Writing UNSECURITY Journey – Back Home/Kidney Stones

A series of posts dedicated to the journey of writing my first book, Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?

This is the seventh article in the series. The others:

See here for the full list of articles, including those that are yet to be written for this series.

Introduction

You already know what’s coming in this article. My titles in this series aren’t very creative, are they?

It was good to be back home. The only thing that sucked was the weather. In Cancun it was sunny most days and the temperature was in the mid-to-upper 70s. At home, it was below zero and snowing. The good news was I wouldn’t be tempted to go outside much. Good writing weather!

Cancun was mostly a success, minus the first week drama. The score at the beginning of the Cancun trip was: 76 days to go before my self-imposed deadline and zero words written (sort of). I came back with a score of 62 days to go and 21,672 words written. Seemed good to me at the time. Remember though, I was a naive newbie writer, and I had no clue how long these books are supposed to be or what they’re supposed to look like.

The Routine

While I was away, I had few interruptions. At the office, I was interrupted constantly. I love being an accessible leader who’s genuinely interested in every employee who works at FRSecure and SecurityStudio. Between my need to be with our employees, the phone calls, meetings, and emails, there was no time to write anything between the hours of 8:00am and 5:00pm.

I wanted to avoid writing at home because I knew it would dominate family time. Something had to give. I needed to find writing time somewhere.

The solution… I’ll get up every morning at 3:00am, get to the office by 4:00am, and write from 4:00am to 8:00am. Brilliant. I knew that I wouldn’t be able to do this every morning, but I would try anyway. If I couldn’t find the energy some mornings to get out of bed, I would just reset the alarm and find an hour or two somewhere else in the day.

Week one was essentially shot because I hadn’t figured out what I was going to do yet. It was a struggle to catch up with emails, let alone write anything. Score: 54 days to go and maybe 22,000 words done. I felt like I was starting to fall behind, but I was sure I had a solution.

Week two, Monday morning, I’m up and raring to go! Good writing session. Tuesday, same thing. Wednesday, starting to drag a little. Thursday, nope. Friday, somehow managed to get in early, but could not write anything. My brain was not having it. The 3:00am thing is going to be a real turd. Maybe I’ll try 4:00am instead.

Turns out the 4:00am each morning did the trick. Some days were better writing days than others. I tracked my progress each day by how many words I wrote. Some days I wrote 1,200(ish) words and some days I struggled to write 250 words. Here’s what I learned…

How many words you write each day doesn’t matter as much as writing each day.

Kidney Stone

Life was good, and I was trucking along, until one morning I didn’t feel right. I wasn’t sure why, but I felt like I needed to use the restroom really bad. No problem, to the restroom I would go. At this time it’s probably 5:30am, and there’s nobody else in the office yet. I didn’t feel right, but there was no reason to panic.

I tried writing, but it was a struggle because I couldn’t concentrate. I constantly felt like I needed to go to the bathroom, yet every time I went to the bathroom, nothing happened. There was no urine or bowel movement, just an unusually pronounced feeling that I needed to excrete something. As time went on, the feeling got worse, bit by bit. The time was now 9:30, and I’m getting a little more concerned.

Things progressed much faster, and by 11:00am, I’m lying on the bathroom floor. Wasn’t panicking before, that’s changed. Something is seriously wrong. Thankfully my wife was in the office at the time, so I told her about my problem. I told her that I need to go to the doctor right away. I don’t know what’s wrong, but I know that it hurts like a sumbich. She knows I have a high pain tolerance, so this is very unusual. She immediately gets the car while I get my jacket.

We’re in the car on the way to the nearest clinic, 15 minutes away. She keeps asking me if I’m OK, and I don’t want to talk. I want the pain to go away, and I’m in full on “GIVE ME ANYTHING TO TAKE THIS PAIN AWAY RIGHT NOW” mode. After an eternity, we arrive at the clinic. We get in to see a doctor quickly and the doctor starts asking me a bunch of questions. I don’t want to answer any questions! The pain is unbearable, and I want her to 1) give me something to make me feel better or 2) shoot me. She tells us she thinks I have a kidney stone, and that I have to go to a hospital.

That’s it?! No drugs? No gun?! Just go to a damn hospital?! Useless. I’m pissed. I’m angry. I feel like an alien is going to come popping out of my stomach or my ass or my back at any time (I can’t tell which). I’m obviously dying, and now I’m told to get back into a car and endure another 20 minutes of hell before I eventually get to the emergency room. Fine. Whatever. I’ll do anything right now.

Another eternity passes. Two eternities in one day if you’re keeping score. We arrive at the emergency room, and more questions! The nurses want to ask me questions, and I don’t want to talk to anyone. I want drugs or a bullet. That’s it. My wife intervenes (she’s an angel) and eventually I end up in a bed. Still dying, but dying harder now. How can I possibly be dying harder? This is crazy! Why God?! What did I do to deserve a living death like this?

We’re in this room with a curtain thing that separates my bare bottom in a scratchy gown from the rest of the world. A nurse or doctor (I can’t tell because I’m having trouble seeing now, I think) comes in and she wants to ask me questions too! Seriously, stop with the flipping questions already, and get down to business! I look at my wife in desperation. She tells the doctor I don’t want to talk and she answers for me. Out of all the questions that were asked, I heard one that I actually wanted to answer. The doctor asked what my pain level was on a scale of 1 – 10, 10 being the worst. I blurt out, “it’s a 20!”. Even that answer was hard to muster between my panting and dry heaving. Oh yeah, the pain is making me dry heave now.

Seriously, I’m dyyyyyyyiiiiiiiinnnnnnnggggggggg. The doctor leaves for some reason or another, and now I can’t lie down. I’m pacing the room, stopping to lean head first against a wall every now and then. While I’m pacing and trying to find some way to move in a manner that will give me some relief, I can overhear the nurses outside my shower curtain door talking about recipes for some whatever thing. I’m like, why?! Why do you let a good man die while you talk about tater tot hot dish recipes?! Life sucks. Seriously, is this the end?! Is this how I’m going out?

Finally, a nurse comes in to see me again. She wants me to pee in a cup. I want to shove the cup up her… No! I stop myself. It’s the pain talking. I did shout, “when can I get some drugs”? She stopped what she was doing and gives me a puzzled look. “Wait. Nobody has given you anything yet?”. I can’t say anything because I want to cry. My wife answers for me, and before long I get some morphine. Thank you Jesus!

The pain slowly eases, and I can talk better. Why do things like this always happen to me? For one, this mother of all pains, and then forgetting to give me some drugs? Double whammy of suck.

The morphine didn’t take the pain away entirely and it didn’t last very long either. My pain probably dropped to an 8 (which is a helluva lot better than 20). Seemed like thirty minutes later, and my pain started to inch up again. Next up, the doctor wants a CT scan. OK fine, just don’t forget the drugs. The whole CT scan thing was quick, and before I know it, I’m back in my room. The pain is getting really strong again, but the nurse gives me something in my IV right away. Within five minutes I’m feeling good. Like, what the hell just happened?! I asked the nurse what she just gave me, because I want that stuff on stand-by.

I was expecting the nurse to tell me the name of some super-narcotic, but no. She gave me ibuprofen in my IV. Ibu fricken profen?! Really?! Yep. I was too amazed and exhausted to ask them why we didn’t start with this an hour or two ago. The results from the CT scan were ready, and it turned out that I had a 7mm kidney stone. The doctor suggested that we let the stone pass. Skeptically, I agreed. She thought it would pass on its own and told me if the pain comes back, take more ibuprofen. Easy enough. I LOVE Ibuprofen (now).

Before the doctor left, she mentions one more thing on the way out. She requested that I come see her at the nurse’s station after I get dressed. I asked her why. She wanted to show me something on my CT scan. My wife and I looked at each other, and we could read what the other was thinking. Why? What do you want to show us? I quickly got dressed and scurried out to the nurse’s station where the doctor was waiting for me.

She showed us a grainy looking image. In the middle of the image was my kidney. The doctor pointed at the kidney, and focused our attention on a darker part of the image. She explained that she’s concerned about a “mass” on my kidney. Apparently the mass had a diameter of 55mm. She advised that I get a CT scan with contrast soon, and that was that. She wouldn’t answer any additional questions and just referred us to our family doctor for next steps.

That’s it… Writing wasn’t really on my mind anymore, at least not on this day.

You Want to Get Into Security? – Part 3

This is a five-part series about getting and keeping a job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.

The series consists of the following articles:

This is the third installment in the aforementioned series: Landing Your First Job.

Landing Your First Job – Introduction

I have to admit, it’s been a very long time since I landed my first information security job, and it’s been more than 10 years since I’ve hunted for any job at all. This means that my advice will come from somebody who hires more than from someone who’s looking for a job. I think the advice is still valid, but you can judge for yourself.

My first information security job came in the early 1990s. I had the pleasure of cleaning boot sector viruses off thousands of Windows 3.0 and 3.1 computers. Back then, information security wasn’t really a thing like it is today. Even though there are more information security jobs today than there were then, I think it’s harder to get jobs now for some reason. Probably unrealistic expectations. Anyway, it’s not easy for most people to land their first information security job.

In this article I’ll give you some tips that I hope will help you get your first information security job.

Matchmaking

Getting a job is like finding a girlfriend or boyfriend on a matchmaking site. People post a profile of themselves and all the things they’re looking for in a mate. Then there’s other people who also post a profile, but they’re more active in looking for a date. These people browse profiles, sometimes for hours, looking for the right person to contact. In our analogy, the first person is the company or recruiter, and the second person is the one looking for a job.

The first objective is to get a date with someone. The ultimate objective is to go steady, or enter into a committed relationship. Dates are interviews and going steady is landing the job.

A match isn’t likely to happen if either party has unrealistic expectations. Not all jobs are like an exceptionally attractive European noble with billions of dollars and a love for puppies. You might want a unicorn job, and the hiring organization might want a unicorn to work for them, but these things are extremely rare for someone who’s new to this industry. Keep your expectations in check.

The matchmaking analogy applies best to using job sites like Google, Indeed, Monster and others. As we’ll see, this is only one way you can go about finding a date, and it might not be the best.

Getting a Date

When you’re trying to get a date, you don’t want a date with just anyone, do you? Hopefully not. We want to find the right person, the right job. Hopefully, you’ve done some research and prepared yourself for the job market as we outlined in our previous article. If you did the research, you’ve probably found some good job sites.

Where to find dates

There are many ways and places to land a date, and there are many places you can go to try to find an interview. Depending upon your specific circumstances and your specific preferences, choose the right path or paths for you. Here are ways people find us at FRSecure and where we might find you too:

Internships

Internships aren’t for everyone because they don’t usually pay well, if at all. Internships come in all forms. Some are paid, some are not, some require experience, some do not. Paid internships can be a challenge to find, but they’re out there. Unpaid internships are a little easier to find. A simple Google search for “where to find information security internships” will produce many leads for you; however, the best way to find an internship is through someone you know. Ask around.

Most large organizations with security teams and information security companies offer internships. Contact them directly and inquire. This will give you more control and might land you an opportunity with a company you like more.

Job Sites

Using a job site is fast and easy. It should be included in your strategy, but I caution against using job sites as your sole source for dates/interviews. These are some of the job sites you might want to check out:

  • Google – Google integrated with ZipRecruiter in 2017 and produces pretty good results. Just type a job title and the word “jobs” into Google search.
  • LinkedIn Jobs – There are plenty of jobs and some good job seeking advice on LinkedIn. You will probably want to use LinkedIn for yourself anyway as you build your career, it’s a well known and heavily used networking tool.
  • Indeed – A clean, quality job site.
  • Monster – A job site that has been around for a long time (1994). It’s still a quality site, even though it’s not as dominant as it used to be.
  • ZipRecruiter – A very popular job site, and probably one of the fastest growing.
  • CareerBuilder – A popular job site, but not one of my favorites. I have no objective reason for this site not being one of my favorites though, it just isn’t.

These are the major job sites that I know of. Whatever site(s) you use, be sure to document what jobs you’ve applied to and keep track of any/all responses. It probably doesn’t reflect very well if you apply to the same job multiple times through multiple sites.

Networking

Networking is difficult for some people because they don’t feel confident or comfortable in groups or crowds. I get it. I’m one of those people. Go to local information security events, meetups, chapter meetings, etc. to meet new people. You can network with anybody, and they don’t have to be security people. If you get good at networking, you’ll find that most people know a security person that they can put you in touch with. Getting referrals or door openers is a differentiator that could work in your favor.

Mentor

Mentors are great for many things, helping you land a job is just one of those things. Mentors will help you prep for interviews and offer wisdom throughout your career too. Everyone should have a mentor, no matter where you’re at in your career. My mentor and I met in 1995. He was my boss when I worked for Jasc Software (known for Paint Shop Pro). We’ve both moved on in our careers, but we still have a standing coffee meeting every Friday, and his support has been instrumental in my success.

Finding a mentor isn’t easy. You’ll have to take a risk and ask someone, and they might say no. A mentor could be a teacher you had in school, a boss you admire (like my mentor), a friend you respect, a family member, someone from church, or anyone in between. I suggest that you write down the names of five to ten people you respect and admire, then go ask them if they’d be willing to be your mentor. If you strike out, do some online searches for mentorship programs. They come and go all the time.

Once you feel you’re ready, be sure to return the favor by becoming a mentor for someone else.

Local Community Events

There are groups of information security people meeting all over the place, all the time. Chances are very good that there are information security groups meeting regularly in your area. These are great places to meet and learn from other information security professionals. Building relationships with others will create a wonderful support group for yourself and open doors to all sorts of opportunities, including jobs.

