still doesn’t mean you can accomplish shit as a security professional. There are even some people I see on Twitter who seem to attend every security conference on the fucking planet. What the hell is your JOB? Does someone pay you to go to cons? It’s SAD…NOT endearing.

This is a rant. I know this. But really, folks, cons are not doing shit for us, aside from giving us some fun times and maybe a handful of interesting talks here and there. If you really get value out of tons of cons, awesome. I would never tell anyone how to live their lives, or what to do with their time. But we are not FIXING ANYTHING. We still have Adobe and Java problems. We still suck at intrusion detection. We still suck at incident response. People are still clicking shit. We don’t know what we don’t know. Pretty much every con I see today won’t even begin to help with any of that. If you’re a pen tester? Sure, you’ll get some new tools, new techniques. But only about 5% of security folks are ACTUAL PENTESTERS. Lots of people like to fake it. But 95% of you are defense folks. Which is probably just fine. So do defense. Get better at fixing stuff. Focus on the boring, the mundane, but incredibly important crap like inventory management, patch management, configuration management, blocking and tackling at the network layer, security awareness, etc. I see almost no talks at cons on “solving this one problem in 10 different ways”. Almost none of you need to worry about hacking an ATM or a car. You DO need to get your backyard cleaned up. It’d be nice to see a conference with the following parameters:

  • The theme of “we’re failing” is 100% forbidden. No talks accepted, no slides with that, if you say it in your talk you are forced to listen to Barry Manilow albums the rest of the con.
  • All talks tell us how to fix something. That’s it. And REAL somethings, not some arcane crap that is only a reality for .00000004% of the world.
  • Absolutely no slides that include references to the Verizon Data Breach report. Verboten.
  • Every single attendee must write a blog post chronicling at least 5 things they learned. Tactical, “fix shit” things they learned.
  • No selfies. NONE.
  • People can only use their real names. Be a human being, and we’ll hang out. I have a real hard time here in 2014 referring to someone as only a “handle”. Call me “Dave” or “Shack” and we’re good. Let’s actually be real professionals. Crazy, right? Imagine if people at law or medical conferences referred to themselves as “D@rk Malpractice L0rd” or “SurgeonZer0”. Please. We’re not in chat rooms, people. And even if we were…that shit is OLD.

It probably won’t happen. There are still some really good efforts and conferences out there – I’m not disparaging the enormous efforts of those who run them. But I think we’re starting to look silly. Security is just a shit show, and we throw booze fests in the name of “research” constantly. Yay us.

Categories: Information Security, Rants Tags:

Infosec Monogamy

August 1st, 2014 3 comments

swansI’ve been thinking a lot lately about how security professionals can grow their skills and experience most effectively. As someone who consults in large organizations, as well as runs training classes for infosec, I’ve long pondered what the right mix is to help people gain the broadest, most applicable knowledge and experience in the shortest amount of time. Personal motivation, self-study, and natural proclivity for certain types of work are all factors, of course. However, I do think there’s some general truths in how you go about acquiring jobs, working in those jobs for X length of time, and then moving on from those jobs to different ones.

From what I’ve seen, most corporate infosec jobs do not really allow you to explore a lot of new and different activities and disciplines. In other words, you start as a network monitoring staffer, you stay in that role, and you watch the traffic. Or, you work as a risk analyst or security architect, and you have zero chance of exploring things like vulnerability management or pen testing. And so on. This is not absolute. Some organizations I’ve worked in and observed really facilitate infosec team members moving in different directions and exploring new skill areas. On the flip side, some organizations are so understaffed that the security team does too MANY jobs, all of them somewhat haphazardly. Many organizations DO send people to training, but I see a lot of people come to SANS classes that are just learning something they’ll never do at work – pen testing in particular. A good 50% or more of my students in some conferences are learning pen testing because they think it’s “cool”, not because they have any hope whatsoever of doing it within their organization.

What do you value in a job? Aside from a paycheck, of course. If stability and a “comfort level” with your workplace is important to you, then you should stay in one organization for a longer amount of time. However, if you want to get real hands-on experience with a much broader variety of scenarios, tools, and disciplines, you’ll likely have to do a bit more “job hopping”. In some ways, I think infosec is vastly different from a lot of traditional IT, in that it is entirely different depending on where you are. Risks are different, politics are different, attacks and breaches differ, etc. Contrast this with an Exchange admin – Exchange is Exchange is Exchange, with some differences in integration and tweaks to make it work. I suppose the same could be said for someone whose infosec career is “tool focused”, like ASA firewalls or EnCase for forensics. But if you really want to learn more technical areas of security, and see more scenarios, I think you’ve got to move around a bit. One other reality is the “job rut” – people get burned out, and some organizations just don’t value security. That may also be as good a reason as any to get the hell on down the road to something new and different.

One argument I get is that “knowing the organization” is invaluable in security…and to some extent, I agree. But really more for defense than offense. If you want to be a great defender of ONE ORGANIZATION, then you’ll probably need to stay there for a longer period of time to really get the lay of the land. If you want to be a better pen tester or red team member, you’ll likely need to work at a number of different places, or go work for a consulting firm (at least for a while to get more broad experiences). Some very big companies I know have so much stuff for pen testers to assess that they get a lot of variety. But most are not this way. So in general, I’d say that defense and risk positions may be good fits for longer-term positions in one organization. But if you want to do offense, you may be better off moving around a bit.

