Posts

2019 Secure360

Almost caught up with my conference and talk summaries from a couple weeks ago!

Secure360 is arguably “the” security conference in the Twin Cities each year. 2019 was the 14thyear for the event and it was very well-attended.

About Secure360

In the words of the Upper Midwest Security Alliance (“UMSA”):

This marked the first year that the event was held at the Mystic Lake Center in Prior Lake, and it was a perfect venue. Secure360 is a two-day conference, and I showed up in the afternoon of day two for my talk. I wish I had been able to be there for more, but business kept me away until then.

My impressions were very positive. The event was well organized, and there were people everywhere. I ran into a bunch of people that I know, which made the event comfortable too. I didn’t spend any time in the vendor area because I hate being sold stuff. Walking through the vendor areas at conferences sometimes feels like trying to survive a lions den with a T-bone hanging from my neck.

Judging from the published program, the quality of speakers and the content of talks was very good.

2020’s Secure360 conference will be held at the same place on May 5thand 6th. It will mark the 15thyear, one heck of an accomplishment!

What was I doing there?

Just two things this time.

First, just like the Loffler event, this was a great opportunity to say “hi” to a bunch of people that I don’t get to see very often. I ran into some people that I haven’t seen in a very long time! Fun to catch-up.

Second, I gave another talk.

The Talk

The title was Speaking Information Security. A copy of this talk can be downloaded here (link) and it’s also available on Secure360s site.

Like the other talk earlier in the day, this one was also well-attended. This room was mostly full, which sort of surprised me. I was surprised because my session was in the last group of sessions on the 2ndday (last day) of the conference. I didn’t think people would still want to hang out. They did. Here’s what I said to them (in jest, of course).

“Ever throw a party? You know when the party is winding down, and there are those folks that just won’t leave? They keep milling around, you’re tired, and you’re trying to shoo them out the door… That’s you. You’re though folks.”

The Secure360 party was coming to an end, but these infosec party animals wanted to keep going. They were committed!

This was essentially the same talk I gave earlier in the day at Tech Fest, but I was bolder with this crowd. I might have been a little ornery because I was getting tired (3rdtalk of the week), or maybe it was because I was talking to members of my own tribe (information security people). The point of the talk was to drive home the fact that we don’t speak the same language in our industry, and to make matters worse, we don’t have any good translations either. Take slide 7 for instance (pictured below).

Information security is… What? Just about everyone in my talk was a security person, but nobody wanted to give me an answer. Why? As I continued, through the presentation, there was head nodding everywhere. Slide 20 made sense to everyone it seemed. People were taking notes anyway, and nobody spoke up in disagreement.

By the time we got to slide 31, you could see skepticism growing on some people’s faces. FISASCORE® for free?! FRSecure has sold millions of dollars worth of FISASCORE® assessments over the years. Why would we make it free?! The simple answer comes from our mission; to fix our broken industry. Our mission is this, not to make millions of dollars on something that everyone should have. Let’s spend more time and money on fixing things.

I asked the audience, “How many of you are skeptical?” Only a few raised their hands. To the rest, I said (in jest again), “I thought you were all security people. I’m disappointed that more of you aren’t skeptical!”Laughs (maybe just obligatory ones). To the skeptics:

Help us. Join us to make a singular information security language that ALL can speak, and ALL can speak freely.

To the obstructionists; buzz off and get out of the way.

The talk was well received. People genuinely seemed interested, and a dozen or so stayed to talk with me afterwards. Met some new people and I’m looking forward to working with some of them toward some common goals. Oh yeah, I gave away some more books too. I like giving stuff away.

Overall, Secure360 is a great conference. I highly recommend it for the quality of the content and the wonderful people everywhere, which makes for great networking opportunities. Way to go UMSA!

You Want to Get Into Security? – Part 5

This is a five-part series about getting a job, keeping a job, and staying healthy as you progress in your career as an information security professional. There is no one way to do things, rather there are many. I won’t cover all advice, or THE advice, I will offer my advice. Some of the information covered in this series is also found in my book; Unsecurity, chapter 10.

The series consists of the following articles:

This is the fifth and final installment in the series; Staying Healthy. After this I’ll wrap the  entire series together, do some editing, and make this a short ebook for anyone who’s interested.

Staying Healthy – Introduction

Caveat: This is where I’m a hypocrite. I will give advice that I don’t follow myself. The (sad) fact is I’ve established habits (some good and some bad) over the years that have become very ingrained into the way I do things. Throughout this article I will share more about my experiences because it’s what I know best. From these experiences, I will offer advice that you can take or leave. If you can follow the advice in this article, you’ll be healthier.

So many of us are passionate about what we do. We love information security, we love helping people, and we can easily take things too seriously if we’re not careful.

I’ll speak for myself here for a second. I love my job, I love the people I work with everyday, and I love the people I get to serve. All this love makes my job not a job. Sounds great, doesn’t it? Sure. It would be, if I didn’t need sleep, or friends, or family, or exercise, or everything else that makes for a health lifestyle. If I were left to my own devices, you would find me dead behind a keyboard, doing what I’m always doing… work.

Thank God I’m not left to my own devices. I’ve got loving support and accountability, both of which are important to health and longevity. These things have served me well so far as I’ve survived more than 25 years in this industry. It’s not that I’m completely unhealthy, I’m just not as healthy as I should be.

Obviously, I don’t know everyone in our industry, but I can’t help thinking that I’m not all that unique. I think many of us work more hours than we should. I think many of us don’t exercise enough. I think many of us don’t eat as well as we should. I think most of us could use a little more sleep. Fine, but is this a problem?

The Problem

Our jobs come with stress. I don’t think we know if it’s more or less stress than other jobs, but I’m not all that concerned about other jobs. I’m concerned about information security jobs. Here’s some recent news and studies about our stress and health:

CISOs appear to be stressed.

CISO Burnout is Real, Survey Finds –  Based on interviews with 408 CISOs around the world. 1 in 4 CISOs suffer from physical or mental health issues due to stress. A little less tha 1 in 5 turn to alcohol or medication. More than half have trouble turning off work, meaning they’re not able to completely disconnect from work to focus on other things, healthy things.

It’s not just CISOs either. I think all security professionals struggle with stress.

The stress isn’t even isolated to information security professionals. Even the non-professionals are feeling it.

OK, so it looks like there’s plenty of stress to go around, and I don’t think it’s going to get better anytime soon. Two things would be sad to see, two things that I’m hoping you and I will avoid:

  1. Burning out, or leaving our industry because of it’s unhealthy affects.
  2. Sticking it out, not living a life of joy, then retiring in mental or physical pain.

If there’s anything I can do to help you to avoid these things, I’m committed to that!

Support

Sometimes, working as an information security professional is a lonely job. We get so focused in the tasks and challenges we face some days. The tasks and challenges can start to become a part of who we are.

I don’t know about you, but sometimes it’s difficult to pull myself out of the work that I’m doing and get back into other parts of my life. When I get home some days (or nights) and I need to unwind, I don’t know where to share my thoughts or feelings for/from the day. If I do share, I feel like the person I’m sharing with doesn’t understand what it’s really like.

I wonder if other information security professionals feel the same way.

Family

The best support structure we have in our lives is our family. I’m convinced of this. Invest your time, energy, and soul into your family relationships, starting with your spouse/partner, and then your children, if you have them. No matter what you may think, family must come first. In return, you will likely get support beyond anything you deserve.

Note to those who don’t have a family or those with unhealthy family relationships. I have an extra amount of respect for you because I think your road is a little (or a lot) more difficult, and I admire your strength.

I’m not a family or marriage counselor. I only write from my own experiences on this matter. Without the support of my wife and my family, I wouldn’t be close to where I am today. My wife is my greatest cheerleader, and she make’s the stresses of my job melt away (on most days).

I can’t overemphasize the importance of family support.

Mentor

Here’s mention of a mentor again. I’ve mentioned mentorship in at least three of the articles in this series. Mentors are helpful in so many ways, and getting one is well worth your investment of time and energy. I suggest you find one.

Associations and Trade Groups

Advice from someone who has been there before comes with credibility like no other advice can. There’s something that feels good about being with your own kind too. People in good information security associations (or chapters of associations) are a valuable asset and support structure for you as you rise through the ranks. Initially, you may consume more than you give, but in time the tides will shift and it will be your time to give.

Here’s a list of information security associations from Cybersecurity Ventures. Try a couple groups out, if you don’t feel like you’re getting the support you need, try a different one.