Where I live, in Minneapolis, there are more than fifteen information security-related groups that meet regularly. This means that I could conceivably attend fifteen or more events every month, and meet hundreds of other security professionals. Pure gold!

A simple search on meetup.com will probably produce some good leads for you. The Information Systems Security Association (ISSA) has local chapters all over the world, and they welcome new visitors. Other organizations that have local chapters all over the United States (and maybe the world) include the Information Systems Audit and Control Association (ISACA), InfraGard, and the International Information Systems Security Certification Consortium (ISC2). Check them out, it’s worth it.

Prep for Dating

Alright, hopefully you’ve got some good leads now. You have a solid resume, right? If you don’t, get one.

Need help? Start with a sample resume. You can ask for one from a friend or see if you like one of these free online samples:

Now you need to plug your information into the sample/template resume. If you don’t have any experience, you might not have much to put down. Don’t let that discourage you. There are companies who put a high price on intangibles. Take where I work for example, we always hire for the intangibles first. Intangibles are the things that align with our core values, which were covered previously in Part 2.

Think we’re the only company who does this? Think again. Just last week (2/21/19) I had the honor of moderating a panel of amazing female security experts for an AnitaB.org event at the University of Minnesota. AnitaB.org is a great organization supporting women in technology. One of the questions for the panel was “What skill sets would you look for in your team?” Each of the panelists gave their answer, but none of the answers had anything to do with technology skills. All the answers were about the intangibles! Good validation for what we already knew.

Fill your resume with information about you, focusing on how you will help your employer. Include your community work (if you have any) and be sure to list these groups you’ve been attending (see above). I used to customize my resume for each job that I applied for. This would ensure that my tangible and intangible skills would align perfectly with what they were looking for.

Additional tips for writing a good resume can be found online:

Above all, be sure that the resume is true to who you are. We want a company to like you for you.

Your Best Face

Alright, you got a date?!

You want to be you, but you also want to be a good fit for the culture of the organization. If you haven’t already, now’s the time to do some research. Find out everything you can about the organization and about their culture. Find out how they dress, because you don’t want to overdress or underdress for the interview. Find out what they believe in, because you’ll want to validate and compliment their mission. Find out about their successes, because you’ll want to acknowledge them and verbalize your commitment to helping them get more similar successes.

Put the address for the interview into a mapping application days before your interview. Figure out your route and how long it will take you to get there. If you don’t feel comfortable with the drive, make the drive yourself a day or two before your interview.

Get to the interview at least 15 minutes early.

Eat something reasonable before you go to the interview. Pee before you get there.

The best advice I can give you in preparing for an interview is to be you. Don’t try to BS or be somebody you’re not. The person you’re interviewing with will probably see through your ruse, and if they don’t, you can’t feel good about starting your relationship being somebody you’re not.

Making a Commitment

You had an interview or two, or twenty. Now you get an actual job offer! Somebody wants to go steady. Yay you! Now you need to make a choice, do you take it or not? This is gut check time. My suggestion is to not take any job that you can’t commit to for at least two years, and ideally five years. Ask yourself if you could see yourself with this organization for two years or more. If the answer is no, I would say no to the offer. This takes a certain amount of discipline, and your circumstances may not permit any choosiness. Most people would take the offer anyway.

The reason why I suggest staying with an organization for two years or more is because it validates your intangibles. It shows that you take commitment seriously, you are loyal, and you understand that you can’t rush experience.

You may decide to negotiate your offer, but if you’re new to the industry, you probably don’t have much to negotiate with. I’d advise against much, if any, negotiation.

CONGRATS on the offer and the new job (hopefully)!

Conclusion

Getting your first job in this industry isn’t as easy as some people think. You need to work at it and you need to be creative. Make friends, make connections, and earn a good reputation. Take a pragmatic and formal approach to the process, after all, you are working for you!

Now that you landed your first information security job, how are you going to become a good (and ever-improving) information security expert?

BONUS: What is an “expert” anyway? This was a question that Brad Nigh (co-host of the UNSECURITY Podcast) asked me today during our recording of episode 16 (available 2/25). Comment below. No Googling or official definitions allowed. 😉

UNSECURITY Podcast Episode 16 Show Notes

Each Friday, I’m going to do my best to post the notes for the UNSECURITY Podcast episode that Brad Nigh and Evan Francen (me) will record on the following Monday morning. Each week, Brad and I alternate leading episodes, so I lead the odd episodes and Brad leads the even ones.

If you missed episode 15, you can still give it a listen.

These are the notes we use to guide our discussion for the UNSECURITY PODCAST – Episode 16. This will end in disaster, or it will be great. Hard to tell where this one will go.

Saturday, February 23rd, 2019 @ 4:00pm

Description

This podcast is led by Brad and he’s invited two special guests for this one: his wife and Evan’s wife. We’ll talk about what it’s like to be married to an information security person and ask a bunch of questions that we think might help us learn more about maintaining a healthy relationship at home while working like we do (long hours, hard challenges, and mission-driven).

Opening

[BRAD] Alright, welcome to the UNSECURITY Podcast. My name is Brad Nigh, and I’ll be your host for today’s show. Joining me as always is Evan Francen. Hi Evan.

[EVAN] Hi Brad. Good afternoon.

[BRAD] That’s right. We had to switch it up a little this week because Evan is travelling to a client on Monday and Tuesday. Instead of recording our podcast on a Monday morning, like usual, we’re recording on Saturday afternoon.

We’re excited for today’s show because we have not one, but two special guests.

[EVAN] That’s right. We’re excited. Tell the listeners why we’re so excited Brad.

[BRAD] We’re excited because we’ve invited our wives to participate in today’s show!

[EVAN] Oh boy.

[BRAD] No, I think it’s OK. They promised they’d be nice, and only tell half-truths to protect us.

[EVAN] OK, good.

[BRAD] Ladies, welcome. Say “hi”

[GUEST ONE AND GUEST TWO] Hello guys. Thanks for having us (or whatever).

Interview Questions

These are interview questions for our guests, or more accurately, our own wives.

All our questions are addressed to both wives; however, other questions may come up during the interview that could be addressed to one or the other specifically.

[BRAD] Alright, you guys ready? You’re sort of the stars of the show today. Remember, no bashing and be nice! We can delete this recording if we need to.

Our sample questions. Depending on how things go, we might skip some or add some. We’ll see…

  1. What’s it like to be married to someone who works in information security?
  2. Share some of the hardest challenges in balancing your marriage with his job.
  3. Do you have any interest in being an information security professional yourself?
  4. Do you notice times of increased stress in your spouse’s life that you know come from their work?
  5. How often do you notice increased stress?
  6. Can you share any tips on how to handle your spouse’s work stress?
  7. Do you give advice to your spouse when he’s stressing from work? If so, what advice have you given him that helped (or not)?
  8. How many hours per week does your husband work? Is it too much? What’s the right number of hours?
  9. What’s the best advice for getting your husband to stop thinking about work?
  10. What do you think is different about being married to a person who works in information security versus some other careers?
  11. If you could give one piece of advice to your husbands related to work/life balance, what would it be?
  12. If you could give one piece of advice to other spouses who are married to information security people, what would it be?

ENDING ON A HAPPY NOTE…

What are some of the greatest benefits to your family that have come from your husband’s work in information security?

[BRAD] Phew. Alright then. Thank you, ladies! We made it out of that alive, right?

DIALOG AS NEEDED…

Week Recap

Quick recap of anything exciting that happened to either one of us last week…

We’re always looking for feedback from you, our listeners. Tell us how you liked our show, make suggestions, or volunteer to be a guest. Whatever. Just email the show at unsecurity@protonmail.com.

By now, you should know where to find me and Evan. Find me on Twitter at @BradNigh. You can find Evan on his website https://evanfrancen.com or on Twitter at @evanfrancen.

News

OK, let’s get to some news quick. I think we have some time. Ladies, feel free to chime in. Your perspective matters too.

Closing

Well, that just about wraps it up for this week’s show, episode 16. This was another good show. A special thank you to our special guests. Ladies, thank you! I know that both Evan and I are very grateful to be supported like we are.

Any parting words Evan?

Next week, we’re not sure what we’re doing yet. We’ve always been pretty good at winging it anyway. Another quick reminder to send your questions and suggestions to us at unsecurity@protonmail.com

Thank you and see you next week!

Writing UNSECURITY Journey – Cancun(2)

A series of posts dedicated to the journey of writing my first book, Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?

This is the sixth article in the series. The others:

See here for the full list of articles, including those that are yet to be written for this series.

Introduction

The second week in Cancun was infinitely better than the first. The second week officially started with the arrival of my wife and daughter. They were coming to spend time with me and enjoy some of the Cancun sun. My wife had a spare laptop power cord in hand, so I was finally back in full service! After writing the first 25 pages of the book on an iPhone, it was such a relief.

The Restart

It’s Saturday, and the alarm was set for 5:00am. The plan was to write all day at a corner table in the resort lobby. I chose this table because it was off in a quiet corner, it was just the right height, and the chairs were comfortable. I was pumped! Last week it felt like this day was never going to come.

One thing I did a few days ago, maybe Thursday, was set goals. I also wanted to set some writing time structure that I could follow. My goal was to write 3,000 words/day and adjust as I went. This would equate to about 12 pages/day, and this seemed like a reasonable goal starting out. The structure I would follow would be 50 minutes on, followed by 10 minutes off, and I would not stop any earlier than 3pm. I had already done a lot of research for the book, so my day would be all a go for writing!

My first ever full writing day ended at 3:45pm. I hadn’t eaten anything, but I didn’t even notice my hunger until I stopped for the day. Final results: 2,732 words, or about one and a half chapters. It felt like a productive day, and I felt an incredible sense of accomplishment. Finally, something got done!

I spent the rest of the day with family. Great day.

The Coffee Club

Sunday started with the same goal and the same approach as the day before. Writing started at 5am sharp. Each writing session would be 50 minutes, just as it was the day before. As I was starting the third writing session of the day, two old guys came and sat at my table, one on my left and the other on my right. Awkward. I struggled a little to maintain focus, and did my best to ignore them. These guys obviously knew each other and they began a (loud) conversation like I wasn’t there, even though I was in between them. Ten minutes later, another old guy shows up and takes his seat at the table. The conversation amongst the old men continues.

I’m doing my best to stay in the zone, but my bladder starts screaming for some relief, so I had to stop for a quick bathroom break. After relieving myself, I walk back to my writing spot when I notice that there’s a problem. This isn’t my spot anymore. There are now eight or nine old men sitting all around the table! I sit down, but I’m cramped. I struggled through the rest of the writing session, and took a break outside. I’m flustered and irritated by these rude old men. I’ll just need to fight on and keep writing. It’s the only comfortable spot around here.

Three quarters of the way through the next writing session, the old men begin to disperse. Before long, I’m alone at my table again. Awesome! During the next break, I reflect on the awkward experience, and convince myself that it must have been some kind of Sunday morning gathering. I’m hoping that tomorrow will be different, back to normal. The second day was a little better than the first in terms of the number of words written, 3,012. I was determined to hit my goal, and I was getting better at writing too.

Monday comes, and the same old man experience. The first five minutes with these guys were frustrating. I was actually angry. Today was different though. Before long, I started listening to their conversations, and they even addressed me a couple of times. Before they left, I had introduced myself to them all, and I was actually starting to warm up to these guys. Monday was a good writing day, but I have to admit I was looking forward to seeing the guys tomorrow.

Tuesday came, and so did the old men. These guys meet each morning for their coffee club and I was in their territory. I was happy to see them, and I think they were happy to see me too. Rather than trying to write anything, I closed my laptop and fully engaged in conversations. I’m not good with names, but there were two guys that I immediately hit it off with, Bob and Lynn. Bob was a dentist for 36 years in a small Missouri town. Lynn owns a farm that is the largest producer of gladiolas in the United States. All these guys were retired and spend some number of winter weeks in Cancun each year.


My Cancun Coffee Club

Bob asked me what I was doing with my laptop, working. When I told him that I was working on a book, he seemed genuinely interested. He asked me what I was writing about, and I told him that I was writing about information security. The look on his face was priceless, partially because it’s Bob and partially because he had no idea what I was talking about. I did my best to explain, but I could tell it was going to take a while. He wanted to know more, but we didn’t have the time.

This is when I realized what the second book would be. You know, the one I’m writing right now. This thought at the time was crazy because I hadn’t even written half my first book before I’m thinking about the second one. The second book would be titled “Information Security for Normal People”, or something similar. Normal people are people like Bob. The more I thought about it, the more convinced I became. How sad would it be for a wonderful, salt of the earth, all-around good guy to lose everything to some jackass attacker? Yes, I have to write this second book. Shelve it for now.

As the week progressed, my relationship with the coffee club deepened. We got to know each other pretty well. I didn’t let it take away from writing progress because I planned it each day now. When it came time for me to leave for home, we said our good-byes, and I promised them I would be back again next year.

Heading Home

The second week went fast, much faster than the first. I spent at least 60 hours at the keyboard, and still found time to become part of a coffee club and make great memories with my wife and daughter. The week produced a total of 21,672 words. If I would have avoided the week one drama, I think I could have had 45,000 words. Oh well, at this point I still have a month and a half to finish up the draft. I’ll just need to do it at home.

Lessons from Cancun:

  1. Prepare much better. There was no excuse for leaving my laptop cord behind. If you’re going somewhere to write, pack well and prepare for contingencies.
  2. Goal setting is important. There were days where I wanted to quit for the day, but I was short of my goal. I would not allow myself to quit on a couple of days, because of my goal.
  3. Segmented writing works well for me. The 50 minutes of focused writing followed by a 10 minute break was a good approach. It forced some discipline into my writing and inserted healthy breaks.
  4. Don’t try to force through distractions. If I don’t want distractions, go somewhere quiet. If I’m distracted, and I don’t want to go somewhere else, stop writing. It saves me frustration and I made some great new friends.