In general, I think loyalty to an organization is somewhat overrated. Most aren’t really loyal to you – that’s an old mentality from the 1950’s. Getting a bit more and different experience is a better way to go, in my opinion. I’ve also seen a trend related to tools and products – they’re really only useful as resume fodder in the earlier stages of your career, with some exceptions. If your goal is to be a firewall jockey, then go for it. List all those hardware and software versions you spend time with, because they DO matter. But later on, especially for risk-focused positions, or architect jobs, this seems to be less important (unless you need really advanced skills with a complex technology like a particular SIEM, for example). If you’re in more management-oriented roles, moving to new jobs tends to be more based on your track record of success stories versus hands-on skills. Did you develop a sound program at company X? Successfully coordinate a data breach defense at Organization Y? And so on.

Just some observations I’ve had over the years.

Categories: Information Security, Musings Tags:

A Hacker Looks at 40.

May 29th, 2014 5 comments

40Wow. It’s finally happened – the fabled 40th birthday that everyone loathes. It’s upon me. At 40, I think you’re supposed to reflect back on what you’ve done, what you’ve accomplished, what’s been good and bad, and where the hell you’re going in life. Right? OK, this will depend largely on the individual, but 40 feels like a pretty damn good spot to reflect. Why not?

Some of you will say “40? WTF? That’s nothing.” And you know what? You’re right. 40 IS nothing. It’s been the most amazing ride so far, and things are only getting more interesting. So…a few observations on infosec, life, and the big picture. Warning: opinions ahead, and I get it if this is content easily skipped.

First, the industry we’re in. WOW. What a shit show. Who could have known what it’d turn into – I remember how I got into infosec, and never for a second thought it’d be this. So first, I was a fucking nerd as a kid. I wrote computer games in BASIC for the Commodore and Atari systems, most of which consisted of “What do you do? Turn left. Well, you die!” So yeah…game designer was out. I exploded shit in my basement as a kid with my chemistry set. I also took apart every electronic thing I could get my hands on, and *sometimes* put them back together. I was born to be a hacker, and that is all there is to it. So when one of my college professors hired me into a large Fortune 500 program, I had no idea what I was getting into, but security felt RIGHT. And today? Man, who could have imagined this?

I get bored easily. REAL easily. I need mental stimulation, and boring ass IT gigs sucked for me. Can you imagine being a day-to-day Exchange admin? That’s a “wake up in a cold sweat” nightmare for me. Day in, day out, Exchange. GAWD. So infosec? Yeah, it is volatile, and messy, and changes all the time. Thank goodness. I think change keeps you fresh, and this industry is just insane.

I miss some of the “old days”. I think it’s natural for some of us “old schoolers” who did infosec in the 90’s (or before). Back then, people had to innovate “solutions”, and actually understand sysadmin roles, technology, and maybe even code. Today, that is more rare than ever. We have pockets of brilliance…surrounded by an ocean of “just got my information assurance degree” bullshit that belies total lack of experience and real technical competence. Some of that is likely me being old and curmudgeonly, but damn…don’t talk security until you have done the actual work, or at least SOME of it.

So at 40 – how am I feeling about my infosec career and life in general? Let’s start with infosec, naturally. Infosec is the most incredible gift I could ever have received. All cynicism aside, it pays well, is dynamic, and more than anything…I love you people. Many of you are not just assholes, but FUCKING assholes. Some of us assholes NEED other assholes to hang out with. I love the vitriol, technical condescension, and pathetic attempts to deflect Twitter comments from your employers. You’re good company, and challenge the status quo…which is exactly what the industry needs. The ridiculous focus on all these stupid ass conferences? Not so much. But…you take the bad with the good.

What about life in general? Well, I’ll keep it short. I have far exceeded all of my wildest dreams. I have no real regrets at all, even though I’ve done some of the dumbest shit you’d ever hear about (most of which will remain private). I have an incredible wife and daughter, a few good friends, a lot of insane hacker acquaintances, and a good paying gig that I absolutely love. So all is well with the universe.

What advice could I offer? Heh. If you take advice from me…a big grain of salt should be involved. But in general, a few things I’ve learned along the way:

  1. Learn more. Constantly. If you are chillin’ with your skills from a few years back, no. Advance, learn more, or find a new gig. Infosec does NOT need dead weight.
  2. Make sure you have thick skin. If you are easily offended, or get worked up about critical comments and such, you need to toughen up. This is not an industry that cares about personal feelings. Good and bad, true, but it is what it is.
  3. Make as much money as you can. Seriously. Don’t be lulled into this “greed is bad, do it for the community” horseshit. You are in a very in-demand industry, and SOMEONE is going to make great money at it. Might as well be you. So do this.
  4. Do not make infosec your life. It’s a job. One you can, and should, enjoy SO MUCH. But your REAL life? That’s other things. If it’s not, you are putting all your eggs in one basket, and that directly defies some-or-another CISSP principle, I’m pretty sure. Seriously – get out more, explore hobbies, and think about the other part of your life that does not involve infosec. If there’s not one, you need to develop one.
  5. 1’s and 0’s are our work life. But step back. Look at the PEOPLE. Your family, friends. This is what matters most. Appreciate this more. Yes, you can.
  6. If your health sucks – change it. You cannot live a full and awesome life 200 pounds overweight and miserable. There’s nothing awesome about being a walking heart attack- and no, I’m not telling you to become a fitness nut. I am one, but that’s irrelevant. This is your LIFE. Your body lets you enjoy it. So take care of yourselves, people! I want to have a drink with you at DEF CON, and if you fucking die, that won’t happen. 😉

All in all, this hacker is looking at 40 with an incredible perspective on life. I’ve had severe highs and the most guttural lows along the way, but I would not trade my life for anything. I hope you feel the same. Cheers.

Categories: Information Security, Musings Tags: