UNSECURITY Podcast Episode 21 Show Notes

I’m a little less late with the show notes this week.

This week, Brad and I are back together. Brad’s back from his vacation, I’ve been back from mine, and now we’re in Rochester working on some projects. It’s always good to have Brad back, and I’m looking forward to a good week.

Last week’s episode was great! The listeners got to meet Shawn Pollard, a Security Analyst from FRSecure, and a good friend. Shawn and I were on a road trip, working with a client in Aberdeen, South Dakota. Episode 20 was about staying healthy in this industry, and the conversation was genuine. We all know someone who is struggling with mental and/or physical health issues. Some of us have even lost someone close to us. We confront these issues in episode 20, and like I said, it was great!

If you missed episode 20, go give it a listen!

Episode 21

Date: Monday, April 1st, 2019

These are the notes we use to guide the discussion. These notes were written by me (Evan). Last week’s notes were mine too, but I think we’re back to normal schedule-wise after this week.

Brad’s back!

Today’s Topic(s): Dealing with bully customers, and third-party security risk management

The basis for the content of today’s show will be provided by some real-life bullying examples and the recent experience from last week’s Hacks & Hops event.

Opening

[Evan] Good morning everyone, today is April 1st and this is episode 21 of the UNSECURITY Podcast. I’m your host, Evan Francen, and joining me today is my guy, Mr. Brad Nigh.

Brad, welcome back!

[Brad] Says something…

[Evan] I just realized that it’s April Fool’s Day. You planning anything today Brad?

[Brad] Says something…

[Evan] How was your vacation? Wait! I know you had some drama, care to share a little?

[Brad] Says something…

Some additional catch-up/chit-chat…

Bullying Customers

[Evan] One topic that I wanted to discuss in today’s podcast is mean customers, or bully customers. Doesn’t have to be restricted to customers either really, a bully is a bully I suppose. The reason why this was top-of-mind for me was because %STORY%. Couple of questions, do you know the story I’m talking about and have you ever been bullied by a customer?

[Brad] Says something…

Open Discussion, Dealing with bullying customers and bullies in general

[Evan] Alright, good insight. Switching gears now.

Third-party security risk management

[Evan] This is actually a topic that’s near and dear to my heart, and I think it’s one that you happen to like too, Brad; third-party security risk management.

[Brad] Says something…

[Evan] Last week, FRSecure held their latest Hacks & Hops event titled DEFEND! Step Up Your Data Security Defenses Against Third-Party Risks. What did you think about the event Brad?

[Brad] Says something…

[Evan] I’m really diggin’ the whole Hacks & Hops Event Series, and I’m pumped for the next one. You know what the next one is?

Open Discussion

[Evan] So, you and I have built at least our share (probably more) of third-party security risk management programs over the years. Let’s discuss the good, the bad, and the ugly.

Open Discussion, Nuts and Bolts of Third-Party Security Risk Management

News

[Evan] You have time to catch-up on the news this week?

[Brad] Says something…

[Evan] Yeah, it was a crazy week. Things should settle down travel-wise after this week, and we’ve got the CISSP Mentor Program kicking off one week from today!

[Brad] Says something…

[Evan] It’s not too late to sign up for the online/remote access, but the in-person registrations were sold out months ago.

[Evan] Here’s some recent news that caught my eye this week.

There’s a ton more news to talk about, but we’re out of time. There’s no shortage of breaches, bugs, and attack news. Stay alert and be careful! If you’re not keeping up with the news, or you feel a bit overwhelmed, you’re not alone. What are some of your favorite ways to stay up-to-date, but not get slammed?

Closing

[Evan] Any parting words of wisdom Brad? Great to have you back!

[Brad] Wisdomy things.

OK, well that just about wraps things up here from sunny Rochester, New York.

Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh.

Email us on the show at unsecurity@protonmail.com.

Thank you and see you next week!

Status Update – March 24, 2019

Just got to the hotel in Aberdeen. Getting into the groove, and I felt compelled to share an update with you all. Compelled mainly because I haven’t been able to write here nearly as much as I had intended. It’s not unusual for me to bite off a little (or a lot) more than I can chew.

No matter. It is what it is. If I could learn to say no more often, I’d probably be healthier.

Current (or Recent) Things

Here are some of the things going on in this guy’s work life:

  • Running FRSecure, sort of. I’m the CEO here, but I’m not the person who gets things done. I say “sort of” because I’ve been blessed with an INCREDIBLE leadership team who truly runs the best company in our industry. I love what they’re doing and they’re breaking records every month.
  • Running SecurityStudio, sort of. I’m the CEO here too. Like FRSecure, I’m not the person who gets things done. I’m a little more involved with SecurityStudio because it’s such a young company. Awesome, awesome, awesome leaders here and it’s so much fun to watch this company grow. VENDEFENSE is attracting new customers every week, and there is some really exciting news coming soon!
  • The UNSECURITY: Information Security for Normal People book is behind schedule right now, so I need to focus more attention on completing the draft/manuscript. This will take up most of my time for the next few weeks or so. I’m really excited about this book, mostly because of the audience it’s intended for and the plain-Englishness of it all. I’m hoping it will resonate with “normal” people and help them live better, more secure lives.
  • The So You Want to Get into Security? series of articles is complete, and I’ve compiled the articles into a simple free eBook. I’d never published an eBook to iTunes before, and it was a fun exercise to learn. I’ll plan on making more, and better quality eBooks available in the future. Check out this one, if you don’t mind, and let me know what you think.
  • The UNSECURITY Podcast is going well, but it’s a struggle to do a weekly one hour show sometimes. Feeling like we’re dragging @55 a little bit, but we’ll get back into the groove. My show notes have been a couple days late the last two weeks (vacation and work travel), but that should get back on track soon. We’ve done 19 consecutive weekly shows so far and we’ve learned a lot, but we’ve still got a ways to go before it really feels dialed in. Please be patient with us (me and Brad Nigh). We’re committed to creating a really good show and we’ll keep at it.
  • I’ve written a few more articles lately for other publications. Some are better than others:
  • I’m coming up on my one-year anniversary as the vCISO for a large, global company. I’m actually the vCISO for only one region, the Americas region that includes Canada, United States, and Mexico. It’s a 40-50 hour/month commitment, but it would be a lot more if there weren’t some awesome people there running the day-to-day operations. Great experience with really good people all around.
  • Was at the RSA Conference a couple weeks ago. I had no agenda but to see a friend of mine give his talk and to have lunch with him. Flew in late Thursday night, did what I was there to do, then left Friday afternoon. My friend is Roger Grimes, and he delivered a really good, and very well-attended talk titled 12 Ways to Hack 2FA. Afterwards, we visited (not nearly long enough) for lunch. Roger has an amazing security mind and he’s got impeccable character. We think A LOT alike.
  • The first gathering/meeting of the Cloud Security Alliance Minnesota Chapter (CSA MN) Executive Advisory Board met on March 14th, but I was on vacation. Sucked to miss the first meeting, but vacation was scheduled many months ago. I’m excited to help CSA MN make a real impact. Lots of great people involved!
  • Trying to stay up with Twitter and LinkedIn feeds. I’m thinking that I sort of suck at social mediaing.

I think that covers most of it.

What’s Coming – Future Things

  • Travelling to Aberdeen, South Dakota this week to work with a new client and figure out how we can secure the Ag industry better. We have a lot of work to do in the ag industry!
  • The UNSECURITY Podcast episode 20, live from Aberdeen with Shawn Pollard.
  • Sometime this week, I’m going to start a new hashtag #100DaysOfSecurityTruth. Each day, for 100 days, I will tweet a new truth. Hoping for some interaction, ideas, suggestions, etc.
  • New article for Cyber Security Intelligence about Identity Management. Tim Heath is the CEO over there, and he’s a good dude.
  • New article for here (or somewhere) about the bad things about RSA.
  • Planning the next Security Summit for my vCISO client. These are always fun. People from all over the region come to meet, learn, teach, and have fun together. The last Security Summit was one full day of incident management training and a second day about identity and access management.
  • The next Hacks and Hops event is this week. We didn’t pick the most enthralling topic (third-party security risk management), but it is a critical one. There will be good opportunities to network and learn what works (and what doesn’t). Come if you can.
  • Speaking of third-party security risk management, there’s another eBook being planned. The book will be a soup to nuts/zero to hero book; practical advice from starting from scratch —> the best friggin’ program ever, and everything in between. Thinking a few months or so, but it’s on the docket.
  • Lots of writing for the next book. I’m already behind a bit, so it’s time to get real on this thing! This is actually the number one priority right now.
  • More collaboration with security people I admire. I’d like to collaborate more with Chris Roberts and Roger. I already said a few great things about Roger, but Chris is pretty damn awesome too. More allies = more progress.

I’m sure something else will pop up, but that’s all I can think of right now. If you ask me to do something else, don’t be offended if I graciously decline (for now).

NOTE:  The Writing UNSECURITY series of articles – I still intend to finish writing this series, but for now it’s on hold. There are too many other pressing things (the Information Security for Normal People book, other articles, business commitments, speaking engagements, podcasting, and oh yeah… family!) that need focus too. Comes down to priorities, as it should, and this series must take a back seat for now.

Take care!

-Evan

 

UNSECURITY Podcast Episode 20 Show Notes

Late again.

Hopefully, I’ll be back on track with getting these show notes posted on Friday like they’re supposed to be.

Two weeks ago, I was out. Last week, I was back, but I was stuck in New Orleans. This week, Brad is out and I’m in Aberdeen, South Dakota. Confusing. Such is the life of… well, us I guess.

If you missed episode 19, you can still give it a listen. I think we still have some work to do on our audio quality and more structure to our content. In time. Please enjoy while you maintain your patience with us.

Episode 20

These are the notes we use to guide the discussion. These notes were written by me (Evan). This episode would normally be led by Brad, but he wanted a vacation or something. I was like, whatever man.

Description – Today’s Topic: Staying Healthy

The basis for the content of today’s show will be provided by the article with the same name that was written and published on March 7th. The article also became Chapter 5 in the So You Want to Get into Security? eBook. The eBook is free on iTunes.

Show Recording: Monday, March 25th, 2019 @ 6:45am

Opening

[Evan] Good morning folks, this is episode 20 of the UNSECURITY Podcast. The date is March 25th, 2019 and not joining me today is my friend Brad Nigh. Brad wanted a vacation. Can you believe it?! Whatever.

I’m not going solo however. Joining me this morning is Shawn Pollard. Good morning Shawn!

[Shawn] Says something…

[Evan] Backing up a second. On the topic of vacation. I guess I took one a couple of weeks ago, so I should cut Brad some slack. Shawn, for people who don’t know, is an Analyst at FRSecure. Shawn, is that your title?

[Shawn] Says something…

[Evan] How long have you been with FRSecure now?

[Shawn] Says something…

[Evan] Do you take vacations? When was the last vacation you took?

[Shawn] Says something…

[Evan] What are your thoughts on vacations? Are they important for us?

[Shawn] Says something…

[Evan] I think they’re critical to healthy living, especially as a security professional. I should have added this to a recent article I wrote titled Staying Healthy. Have you seen and read this article Shawn?

[Shawn] Says something…

[Evan] What did you think?

[Shawn] Says something…

Open Discussion

Open discussion about the importance of getting and staying healthy, based on the article. I have a lot to learn here, and I’m very interested in Shawn’s take on these things.

News

[Evan] I have to admit, I’ve been swamped this week and I haven’t been up-to-date on the news as much as I normally am. Shawn, do you keep up with the news and if so, how do you do it?

[Shawn] Says something…

[Evan] Here’s some recent news that did catch my eye this week.

There’s a ton more news to talk about, but we’re out of time. There’s no shortage of breaches, bugs, and attack news. Stay alert and be careful! If you’re not keeping up with the news, or you feel a bit overwhelmed, you’re not alone. What are some of your favorite ways to stay up-to-date, but not get slammed?

Closing

[Evan] Any parting words of wisdom Shawn?

[Shawn] Wisdomy things.

[Evan] We have work to do soon, don’t we? What did you think of your first podcast experience?

[Shawn] Says something…

Thank you very much for stepping in Shawn. It’s always a great experience to chat with you! Next week, Brad’s back. Neither one of us will be at the home office though. Both of us are working on a project in Rochester, New York, so that’s where we’ll be coming to you from next week.

Don’t forget, you can follow Brad or me on Twitter; @evanfrancen and @BradNigh. Shawn, you use Twitter at all?

Email us on the show at unsecurity@protonmail.com.

Thanks again and see you next week!

UNSECURITY Podcast Episode 19 Show Notes

Well, I planned to post this on Friday. Good intentions will get you…

I have good reason, at least I think I do, for the delay. I was on vacation last week, and I promised my lovely wife that I wouldn’t work. It’s always a good idea to keep your word with the ones you love! You might remember episode 16 (notes and show). If we want a smooth episode like that again, we’d better behave.

On normal weeks, I do my best to post the notes for the upcoming UNSECURITY Podcast episode on Fridays. Brad Nigh and I record each podcast early on Monday morning, before the week has a chance to get out of control. Brad and I alternate leading episodes, he leads the even ones, and I lead the odd ones. There’s probably some hidden meaning in that.

Brad led last week, and I wasn’t around for episode 18. I don’t get any credit for what you liked about it. If you missed episode 18, you can still give it a listen.

Episode 19

These are the notes we use to guide the discussion. These notes were written by me (Evan).

Description

Show Recording: Monday, March 18th, 2019 @ 6:45am

Brad went solo (sort of) last week, as Evan was not allowed to join the podcast because of his vacation. Key words are “not” and “allowed”. Evan’s back from vacation (sort of), and we’ll pick up from there.

Opening

[Evan] Top of the mornin’ to ya Brad! I’m not Irish, but yesterday was St. Patrick’s Day. I can do that right?

This is the UNSECURITY Podcast episode 19, and I’m your host this morning, Evan Francen. Joining me as usual is my favorite security pal, Brad Nigh. Say “hi” Brad. Today is Monday, March 18th and I’m stuck in New Orleans. More about that later.

Man, we’ve got so much to catch up on Brad! You and I haven’t even talked really for what seems like forever. Where do we start? What’s new?

[Brad] Says all sorts of cool stuff probably.

[Evan] As you know, I was on a boat. A big boat. Internet service sucked, and I didn’t do any work. I had one call on Friday with some lawyers and read a few emails, but none of that counted really. Last work thing was leaving RSA like 10(ish) days ago. More about that later too. What about you Brad, tell me about your week.

[Brad] More cool stuff probably.

[Evan] How did last week’s podcast go? I know you and “Host X” were going to talk about some IR stuff, right? Where’d you go with that and where’d you leave off?

[Brad] More cool stuff probably, but it’ll get cooler even.

[Evan] Nice. Let’s come back to the IR talk later. As you know, I have a love/hate relationship with all things IR. Since it’s been a while, I want to share some RSA stuff with the audience quick.

RSA Thoughts

For those who don’t know, the RSA Conference is an annual information security conference held each year in San Francisco. It’s arguably the largest, most well-attended conference in our industry.

General discussion about RSA and why I went there in the first place.

  • Been to RSA before?
  • What’s to like/dislike about RSA? There are two things that I hate in our industry, and both can be found at RSA.
  • Why I went:
    • See my friend Roger Grimes give his talk, “12 Ways to Hack MFA”.
    • Met up (briefly) with our team.
    • Have lunch with Roger and his wife.

From RSA, I flew to New Orleans to meet up with my wife and start our vacation.

Vacationy Things

  • Quick recap on the importance of vacations and taking a break.
  • I wrote an article before I left about the importance of health for the information security professional.
  • What I did on my vacation, and what Brad’s gonna be doing on his soon.

Incident Response (cont)

So, where did we leave off last week? I honestly don’t know as I write these notes because I haven’t listened to episode 18 yet. That’s OK though, you can listen to us wing it.

News

We read things in the news all the time. It’s so easy to tune things out because there seems to be so much noise nowadays. Have you ever tried personalizing the news you read? How often do we ask ourselves the question; What does this mean for me and the ones I love? Questions like this make news more meaningful.

There’s a ton more news to talk about, but we’re out of time. There’s no shortage of breaches, bugs, and attack news. Stay alert and be careful! If you’re not keeping up with the news, or you feel a bit overwhelmed, you’re not alone. What are some of your favorite ways to stay up-to-date, but not get slammed?

Closing

[Evan] Any parting words of wisdom Mr. Nigh?

[Brad] Wisdomy things.

[Evan] What’d you think? Good episode?

It’s good to be back. Thank you! That’s a wrap for episode 19. Follow me on Twitter @evanfrancen. Follow Brad on Twitter @BradNigh. Email us on the show at unsecurity@protonmail.com.

Oh yeah, one more thing. We have our upcoming Hacks & Hops event. We’ve got some good experts coming to share how they tackle third-party information security risk. Maybe not the most exciting topic ever, but a SUPER critical one that must be addressed better than it is.

Thanks again and see you next week!

UNSECURITY Podcast Episode 18 Show Notes

Each Friday, I’m going to do my best to post the notes for the UNSECURITY Podcast episode that Brad Nigh and Evan Francen (me) will record on the following Monday morning. Each week, Brad and I alternate leading episodes, so I lead the odd episodes and Brad leads the even ones.

If you missed episode 17, you can still give it a listen.

Episode 18

These are the notes we use to guide the discussion. These notes were written by Brad.

Description

Show Recording: Monday, March 11th, 2019 @ 6:45am

Good morning, this is your host for the day Brad. Today’s show is going to be different.  We kicked Evan out for a week and refused to give him a call in number so he could actually enjoy his vacation.  So joining me today is a special guest host, say hello Host X (I’m not telling you, you have to tune in to see who we got!)

We’ve been talking a lot about all the incident responses we’ve been seeing and so we wanted to start talking a little bit more about preparing for when it happens to you.  This will be the first in a series around a successful Incident Response program.  Buckle up, it will be riveting.

Opening

[Brad] Alright, here we are again. This is the UNSECURITY Podcast, and this is episode 18. My name is Brad Nigh, and I’ll be your host for today’s show. Joining me is NOT Evan Francen, instead we have Host X. Host X, what’s up?

[Host X] Will introduce themselves and talk a little about their experience around Incident Response and Information Security

[Brad] Well thank you for helping out and saving the listeners from an hour of me talking to myself.

Discuss Last Week’s Show (Teaser Questions)

  • Have you been listening to the podcast? (It’s always a great idea to put the person who is stepping in to help out on the spot right away)
  • Explain to the listeners a bit about you and your role(s) at FRSecure, and previously. Do you have any experience in security incident response?

Week Recap

[Brad] Host X we like to start off with a recap of our week.  Would you like to share anything about the last week that stood out to you?

[Host X] Probably says things that are deep and introspective, basically the opposite of Evan and my weekly shenanigans.

Discuss the important things about last week, including:

  • More IRs. Why do you think we’re seeing such an increase? What are some of the commonalities between these incidents? Nope not a repeat.. More IRs
  • Not a last week thing but an upcoming event.  FRSecure has their next Hacks & Hops event coming up
    • Thursday, March 28th, 2-5 p.m. at Day Block Event Center in Minneapolis
    • You can go to hacksandhops.com to register/buy tickets
    • Tickets include appetizers, beer, networking, and the keynote/panel discussion
    • Evan will be there with books, and attendees can purchase signed copies
    • Listen to the podcast for a special promo code that will get you 50% off

One more piece of housekeeping before we really get going. We want to remind everyone how to contact the show, and each of us. Send your suggestions, comments, or whatever else to unsecurity@protonmail.com. If you’d like to be a guest on our show, you can email us there too. The best, least intrusive way to keep up and/or contact either Evan or me is probably through Twitter. Evan is @EvanFrancen and I am @BradNigh.

Easy, right?! Let’s move on.

Let’s talk about, at a high level, the phases of an IR plan, get Host X’s perspective on how these go, and if we have any time left we have some news stories as well.  I think this will be a good conversation because Host X is a normal person, meaning not an information security professional, so we will be getting a more business perspective around this which is important.

[Brad] Okay Host X from a business perspective what do you think of when you hear IR plan?

[Host X] Business, business, business. Numbers. Is this working? Yaaaaaaay! (Okay it will probably be really good stuff and interesting to hear from the business perspective)

[Brad]  Have you been through an IR before?  Did your company have a good IR plan in place or was it more ad-hoc?

[Host X] Shares what happened and their take on the process. 

[This will undoubtedly lead to more Q&A that will be spontaneous, or will be painfully awkward with lots of silence… Tune in to find out!]

[Brad] Okay so now let’s talk about what we do when we put together an IR plan and the phases we go through.  Obviously there is a lot more detail and work that will go into each of these but let’s start building the foundation of being prepared. Today we are just going to talk through these at a very high level with more detailed discussions into the phases and how to attack them in the weeks to come.

  • Phase I – Preparation
  • Phase II – Identification and Assessment
  • Phase III – Containment
  • Phase IV – Investigation
  • Phase V – Eradication & Recovery
  • Phase VI – Follow-Up

[Hopefully Host X is still awake, it is early and they are not an infosec professional.]

Okay some news

News

Closing

[Brad] This was fun, thank you Host X for filling in for Evan and providing your insights on Incident Response

[Host X] Hopefully something positive and about how much fun was had.  

Well, that’s episode 18 of the Unsecurity Podcast. Evan will be back next week with stories about his trip to RSA and I’m sure more IR stories. Don’t forget to register for Hacks and Hops using the super-secret promo code.

Another quick reminder to send your questions and suggestions to us at unsecurity@protonmail.com

Thank you and see you next week!

You Want to Get Into Security? – Part 5

This is a five-part series about getting a job, keeping a job, and staying healthy as you progress in your career as an information security professional. There is no one way to do things, rather there are many. I won’t cover all advice, or THE advice, I will offer my advice. Some of the information covered in this series is also found in my book; Unsecurity, chapter 10.

The series consists of the following articles:

This is the fifth and final installment in the series; Staying Healthy. After this I’ll wrap the entire series together, do some editing, and make this a short ebook for anyone who’s interested.

Staying Healthy – Introduction

Caveat: This is where I’m a hypocrite. I will give advice that I don’t follow myself. The (sad) fact is I’ve established habits (some good and some bad) over the years that have become very ingrained into the way I do things. Throughout this article I will share more about my experiences because it’s what I know best. From these experiences, I will offer advice that you can take or leave. If you can follow the advice in this article, you’ll be healthier.

So many of us are passionate about what we do. We love information security, we love helping people, and we can easily take things too seriously if we’re not careful.

I’ll speak for myself here for a second. I love my job, I love the people I work with every day, and I love the people I get to serve. All this love makes my job not a job. Sounds great, doesn’t it? Sure. It would be, if I didn’t need sleep, or friends, or family, or exercise, or everything else that makes for a healthy lifestyle. If I were left to my own devices, you would find me dead behind a keyboard, doing what I’m always doing… work.

Thank God I’m not left to my own devices. I’ve got loving support and accountability, both of which are important to health and longevity. These things have served me well so far as I’ve survived more than 25 years in this industry. It’s not that I’m completely unhealthy, I’m just not as healthy as I should be.

Obviously, I don’t know everyone in our industry, but I can’t help thinking that I’m not all that unique. I think many of us work more hours than we should. I think many of us don’t exercise enough. I think many of us don’t eat as well as we should. I think most of us could use a little more sleep. Fine, but is this a problem?

The Problem

Our jobs come with stress. I don’t think we know if it’s more or less stress than other jobs, but I’m not all that concerned about other jobs. I’m concerned about information security jobs. Here’s some recent news and studies about our stress and health:

CISOs appear to be stressed.

CISO Burnout is Real, Survey Finds – Based on interviews with 408 CISOs around the world. 1 in 4 CISOs suffer from physical or mental health issues due to stress. A little less than 1 in 5 turn to alcohol or medication. More than half have trouble turning off work, meaning they’re not able to completely disconnect from work to focus on other things, healthy things.

It’s not just CISOs either. I think all security professionals struggle with stress.

The stress isn’t even isolated to information security professionals. Even the non-professionals are feeling it.

OK, so it looks like there’s plenty of stress to go around, and I don’t think it’s going to get better anytime soon. Two things would be sad to see, two things that I’m hoping you and I will avoid:

  1. Burning out, or leaving our industry because of its unhealthy effects.
  2. Sticking it out, not living a life of joy, then retiring in mental or physical pain.

If there’s anything I can do to help you to avoid these things, I’m committed to that!

Support

Sometimes, working as an information security professional is a lonely job. We get so focused on the tasks and challenges we face some days. The tasks and challenges can start to become a part of who we are.

I don’t know about you, but sometimes it’s difficult to pull myself out of the work that I’m doing and get back into other parts of my life. When I get home some days (or nights) and I need to unwind, I don’t know where to share my thoughts or feelings for/from the day. If I do share, I feel like the person I’m sharing with doesn’t understand what it’s really like.

I wonder if other information security professionals feel the same way.

Family

The best support structure we have in our lives is our family. I’m convinced of this. Invest your time, energy, and soul into your family relationships, starting with your spouse/partner, and then your children, if you have them. No matter what you may think, family must come first. In return, you will likely get support beyond anything you deserve.

Note to those who don’t have a family or those with unhealthy family relationships. I have an extra amount of respect for you because I think your road is a little (or a lot) more difficult, and I admire your strength.

I’m not a family or marriage counselor. I only write from my own experiences on this matter. Without the support of my wife and my family, I wouldn’t be close to where I am today. My wife is my greatest cheerleader, and she makes the stresses of my job melt away (on most days).

I can’t overemphasize the importance of family support.

Mentor

Here’s mention of a mentor again. I’ve mentioned mentorship in at least three of the articles in this series. Mentors are helpful in so many ways, and getting one is well worth your investment of time and energy. I suggest you find one.

Associations and Trade Groups

Advice from someone who has been there before comes with credibility like no other advice can. There’s something that feels good about being with your own kind too. People in good information security associations (or chapters of associations) are a valuable asset and support structure for you as you rise through the ranks. Initially, you may consume more than you give, but in time the tides will shift and it will be your time to give.

Here’s a list of information security associations from Cybersecurity Ventures. Try a couple groups out; if you don’t feel like you’re getting the support you need, try a different one.

Co-workers and Friends

My experiences have varied with confiding in co-workers and friends, and in seeking advice from them about my career. Mileage varies, and the advice falls somewhere between healthy and destructive. Sharing things with co-workers can sometimes lead to gossip and political crap that makes things worse (at least for someone). Friends sometimes just want to have fun, and will have trouble relating to my work life. Use discernment here.

No matter how tough or how cool you think you are, you need support. Everyone does. The earlier you set up your support structure, the better.

Accountability

Supporting us doesn’t mean cheering us on and making us feel better all the time. The right type of support comes from someone who loves us. It comes from someone who wants what’s best for us. If someone really supports you, or loves you, they’ll always tell you the truth. Sometimes the truth doesn’t feel good, and neither does accountability.

Find support that will tell you the truth and hold you accountable. For me, this starts with my wife. I also have amazing management teams at FRSecure and SecurityStudio who won’t let me stray too far off the path.

Balance

Personally, this is my hardest fight. I am not a person who understands balance very well, if at all. You see, I have an addictive personality. People with addictive personalities struggle with finding balance more than other people do. This was part of what I was alluding to when I mentioned earlier that I would work myself into the grave if I was left to my own devices. I am a work addict, and that’s not good. I have my other addictions too, which just complicates matters. This is another reason why a health support structure (or system) is critical.

Why is balance so important, if it’s not obvious?

There are (at least) two truths here:

  1. Everything in our lives requires some semblance of balance, otherwise everything falls apart.
  2. Everyone has a different balance, so be careful thinking what works for someone else will work for you.

Balance in your life between family, friends, work, play, etc. is healthy. The sooner you find your balance, the better off you will be. Make adjustments here and there, change your schedule until you get it right. Use your support structure to help you along the way.

The fact that your balance isn’t the same as someone else’s balance should come as no surprise to you. Some people are in balance working 40 hours a week, some are in balance working 60. Some people are in balance when they spend entire weekends with their family, while others work some on weekends. Be careful judging others, and be careful not to think that their balance should be yours. Your balance is your balance.

Find balance and stick to it. Don’t let someone else, even your job, disrupt your balance.

Health

Healthy habits do wonders for how you feel and perform. Your mood, your relationships, and your work all benefit greatly. Maintaining your health is important for life, let alone to your job performance and career longevity. For me this is also hard, it’s hard to find time for church, exercise, and rest. Between work, family, friends, and everything else in life, I don’t have any hours left in my week.

There are people who can live a balanced life, accomplish much, and still create the necessary margin to focus on their health. These people are to be admired and emulated to some extent, just not copied. You and I should create margin and make healthy living part of our lives too.

Spiritual

I rely on my faith every day. The name Jesus offends some people, and I’m certainly not out to offend anyone. I’m here to tell you the truth though. Jesus is the CEO of our business, and He has been since the beginning. Without faith, I think I’d be lost. There’s a long story here, but for now, just know that my faith is critical to my sanity and any of the success I enjoy (it’s a gift). When the day has gone to crap and I don’t know where to turn, I can turn to Jesus.

Now you know my faith, but there are many faiths in this world. People who have faith in something or someone larger than themselves, have something special. Genuine faith has a tendency to bring strength beyond your own, peace beyond your understanding, and courage to face battles you never thought possible. Faith also brings you into a family of other believers of the same faith, whatever faith it is you believe in. So, an added benefit to faith often includes a new support group.

Don’t neglect your spiritual health. If you have, make margin and find it (maybe again).

Physical

There are two parts to physical health, diet and exercise. Diet trumps exercise. If you don’t eat well, exercise won’t really matter as much. Slow down, eat healthy. If you need help eating healthy, get help.

Many, or most of us work in an office environment where we sit at a desk all day. This, without the countering effects of physical exercise, comes with some very negative consequences. According to the Mayo Clinic, the consequences “include obesity and a cluster of conditions — increased blood pressure, high blood sugar, excess body fat around the waist and abnormal cholesterol levels — that make up metabolic syndrome. Too much sitting overall and prolonged periods of sitting also seem to increase the risk of death from cardiovascular disease and cancer.”

Sounds pretty serious. There’s good news though. One study of more than one million people found that an hour to an hour and a half of moderately intense physical activity per day can counter the effects of too much sitting. That’s great, but this is another 60+ minutes that we have to find. More balance, and more margin.

If you have the option of working at a standing desk, this will help with the sitting problem. The point is that you and I need exercise to live a healthy life.

Mental

Mental health often comes with a stigma, and that’s very sad. This one hit close to home for me last year, when we lost someone dear to us. His suicide cast a dark cloud on all of us, and we still struggle with it sometimes. He was a good guy with so many good traits and gobs of untapped potential. On the outside, nobody could have guessed there was anything wrong. On the inside, he must have been living a hell that few of us will ever know. We will miss him, and we’ll always live with this feeling that we could have helped if only we would have known.

Here’s the deal. Mental health issues can be complex, and there is no stigma. Even if there were a stigma, who gives a crap?

If you struggle with any mental health issue, there’s a whole army of people who will run to your side and fight alongside you, for you.

If you’re not suffering with any mental health issues yourself, recognize that there are people in your circle who are. Invest in your relationships and get to know the people in your circle. When you see an opportunity to help someone, help someone. Give them love.

Don’t neglect mental health issues. They don’t just go away, and you don’t just buck up. Mental health issues can be treated, but only with treatment. If you’re struggling with your own mental health issues, please get help!

At Work

Work can be healthy or it can be unhealthy. The decision is up to you.

People falsely believe that they work for someone else, when the truth is that you work for you. You make the decision on what your profession will be, where you will work, and who you will work for. Your employer doesn’t do that. If you feel trapped, get yourself out.

I’ve witnessed two ways that work has negatively affected health in employees. One is stress and the other is a toxic work environment. You can do everything right to live a healthy life, but if your work is killing you, it’s killing you. It doesn’t matter what else you do, if you drink poison, you’re going to die.

Stress

The number one unhealthy factor at work for security professionals is stress. Our jobs already come with inherent stress. It’s just the nature of our work. Like I stated earlier, regardless of whether it feels like we live with more stress than other people, this is hard to say. It’s hard to say if our jobs come with any more stress than other peoples’ jobs, say like an accountant or janitor. It depends on the person. I know that I would absolutely stress out if I had to do accounting or clean some of the things janitors do.

I can’t help but wonder how much stress is caused by the person who’s stressed or by a person’s ability to cope with it.

Stressful situations affect different people in different ways. What makes one person stressed out can have little or no effect on others. It doesn’t mean that there’s something wrong with one person, it just means that they’re different people. If you’re stressed at work, don’t let it continue. Look for the source and talk to someone about it. If you find the source, and it’s addressable, address it. If you can’t find the source, or can’t find relief, give serious consideration to getting out of the environment you’re in and finding a new job or a new profession.

Maybe the environment you work in doesn’t jibe with you. Maybe the culture is counter to what you believe in; even if it’s not overtly expressed, you can feel it. Maybe you’re not made for the job you do. Maybe this career isn’t the right career for you. Nobody will know the answers like you can. Tap into your support structure for help. Living through a long career, laden with stress, will take its toll on you and your family, and I don’t think it’s worth it.

Pro tip: Slow down.

Toxic Work Environment

Studies have shown that working in a toxic environment will negatively affect your mental health. I had a job like this once. Thank God I was able to leave after ten months, even though it felt like an eternity. These were ten of the hardest months of my life, and I wasn’t the only one who noticed. My wife could tell that I was depressed and she knew the source. I’m grateful that I had good support and other options. You can have these things too with good support, a little creativity and some work.

If you can’t change the toxic work environment you’re in, which is unlikely, then leave. Staying, even for a boatload of money, isn’t worth it. Especially when you consider that many of us possess skills that are in high demand elsewhere.

Summary

The information security industry is like no other, but it’s a great industry. Sure it’s a broken industry, but it will become more functional over time. Despite our brokenness, this is a wonderful industry filled with AMAZING people. The good people in our industry are my brothers and sisters. We fight every day to make the world a little better than it was the day before. I’m grateful for the men and women in this industry.

If you want to get into this industry, do it. If you’ve got the intangibles, we welcome you with open arms. I hope you found use in this series, and I’d love to hear your thoughts. Comment below or use the contact page to get in touch.

My best wishes for you!

You Want to Get Into Security? – Part 4

This is a five-part series about getting a job, keeping a job, and staying healthy as you progress in your career as an information security professional. There is no one way to do things, rather there are many. I won’t cover all advice, or THE advice, I will offer my advice. Some of the information covered in this series is also found in my book; Unsecurity, chapter 10.

The series consists of the following articles:

This is the fourth installment in the aforementioned series; Becoming Good.

Becoming Good – Introduction

Assuming that we’re progressing through this series in order, maybe you’ve landed your first job! Your first gig! Good for you!

If you’re like most* of us, you’re going to progress in your career. Some will progress because it’s just the natural thing as a function of time and opportunity. Some will progress because they deserve it, because they’re damn good at what they do!

It’s one thing to be an information security professional, it’s an entirely different thing to be a good information security professional. I say “professional” because we get paid, and I also use it as a generic term to apply to all the various types of jobs we do in this industry. Here’s a small sampling:

  • Chief Information Security Officer
  • Chief Risk Officer
  • Penetration Tester
  • Security Researcher
  • IT Security Engineer
  • Information Assurance Analyst
  • Security Systems Administrator
  • Senior IT Security Consultant

Every position in our industry plays a specific role in an organization and comes with specific responsibilities. The specific responsibilities may not be documented (different issue), but that doesn’t mean they don’t exist. They exist, and they’re not the same from position to position. Each role in information security requires the mastery of certain skills.

Are skills all it takes to be “good” though? The answer is NO. There’s more to it than that. Read on.

*NOTE – I use the word “most” because it’s generic. This means there are exceptions. Some (the leftovers from most) people have no desire to take on additional responsibilities in their career, they’re content right where they are. Perhaps they’ve reached the top, maybe they’re just OK with their place in the middle, or at the bottom somewhere. If you haven’t reached your potential, it’s sad to leave so much more untapped potential.

Not Good? – You’re A Problem

When you’re not good at your job, there’s a good chance someone else, or many someone elses, pay the price to compensate for your lack of goodness. Sure, information security is about managing risk, not eliminating it, but your lack of “good” leads to poor risk management, and that costs someone something.

You see, information security isn’t as much about information or security as it is about people. It’s always been about people and it will always be about people. The more you and I suck at our jobs, the more people suffer for it. Sure, we can’t eliminate suffering, but we can do the best we can to make it less likely and less impactful*. If nobody suffered, there wouldn’t ever be a need for what we do.

The less good you are, the more people will suffer (in general).

*Less likely and less impactful ring a bell? That’s risk. The likelihood of something bad happening and the impact if it did. That’s the layman’s definition of risk.

If you’ve been around long enough, you can think of dozens, even hundreds of examples where bad advice was given, and an organization suffered for it, and through that, customers also suffered (eventually). If you haven’t been around long enough, here’s a quick example off the top of my head:

You advise an organization to buy an SIEM solution because monitoring and alerting is a good thing to do. They spend $100K+ on the SIEM and struggle over the next 6-12 months to get it working right (operationally). Great. They don’t patch and they have no asset inventory. Two questions then, 1) was SIEM the best place to spend the $100K+, meaning was it the most significant risk, and 2) how effective do you think the SIEM is going to be when the company doesn’t even know what assets they need to protect?

Was there more harm done than good? The devil’s in the details, but yes. There was more harm than good. Money is a limited resource and constraint; therefore, it must be spent wisely. The money spent on SIEM should have been better spent on the organization’s most significant risk(s), not on a technology because it’s “a good thing to do”. The most significant risk still exists, and customers are still more likely to suffer for it.

Simplified example, but you get the gist. Good intentioned security professionals aren’t aware of the harm they cause sometimes, and this might be most obvious in the rapid growth in consulting.

Dangerous Consultants

We see them all the time, and they come in all shapes. Some are really good people with great intentions to make a difference. Some consultants are people a little less virtuous, wanting to make as much money as possible, regardless of who they help or harm. Both types of consultants can be dangerous if they’re not good. That’s the simple truth.

Read some books, passed some tests, bought a laptop, and set up a Web site. You are now an information security consultant! You’re smart. You have the best intentions. You’re likeable, and you’re inexpensive. You’re ready to advise organizations on what they should do to secure their livelihoods, right?

Mmmm. Maybe, but God I hope not.

There’s more to being good than that. It takes more than skills and more than good intentions. More than reading books, and more than passing tests. Smart helps, but there’s still something missing.

If you’re going to be a consultant, get good first. Please.

It’s easy to convince someone who’s more ignorant than yourself that you’re an expert. Use buzzwords, look confident, talk fast, and you’re well on your way. But you’re not good (yet).

  • Good consultants don’t need buzzwords, they can explain things in plain English so that others can learn and apply concepts.
  • Good consultants are confident when they’re doing what they’re good at. A good consultant will admit when they’re not good at something, but they usually know someone who is.
  • Good consultants talk at the pace of their audience. They’re not only good information security professionals, they’re also good communicators.

I could write all day about good versus bad consultants. Probably gone too far already.

What about you? Are you already good? We’ll see. Let’s explore how to get good!

How to Get Good

One more thing before we dig in. Are you a sports person? If you are, you’ll get this a little better than those who aren’t. In sports (depending on the sport), there are players, coaches, and player/coaches. Players perform on the field, or behind the keyboard, or wherever the game is being played. Coaches mentor, teach, lead, and prepare their players for the game. Player/coaches do both; they’re typically really good coaches, but they don’t play as much as they used to.

I say these things because I’m a player/coach. I don’t play nearly as much or as well as I used to. It’s important for you to know that as you consider my advice.

I assume you’re here because you want to get good. So what does it take to be a good information security professional, or good at anything really? Like most things in information security, the concept is simple, but the application is hard. There are three simple ingredients; intangibles, education, and experience. Anything else is icing on the cake.

[Image: embedded tweet]

These things (or ingredients) are in the book, they were in a recent tweet (above), and they’re also here. Consistent message from me because it’s truth.

Words of caution…

It’s important that you don’t rush things. There’s enough stress in most information security jobs, and I highly recommend that you refrain from adding the stress of trying to outperform yourself. Take your time, keep moving forward, don’t take shortcuts, and you’ll be fine. I know there’s lots of opportunity out there, and I know there’s a ton of money to be made, but my best advice is DON’T RUSH. The opportunity and money will come, and you’ll be healthier for it, if you do things the right way.

Intangibles

You might recall that I also covered intangibles in the second article of this series (The Right Person). Intangibles are things that can’t be taught. You either have them or you don’t. There are moral intangibles, like the ones covered in the previous article, and there are gifts (sometimes called natural talent).

Some people are just gifted for certain things while others are not. Do what you can to find your gifts or strengths early and often. The sooner you understand what you’re gifted for, the sooner you’ll find what you’ve been built for. The information security field is broad enough to accommodate a wide variety of gifts, so don’t fret about that.

Get honest with yourself and discover what you’ve been built for, but how?

I don’t think that there is any one way that works best for everyone. Meditation works great for some, but not others. Faith works well for some, but not others. Therapy and/or counseling works well for some, but not others. I’ll share what works for me, but let me remind you that you may not get the same results. I find my honesty and gifts through faith, and I found good value in a book called StrengthsFinder. My faith provided a foundation, while StrengthsFinder led me to what I’m naturally good at.

Find what your gifts are and keep seeking. No matter how good you get at knowing yourself and your gifts, you’ll still need to engage in some trial and error. You will learn what you’re gifted for over time (if you focus on it), but you’ll need to find the courage to act.

Education

I include skills with, or under, education. There are millions of opportunities to educate yourself. Some people prefer a formal college degree, some don’t. Some people prefer certifications, some don’t. Some like books, some like instructor-led courses, some prefer video. Whatever method of education works best for you, do it. Then keep doing it. You will never learn everything there is to know. Learning is awesome. DON’T EVER STOP LEARNING.

If you stop learning, you die. At least your career does.

Find the learning resources that work best for you. If you recall, I shared some learning resources in a previous article too. One learning opportunity that I invite you to personally is the FRSecure CISSP Mentor Program. It’s free, and it’s a great opportunity to learn (and share).

Experience

This is the one ingredient that I see new information security professionals struggle with the most. It’s because this is the one ingredient that takes the most patience. People who de-emphasize the value of experience are some of the most dangerous information security people in our industry. Without experience, we lack the street smarts to know how things will really (or actually) work. Education and skills will teach us how to do stuff, but we won’t learn all the circumstances, context, and oops’ unless we’ve done it before (or been with/witnessed someone else who did).

The experience catch-22. You need experience to do something (or progress in your career), but the only way you’ll get experience is by doing the something. The experience catch-22 sucks, doesn’t it? Here are some suggestions to overcome:

  • You might need a mentor to take you under his/her wings a little.
  • Sometimes we have to take calculated risks, like doing something that we’ve never done before, but doing it in a way that will be calculated and not reckless.
  • Hate to admit it, but sometimes we (hopefully slightly) fake it until we make it too.

Combatting the experience catch-22 isn’t easy, but you can find your way over it (or around it) if you’re focused and determined.

Wrapping This Up

That’s it. Want to get good? Focus on you. Work on what you’re gifted at, get educated, get out there and take your lumps in the real world. If you lack experience in something that you need experience in, go get the experience, even if it means a different job. At the end of the day, you work for you (ahead of your company).

Whatever you do, don’t ever try to be someone you’re not. You will fail, and you will fail those who believed in you.

We’ll wrap up this series in our next article. Once that article is complete, we’ll compile this series into a small ebook for you and anyone else who liked it.

UNSECURITY Podcast Episode 17 Show Notes

UNSECURITY PODCAST – Episode 17

Monday, March 4th, 2019 @ 6:45am

Description

This podcast is led by yours truly (Evan, if you didn’t know me). If you’ve been following our podcasts for a while, hopefully you’re noticing that we continue to improve. Sound quality is better for sure, but Brad and I are also feeling more comfortable talking into microphones. Speaking into a microphone is neither of our strengths. This will be a relaxing week/podcast as we try to recover from last week’s visit with our wives. Actually, I’m kidding. Brad and I both loved spending time with them in episode 16, and we both learned some things about ourselves from our wives’ perspectives. We’re grateful for them, and we hope you enjoyed the listen! If you missed episode 16, check it out!

This week we’re going to dig in to our information security principles. When we started FRSecure in 2008, we documented our guiding principles, almost like our very own Ten Commandments. We revisit them every so often just to make sure that they’re still relevant. This podcast will be our review!

Opening

[Evan] Alright, here we are again. This is the UNSECURITY Podcast, and this is episode 17. My name is Evan Francen, and I’ll be your host for today’s show. Joining me as always is Mr. Brad Nigh. Brad, what’s up?

[Brad] He’ll surely say something here… If not, I’ll kick him under the table.

Discuss Last Week’s Show (Teaser Questions)

  • What did you think of last week’s show?
  • Did your wife listen to the show? If so, what did she think?
  • What sort of feedback did we get from listeners?

Week Recap

[Evan] Before we dig in to the meat of the podcast, let’s share some of the highlights (or maybe lowlights) of our last week with the listeners. Brad, tell me about your week.

[Brad] He’ll surely say something here too… If not, I’ll kick him under the table again.

Discuss the important things about last week, including:

  • More IRs. Why do you think we’re seeing such an increase? What are some of the commonalities between these incidents?
  • Pentest and Political Capital
  • Book Signing Event
  • Stuff that Brad did last week that he hasn’t told me about yet.

Well, good. We have a lot to cover this week. So, let’s get started, but before we do, one more thing that we do every week. We want to remind everyone how to contact the show, and each of us. Send your suggestions, comments, or whatever else to unsecurity@protonmail.com. If you’d like to be a guest on our show, you can email us there too. The best, least intrusive way to keep up and/or contact Brad or me is probably through Twitter. Brad is @BradNigh and I am @EvanFrancen.

Easy. Let’s move on now.

FRSecure’s Information Security Principles

As I stated in the opening, Brad and I are going to review FRSecure’s Information Security Principles together. Brad and I have never done this together, so it will be fun to get each other’s view on these things.

Principles are vital to us at FRSecure because they serve as boundaries and reminders. They keep us honest in all the work we do as security professionals. We first documented our principles in 2008, at the same time we established FRSecure. We wrote our principles down because we always wanted to remind ourselves why we’re different and why we wanted to start our own company in the first place.

Basically, we wanted to do information security right. Not just sometimes, but always. Lofty goal and a high (maybe unrealistic) standard for sure, but that’s the kind of people we are. Always striving for perfection, but never actually getting there.

That sort of sounds sad, doesn’t it?

[Evan] Brad, you’ve seen our principles once or twice right?

[Brad] He’ll surely say something here too, but I’m afraid if I kick him under the table again, he’s going to retaliate. I’ll nicely urge him to say stuff, like friends do.

[Evan] As you might know, I review these principles each year. I’m looking for relevance and alignment with what we believe in. If relevance and alignment are good, the principle is still good. Even though I review these each year, I’ve never had to make a change. This makes me believe that maybe these principles are timeless, after all this is the eleventh year.

Now, I’ve never reviewed these with anyone before. Today, I’ll review them with my good buddy and trusted cohort Brad. What do you say Brad? You cool with this?

[Brad] Now it’s totally up to him if he wants to say anything. If I really did have to kick him like I said I might have to, he’d probably not even be here anymore.

We’re going to cover each principle, one-by-one and give our thoughts on them. We’ll at least cover the following questions, but probably more:

  • What does this principle mean to you?
  • Do you think it still applies to the work we do every day?
  • How well do you think it aligns with our mission?
  • Would you change it if you could? If so, how?

NOTE: As we cover each of the principles, do you notice any change in our tone? Do Brad or I seem to be more engaged? I’m guessing you’ll hear and sense how important these things are to us. We defend what we believe in.

The Principles

#1 – A business is in business to make money

Information security must align with business objectives.

#2 – Information Security is a business issue

Information security is NOT an IT issue.

#3 – Information Security is fun

That’s right, we said “FUN”!

#4 – People are the biggest risk

Not technology.

#5 – “Compliant” and “secure” are different

We shouldn’t confuse the two.

#6 – There is no common sense in Information Security

If there were, we would have better information security.

#7 – “Secure” is relative

One of many reasons for ongoing measurements and comparisons.

#8 – Information Security should drive business

Identify and focus on information security benefits. Information security shouldn’t just be a cost-center.

#9 – Information Security is not one size fits all

No two businesses are exactly alike.

#10 – There is no “easy button”

So stop looking for one.

Other Bonus Security Wisdom

  • If something is insecure at the core, then it will always be insecure at the perimeter.
  • Gain an intimate understanding of “information security” and “risk”. All of security and compliance flows from these two definitions.
  • You cannot prevent all breaches. You better be able to detect them and respond to them too.
  • A wise man once said “Complexity is the Enemy of Security”.

Alright, we made it through that. I was taking notes, so if we decided on changing anything, we’ll be sure to get those changes implemented in the next version of our principles. I’d actually be surprised if we did change anything, but who knows. This is the first time we’ve done this together.

News

OK, we like our news, yes? Let’s get to some news quick. I think we have some time.

[Image: news article]

[Evan] I’m not sure how newsworthy this article is, but I love the content. My show, my news.

Closing

[Evan] Well, what do you think Brad? Good show?

[Brad] Assuming Brad is still here or he came back…

Well, that’s episode 17 of the Unsecurity Podcast. I had fun, and I hope the listeners found the hour spent to be a valuable one.

Oh crap, I just remembered! RSA is this week. I’ll be out there, just for a day to see my friend Roger Grimes give his awesome talk on 12 ways to hack MFA. That’ll be cool.

Next week, we’re not sure what we’re doing yet. Brad, you have anything specific planned for next week’s show? We’ll wing it if we gotta. Another quick reminder to send your questions and suggestions to us at unsecurity@protonmail.com

Thank you and see you next week!