That’s it for the two-week Cancun writing trip. I’m actually starting to feel like a writer at this point in the process, and I’m excited to write at home or in my office.

UNSECURITY Podcast Episode 15 Show Notes

You Want to Get Into Security? – Part 2

This is a five-part series about getting and keeping a job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.

The series consists of the following articles:

The Right Person – Introduction

In the last article, we concluded that there is plenty of opportunity in the information security industry, especially for jobs. The job market looks good far into the future.

Great, now what? There are two types of people asking this question, maybe three:

  • People working in the industry who want a change.
  • People not working in the industry who want to explore the possibility.
  • People who don’t care one way or the other about #1 or #2.

Type 1: You might find this article interesting, but I’m not writing it specifically for you. You’ll find more benefit in the fourth and fifth articles of this series: “Becoming Good” and “Staying Healthy”.

Type 2: This is your article. I’m writing this for you, giving you the best advice I can.

Type 3: You should care. You’re either missing out on a possible opportunity for you and your family, or you know someone who could use some advice. People who don’t care about things seem like miserable people to me.

There. I’ve explicitly defined the audience and set expectations. Now, let’s get on with it. Back to our question, now what?

The ‘Now What’

If you’re still reading, you must be interested in getting an information security job, or you know someone who is. The first thing you should know is what it takes to be a security person. There are common traits that good security people have. Rather than trying to build specific security skills, first focus on the traits you possess that will translate well into security roles.

Please don’t overlook these traits or take them for granted. They’re very important.

I’ll share the approach we use at FRSecure because it’s what I know best and it’s served us very well over the past 10 years.

FRSecure’s Approach

We hire for the intangibles, the things we can’t teach. As a business, there are three things that we must establish with each one of our customers before we ever do work with them, and these three things translate directly to our Security Analysts who do all our work:

  1. Trust – People trust us and we must never betray their trust. Are you trustworthy? Do you consistently do what you say you’re going to do? Can people count on you? Do you put other people’s best interests above your own? (very important for consulting)
  2. Credibility – Directly related to trust, are you believable? Credible doesn’t mean you know everything, but it does mean that you know what you know and you’re willing to stand by your words and actions.
  3. Likeability – Nobody wants to work with a jerk, not co-workers and certainly not clients. Are you pleasant, friendly, and easy to like?

You must do well in these three things if you want to work here. Next comes our non-negotiable core values:

  • We tell the truth.
  • We are collaborative.
  • We are supportive and driven to serve.
  • We do whatever it takes.
  • We are committed to constant improvement.
  • We have balance. We work hard and play hard.
  • We all buy in to who we are, what we do, and where we’re going.

The non-negotiable traits that make people a good fit here are: truth, collaboration, support, service, doing, commitment, consistency, improvement, balance, and being bought in. These aren’t traits that we negotiate on; we live up to these values always.

Other bonus traits that work:

  • Humble – The best information security professionals are humble people who are willing to help others. Ego takes a back seat to building others up. If you’re full of pride and you like to feed your ego, please (for the sake of all of us) don’t become a security professional, you’ll just make everyone’s job more difficult.
  • Learner – You will never learn everything there is to learn about information security, and things change very fast. If you don’t like to learn, you’re probably not going to make it far.
  • Persistent – I swear I’ve said the same things a million times, and many of the things that I say today, I said 20 years ago. People are slowly getting some of the things we’ve been preaching for years. Persistence will serve you well in all sorts of problem-solving scenarios.
  • Aware – Another word for this would be perceptive.
  • Logical – There are reasons for just about everything. You’ll need to use logic often. Computers and other digital things are discrete, meaning everything is on or off, a one or a zero. Things can get confusing when there are millions of ones and zeros because what was black and white becomes gray. No matter, there’s logic in all of it. Human beings are a different case altogether, they’re analog.
  • Moral – You must be able to discern right from wrong, always. Integrity is a very big deal, do wrong, and you could ruin your career.
  • Comfortable with discomfort – Most information security experts are always in some degree of discomfort. If you can’t get comfortable being uncomfortable, you’ll be less happy in this business.

Love People

My favorite trait in a good security person is their love of people. The best information security professionals know that information security isn’t as much about information or security as it is about people. People from all walks, all faiths, all colors, all genders, etc., etc. Information security doesn’t discriminate, neither should its professionals.

If you don’t have these traits, we probably don’t want to hire you. If you do, then start researching job roles.

Job Roles

You read previously that there were more than 800 variations of different job titles in our industry. Not to make this any more overwhelming, but there are 1,000s of variations of job roles and responsibilities to fit these job titles. Start researching the roles that seem interesting to you and take note of educational and skill requirements. Keep researching until you feel comfortable and convinced about where you want to take your security journey. Research entry-level positions and research expert-level positions. See if you can draw out your career path for yourself beyond landing your first security job. Just because you draw it out doesn’t mean you can’t change it later, after you know more.

Places to review information security job roles, education, and skills:

  • LinkedIn – the site (or the app) has really good search filters, so you can look by experience level, location, type, and several other criteria.
  • Google – Google has a nice search function, with many filtering options, built right into the search engine. Just Google “information security jobs” and you’ll see what I mean.
  • Indeed.com – A solid job site with many options.
  • CareerBuilder – Another pretty good site.

Keep researching until you feel like you know what you want, or at least you think you know what you want. If you get it wrong, not a huge deal. Like most things, you can adjust later.

Bonus: A Mentor

Navigating the waters of the information security industry is always better with someone who’s been there, done that. If you know someone who’s been in the industry for a while, ask them if they’d be willing to be a mentor for you. If you don’t know anyone, ask around. If that still doesn’t yield any results, you can try other resources like your local Information Systems Security Association (ISSA) or International Information Systems Security Certification Consortium (ISC2) chapter. There are always good and helpful security pros at the chapter meetings. Another resource that I just ran across recently is MentorCruise. I’ve never used this service before, and I don’t personally know anyone who has. I can’t really recommend it, but I can’t not recommend it either. Worth checking out.

A good mentor makes a big difference. I’ve always had a mentor.

Skills

Now you know what traits are important (sort of), you know what role you want (sort of), and you know what skills you need (sort of). You won’t be certain of any of these things until you get going, if ever.

You don’t have to be a technical genius to get a security job. You don’t even need to have strong technical skills. Some people disagree with me on this, but it’s usually because we’re not saying the same thing. Let me explain.

People who are new to our industry, and even some who are already in our industry, are easily confused by the words and terms that we use. Don’t let the confusion lead to intimidation and don’t become too easily discouraged. Take the terms “information security” and “cybersecurity” for instance.

Information Security and Cybersecurity

You will encounter times when the term information security and the word cybersecurity are used interchangeably. They are two different things, and this is important to know. Information security deals with administrative (people and process), physical and technical controls (or safeguards), whereas cybersecurity only deals with technical controls. Further proof of this is the definition of the word “cyber” by itself:

relating to electronic communication networks and virtual reality.

So, when I say you don’t need to be a technical genius, I’m talking about for the information security field. Cybersecurity jobs are ones where more technical acumen is required. It’s important for you to understand this. The misconception that you must be a “techie” or a “geek” to get into this industry is false and shuts the door on good people. There are many jobs in our industry that don’t require an in-depth, expert-level understanding of technology. Having said that, you will need to learn basic technical concepts.

The advice I received from my mentor when I first started out in technology (before information security was formally a thing) was to read anything and everything I could get my hands on about the subjects I was interested in. This is good advice.

My advice to you is to follow industry news, read books, take courses, and learn everything you can. Learn, learn, learn, but DON’T RUSH. Rushing yourself creates undue pressure and steals the enjoyment. Everyone has their own healthy pace. Find yours and commit to it.

Resources

Here are some resources that I use, or have used in the past. This is not an all-inclusive list, so don’t get bent out of shape if your favorite isn’t listed, OK?

Industry News Sources

Books

Courses (FREE)

Conclusion

The order you go in, and the specific path you take will be up to you. There is no one way. You’ll notice that I didn’t mention degree programs in this article. This doesn’t mean that I don’t believe in them. Most degree programs have job placement and job assistance services included; therefore, many of these students will get what they need to land a job. Although degree programs are good, you don’t have to have a cybersecurity or information security degree to get a job with us.

If you want to get a job in the information security industry, you can. I hope you have the right traits, and I hope you’ll help fix problems in our industry and won’t add to them. Many of us who work in this industry take our jobs very seriously and we welcome new recruits. Don’t take shortcuts and do the right thing (always), and you’ll do great. If you run into a jerk along the way, ignore them. They’ve got personal problems that you won’t be able to solve anyway.

Good Luck! Next is Landing Your First Job.

Writing UNSECURITY Journey – Cancun(1)

A series of posts dedicated to the journey of writing my first book, Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?

This is the fifth article in the series. The others:

See here for the full list of articles in this series, including those that are planned in the future.

Introduction

This article is longer than the others. There’s some drama in this one.

If you don’t recall, or if you’re just joining the conversation now, my plan called for a two-week writing trip to Cancun in January 2018. Life sucks, right?! The challenge was convincing my co-workers that I was going to Cancun to write a book, not to go on vacation. They said they believed me, but you could see the skepticism on their faces. I had to come back with a finished book, or at least solid progress on one if I was going to convince them. This was added pressure that I didn’t need, but I was up for proving them wrong.

The plan was for me to be in Cancun for one week by myself, doing nothing but writing. I would be joined by my wife and my 13-year-old daughter for the second week. On the second week, I would write all day and spend the evenings with my family. A good plan, I thought.

The Outline

I didn’t want to wait for the trip before I started doing something with the book. So, months before leaving, I started the outline. At the time, there was no title and all I had was the idea. The book was supposed to be about what’s broken in the information security industry. If you know this industry, you know that there’s no shortage of topics that I could have chosen to write about. The fact is, there are many things that are broken, depending upon your perspective and experience. I needed to figure out how to take all the things that I think are broken and organize them logically into chunks, which would later become chapters.

I open Microsoft Word and stare at the screen. Ten minutes pass. What’s wrong with me?! OK, break time.

While on my well-deserved break, I convinced myself that I needed to write something. Write anything! This is where it all started. I just wrote anything and everything that came to mind about the frustrations I have with the information security industry and what seems broken to me.

I think the experts call this brainstorming.

I drew upon the experiences of my past, and kept typing words, with no attention given to context or structure. The document started to fill with topics. Slowly, out of the topics emerged themes. Once thoughts started to flow, I was surprised by how easily the thoughts went from brain to document. After an hour, I even added some pictures that I downloaded from the Internet. The pictures with the smattering of unorganized words in a Word document started to become my outline. I did something. Yay me!

Here’s the first brainstorming document. Impressed?

Over the course of the next few months, and before leaving for Cancun, I made numerous changes to the outline. I didn’t do any heavy writing, just revisiting the outline once a week and tweaking it here and there.

Before I knew it, it was time to leave, and it was time to get serious about writing this book!

Can’t Believe I Forgot

This was a week that I won’t forget. Read on, and you’ll know why.

I arrived in Cancun on Saturday, January 6th. We rented someone’s condo lockoff at the Royal Sands. I’m a regular guy, so a four-star resort is not an everyday experience for me. The Royal Sands is an impressive place, and I had to check it all out. I already knew that I wasn’t going to get much writing done on this first day in Mexican paradise, and I needed to get comfortable with my new surroundings first. I spent the day getting oriented. The weather was perfect, the resort was very comfortable, and I didn’t know anybody. This was going to be the perfect place to get comfortable and write. I was feeling good!

Just one thing to do before I turned in for the day. I needed to complete some tasks for a large bank client of ours. Once I completed these simple tasks, I planned to get some rest. I would get up early the next morning and get busy. No problem. I break out my laptop and get to work. Thirty minutes in, I notice that my laptop could use a charge. Easy enough. I grab my computer bag and stick my hand in the pocket where I always keep my power cord, and…

I FORGOT MY POWER CORD!!!

Who does this? Turns out I do. I’m notorious for leaving power cords behind, and my wife even reminded me before I left. Ugh. At first, a little panic. The panic didn’t last long though. Cancun is a big town, and I’m sure I can find a power cord somewhere. In the morning, I’ll just check with the front desk.

Finished up my bank work, then sat outside in the warm ocean air before I turned in for the night. It was a good day.

The Hunt

It’s Sunday. I’m settled, and I’m excited to get focused on what I came here for, writing! Quick shower, short walk on the beach, and a visit with the kind people at the front desk was in order. I asked the concierge if he knew where I could find a laptop charging cable. He had no idea. OK, not a good start. I asked if the resort had any laptop power cables that were left behind by other guests. Nope. I try my first inquiry again. After some back and forth, he tells me that there’s an Office Depot in town. Cool, they’re sure to have a cord! I whipped out my iPhone and found it. It’s only 10 miles away.

Take the R2 bus for 12 pesos, 30 minute ride, and I’m there.

I’m starting to feel a sense of relief and excitement as I walk in the store confident that they’ll have what I’m looking for. I had trouble communicating with the store employees because I don’t speak Spanish and they didn’t speak English. This just meant that I roamed around the store for a while. Then voila! I’m in luck, a universal laptop charger with an assortment of attachments! I grab the goods for a closer inspection. The closer look revealed that this universal charger wasn’t all that “universal”. It didn’t contain my attachment, so it wouldn’t work. At the time I was using a Lenovo laptop with a rectangular male end. No dice.

What now? Well, I’m thinking that this can’t possibly be the only store in Cancun with computer accessories, and I was right. My trusty iPhone revealed that there’s an Office Max, a Walmart, a RadioShack (yes, Radio Shack), an Ofix, and a Sanborns. Plenty of options. I just need to walk. Lord knows, I can use the exercise. First stop Walmart, on the way I pass a scary looking jail or prison, no dice. Next, RadioShack, nope. Ofix wasn’t open. Sanborns had some computers, but no cords. Another RadioShack, and I’ve struck out. In all, I’ve walked 9 – 10 miles and I have nothing to show for it. My mind is racing because I have writing to do dammit!

I decide to do what I always do when I’m at my wit’s end. I called my wife. After discussing the situation, we figured we had two options. I could buy a new laptop or we could (maybe) ship my power cord from Minnesota to Cancun. We decide to check on the latter. Twenty minutes later, my wife calls to tell me that FedEx can get my cord to me by Tuesday morning for $83. OK, deal. Between this time and Tuesday, I figure I’ll write thoughts on paper and conduct as much research as I can on my iPhone. I needed a haircut, so I’ll knock that out too in my new spare time.

On the walk back to the resort, I called a friend, just to chat. I shared my dilemma with him, and he had a seemingly brilliant idea. Isn’t there a Dragon dictation app for iPhone? My heart jumps, is there?! I open my iPhone’s App Store, do a quick search, and YES, yes there is an app! There’s an app called Dragon Anywhere. Sweet, I’ll just dictate my book while I wait for my new cord to arrive. I install the app, pay the fee to open all the features, and I’m in business.

Or so it seemed.

I don’t know if you’ve tried dictating a book on an iPhone, but it’s painful. I couldn’t get it to work well. I don’t think it’s the app, I think it’s me. Training the app, and my training for using the app, were both pains in the butt. In addition to my troubles using the app, I couldn’t get over the awkward feeling of talking to my phone without a person on the other end. I was not digging this at all, but I’d just have to fight through it. Maybe it would get easier.

I finally got back to the resort late in the afternoon, and I was tired. No writing on Saturday. A great workout on Sunday, but very little writing done. This is not going according to plan.

Painfully Waiting

It’s Monday morning. I have some expectations, and I have some hope. I expect to get my power cord the next day. Today I’ll spend my time muscling through the best I can with paper and an iPhone. I spend the morning writing thoughts in my notebook, doing research on my iPhone, and talking to a stupid blinking cursor that hated me. My frustration was mounting, but I had hope. By noon, I’d already had enough. I needed a break.

I took the bus downtown to get a haircut. I found this place called La Cueva del Lobo (The Cave of the Wolf). It was listed online and it looked like a decent place. The reviews were good, so I went. My barber didn’t speak a lick of English, so I used my phone to translate what I wanted. Oh my…

THE BEST SHAVE AND A HAIRCUT EVER!!!

I’m not a high-end barber or spa guy, I’m a give me a quick haircut and get me out of here guy. All I wanted was a quick trim, and what I got was so much more. The visit to this small barber shop in Cancun was an incredible experience. My barber’s name was Jose Luis, and this guy takes his craft seriously! It’s hard to put this experience into words. I knew that I didn’t want it to end, but it did. Is this weird?

Despite the fact that my haircut was magical, I still wasn’t making much progress on the book. Writing was painfully slow without my laptop. I tracked my FedEx package all day, and my spirits were raised with each new update. The updates showed my cord getting closer and closer. I went to bed this night confident that I’d be running at full speed sometime the next day.

Tuesday arrives. It’s another beautiful day. I continued my slow progress while checking the FedEx tracking for my package every hour. This was an uneventful day. Then 3:30 in the afternoon came. This is when I got the ominous message from FedEx. The status on my package had been updated with a bright red bold “Clearance delay” message. According to the update from FedEx, my power cord is in Cancun, but it’s held up in the “clearance process”. I have no scheduled delivery date anymore, so I’m not sure what to think.

After getting over the disappointment, I convince myself that it can’t take long for a power cord to clear Mexican customs, can it? Hope returns. Tuesday passes, no cord.

Wednesday arrives. Same status. I’m now wishing that I would have bought a new laptop during my forced tour of Cancun on Sunday. I could go get one now, but the cord could clear customs at any moment, plus my wife arrives in two days. This is a pickle. Called FedEx, they’re completely useless in this situation.

Wednesday passes, no cord. I hate writing on an iPhone and a notebook. 4-1/2 days gone, 15 pages written, all on an iPhone, using my teeny keyboard and a dumb dictation app that keeps misspelling every other word.

Thursday arrives. Same status. My power cord is still held up in the clearance process! It’s hard to express my anger. Checked the package status all day, same stupid message. At this point, I hate FedEx, I hate Mexican customs people, I hate writing, I hate my neighbors, I hate the sun, I hate ocean waves, I hate everything. Believe it or not, I’m a positive guy. Eventually I get over it. My wife arrives in less than 24 hours. She’ll rescue me again, this time with a power cord.

Thursday ends. Friday arrives. I’m juiced! My wife will arrive today! She’ll bring her pretty self and she’ll bring me a power cord! She arrived in the afternoon, with a power cord in hand. All seemed right with my world again.

Week one was over. Progress: 25 pages on an iPhone. Package still stuck in customs. On to next week…

You Want to Get Into Security? – Part 1

This is a five-part series about getting and keeping a job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.

The series consists of the following articles:

Abundance of Opportunity – Introduction

First, a little background.

1992. That was the year I started my career in information security. We didn’t really call it information security back then, but it’s (mostly) what it was. There didn’t seem to be much specialization then. Most of us just did what had to be done to keep the business running. Certifications weren’t very popular yet, and there wasn’t a call for security-certified personnel. The first Microsoft Certified Systems Engineers (MCSEs) were named in 1993, and so were the first Certified Information Systems Security Professionals (CISSPs). The information security industry was just starting to become a mainstream thing.

Today the information security industry is still young and relatively immature. This is especially true when we compare it with other service-related industries. For instance, the American Institute of Certified Public Accountants (AICPA) traces its roots back to 1887, and the American Bar Association was founded in 1878.

The information security industry is also complex. With each passing day, the industry seems to grow in its complexity, which is sad because I’m a firm believer that complexity is the enemy of security. The complexity leads to confusion. In fact, confusion reigns. It reigns despite the fact that some among us are too proud to admit it. The confusion creates chaos, and out of the chaos comes opportunity. Opportunities for investors, security product peddlers, consulting companies, and many others.

One opportunity in particular, and the one that we’re most interested in here, is the abundance of well-paying jobs. Like, lots of jobs.

Information security professionals, people like me, are in very high demand. Jobs are everywhere (for certain disciplines), the money is good, and future employment prospects are sky-high. A very frequent question that I get is, “How can I get an information security job?”. I could just tell you what I think, but I would be remiss if I didn’t put things into context for you.

Before you start enrolling in classes, updating your resume, and applying for jobs, you should know more about what you could be getting yourself into. One central theme throughout this series is to slow down. Don’t rush things.

Abundance of Opportunity.

When some people hear the word “opportunity”, they rush head on. They’ll rush without even knowing what the opportunity is. If you’re considering a new career in information security, or a career change, you should know more about the opportunities. If I were you, I’d be asking a few questions first.

How much opportunity is there?

Do some research! Wait a second. Did you want me to do this for you?!

Fine. Here’s what I’ve found.

There’s a general consensus that the information security industry is very talent poor, meaning that we’re hurting for more information security professionals. There are thousands of information security positions open right now. In fact, Cyber Seek estimates that there are 315,735 open positions in the United States alone. Here are some additional details about our talent shortage:

Seems like there are plenty of job openings, so that shouldn’t be a problem. Basic supply and demand would indicate that the pay must be pretty good then. It is.

*NOTE: The CISO position is the top of the corporate ladder for information security professionals. Two things to think about. First, you may choose a path of specialization in our industry and never become a CISO. This is not necessarily a career-limiting decision. There are non-CISOs that I know personally who have a tremendous impact and make more salary than the range cited above. Second, it takes a while (or should) to become a CISO. If you’re newly employed in this industry, it may take you more than 10 years to earn such a role. Keyword is “earn”. Please don’t take a role that you haven’t earned. Doing so hurts your career, your employer, and the rest of us in this industry. Wishful thinking…

Here’s another thing that I’ve learned about jobs in our industry, job titles matter. Not only do titles matter, there are a ton of them to choose from. In 2015, Lenny Zeltser identified 822 variations of information security job titles. This is probably a function of the industry’s immaturity and complexity. The job title you target or obtain will likely matter though. According to Nate Swanner at Dice.com, “If you want a decent cyber security salary, presenting yourself as an ‘engineer’ is your best bet: It’s a title that tends to pay on the higher end of the tech pro salary spectrum.”

If salary is your thing, there’s another factor to consider. Location. Some metro areas have a higher demand for security talent and some metro areas have a higher cost of living. Two important factors to consider. The metro areas with the highest paying information security jobs are Charlotte, North Carolina; Chicago, Illinois; and San Francisco, California.

The graphic below is taken from the Cyber Seek website, and it shows the talent demand on a state-by-state basis.

To summarize, there are opportunities just about everywhere. More experience will mean more pay. Physical location and job titles should be taken into consideration too because certain locations and certain titles might mean more opportunity and/or salary.

If you have no experience, you might not have much choice in job title, location or pay. You will probably have to take what you can get. The information that I’ve presented to you thus far should be considered as you decide what path you’ll take in your information security career journey. It’s exciting to be someone who’s just starting out because you’ll have so many options along the way!

What’s the starting salary, and can I afford it?

This will depend on some additional factors such as how much (if any) experience you have, your education level, the type of organization that you choose to work for, and the industry your potential employer operates within. In general, the entry-level salary range is $38,000 – $68,000 for someone with no experience and without a degree. That’s a wide range because there is a wide range of different opportunities available.

The entry-level salary range for someone who has a few security skills (but not many) and a bachelor’s degree is $49,214 – $92,285, with a median of $65,338. Again, this is a wide range for the same reason that I cited previously. If you have more experience and/or education, you might expect more salary.

Now that you know more about the abundance of opportunity, we’ll get honest with ourselves and see if you’re the right person for the job. We’ll tackle this in the next article. Coming soon!

UNSECURITY Podcast Episode 14

Each Friday, I’m going to do my best to post the notes for the UNSECURITY Podcast episode that Brad Nigh and Evan Francen (me) will record on the following Monday morning. Each week, Brad and I alternate leading episodes, so I lead the odd episodes and Brad leads the even ones.

If you missed episode 13, which featured MN State Rep. Jim Nash, you can still give it a listen.

These are the notes we use to guide our discussion for episode 14.

Opening

OK, here we go. Today is Monday, February 11th, 2019, and this is episode 14 of the UNSECURITY Podcast. My name is Brad Nigh and joining me as always is Evan Francen. Good morning Evan, how are you today?

Also joining the show today is a special guest, he goes by the name M1ndFl4y or “Ben”, depending upon how well you know him. For the sake of today’s show, we’ll call him Ben. Good morning Ben and welcome.

Everyone knows me and Evan, but Ben, people may or may not know who you are. What would you say you do here? Ben discusses what he does. (NOTE: Don’t let him off easy. He’s a social engineer, pen tester, researcher, mentor and creator of cool things.)

My day today. Evan’s got next week.

Week Recap

Let’s replay some of the things we did this week. Although we all work together at the same place, we don’t often get a chance to hear what each other is doing. Ben, start us off.

Ben

(NOTE: Don’t let him off easy again. Make sure he mentions his https://haveibeenpwned.com/ bash script, and the fact that it’s posted on Troy Hunt’s site and he should also share some goodies from his most recent pen test).

Brad

Well, this is what I did this week. Brad’s leading the show and has the liberty to take this wherever he wants.

Evan

Excellent meetings and collaboration this week. Met with a CISO from a large company this week (We’ll leave out the name because nothing’s been cleared with him). The company is a top 50 company in terms of size. Great meeting (Discuss). Maybe give some other highlights, if there’s time.

Awesome. We have a lot to cover in this week’s episode, so let’s get going. But, before we get started, we want to make sure everyone knows how to get in touch with us. Send us your suggestions, questions, or cool things you might want us to know. Use unsecurity@protonmail.com.

Social Engineering

The main theme for today’s episode is social engineering. You know anything about social engineering Ben?

Ben, Evan, and I will share between 3 – 5 real stories from our own personal experiences. The exact number will depend on time.

Three questions:

  1. How does someone go about becoming a social engineer?
  2. Can you suggest any good educational resources (classes, books, podcasts, etc.)?
  3. If you could give one piece of advice to our listeners on how to protect themselves, what would it be? (We’re not really gonna hold you to one!)

Alright, good stuff. You can follow M1ndFl4y on Twitter, although he doesn’t post much, at @M1ndFl4y. Be careful though! He probably only uses Twitter as some sort of OSINT source for his next project.

By now, you should know where to find me and Evan. Find me on Twitter at @BradNigh. You can find Evan using his website https://evanfrancen.com or on Twitter at @evanfrancen.

OK, let’s get to some news…

Topics for Discussion

Any other topic before we get into some of the news?

Recent News

Oh yeah, Apple released a security update on Thursday. The biggest fix was for the FaceTime bug that blew things up last week. The update is iOS version 12.1.4, go apply it!

Closing

Well, that just about wraps it up for this week’s show, episode 14. Thank you, Ben, for coming on. Always fun catching up with you.

Next week, I think we might be starting a series about incident response. We’ll see what Evan decides to do. As always, be sure to send your questions and suggestions to us at unsecurity@protonmail.com.

See you next week!