Co-workers and Friends

My experiences have varied with confiding in co-workers and friends, and in seeking advice from them about my career. Mileage varies, and the advice falls somewhere between healthy and destructive. Sharing things with co-workers can sometimes lead to gossip and political crap that makes things worse (at least for someone). Friends sometimes just want to have fun, and will have trouble relating to my work life. Use discernment here.

No matter how tough, or how cool you think you are. You need support. Everyone does. The earlier you setup your support structure, the better.

Accountability

Supporting us doesn’t mean cheering us on and making us feel better all the time. The right type of support comes from someone who loves us. It comes from someone who wants what’s best for us. If someone really supports you, or loves you, they’ll always tell you the truth. Sometimes the truth doesn’t feel good, and neither does accountability.

Find support that will tell you the truth and hold you accountable. For me, this starts with my wife. I also have amazing management teams at FRSecure and SecurityStudio who won’t let me stray too far off the path.

Balance

Personally, this is my hardest fight. I am not a person who understands balance very well, if at all. You see, I have an addictive personality. People with addictive personalities struggle with finding balance more than other people do. This was part of what I alluding to when I mentioned earlier that I would work myself into the grave if I was left to my own devices. I am a work addict, and that’s not good. I have my other additions too which just complicates matters. This is another reason why a health support structure (or system) is critical.

Why is balance so important, if it’s not obvious?

There are (at least) two truths here:

  1. Everything in our lives requires some semblance of balance, otherwise everything falls apart.
  2. Everyone has a different balance, so be careful thinking what works for someone else will work for you.

Balance in your life between family, friends, work, play, etc. is healthy. The sooner you find your balance, the better off you will be. Make adjustments here and there, change your schedule until you get it right. Use your support structure to help you along the way.

The fact that your balance isn’t the same as someone else’s balance should come as no surprise to you. Some people are in balance working 40 hours a week, some are in balance working 60. Some people are in balance when they spend entire weekends with their family, while others work some on weekends. Be careful judging others, and be careful not to think that their balance should be yours. Your balance is your balance.

Find balance and stick to it. Don’t let someone else, even your job, disrupt your balance.

Health

Healthy habits do wonders for how you feel and perform. Your mood, your relationships, and your work all benefit greatly. Maintaining your health is important for life, let alone to your job performance and career longevity. For me this is also hard, it’s hard to find time for church, exercise, and rest. Between work, family, friends, and everything else in life, I don’t have any hours left in my week.

There are people who can live a balanced life, accomplish much, and still create the necessary margin to focus on their health. These people are to be admired and emulated to some extent, just not copied. You and I should create margin and make healthy living part of our lives too.

Spiritual

I rely on my faith every day. The name Jesus offends some people, and I’m certainly not out to offend anyone. I’m here to tell you the truth though. Jesus is the CEO of our business, and He has been since the beginning. Without faith, I think I’d be lost. There’s a long story here, but for now, just know that my faith is critical to my sanity and any of the success I enjoy (it’s a gift). When the day has gone to crap and I don’t know where to turn, I can turn to Jesus.

Now you know my faith, but there are many faiths in this world. People who have faith in something or someone larger than themselves, have something special. Genuine faith has a tendency to bring strength beyond your own, peace beyond your understanding, and courage to face battles you never thought possible. Faith also brings you into a family of other believers of the same faith, whatever faith it is you believe in. So, an added benefit to faith often includes a new support group.

Don’t neglect your spiritual health. If you have, make margin and find it (maybe again).

Physical

There are two parts to physical health, diet and exercise. Diet trumps exercise. If you don’t eat well, exercise won’t really matter as much. Slow down, eat healthy. If you need help eating healthy, get help.

Many, or most of us work in an office environment where we sit at a desk all day. This, without the countering effects of physical exercise, comes with some very negative consequences. According to the Mayo Clinic, the consequences “include obesity and a cluster of conditions — increased blood pressure, high blood sugar, excess body fat around the waist and abnormal cholesterol levels — that make up metabolic syndrome. Too much sitting overall and prolonged periods of sitting also seem to increase the risk of death from cardiovascular disease and cancer.”

Sounds pretty serious. There’s good news though. One study of more than one million people found that an hour to an hour and a half of moderately intense physical activity per day can counter the effects of too much sitting. That’s great, but this is another 60+ minutes that we have to find. More balance, and more margin.

If you have the option of working at a standing desk, this will help with the sitting problem . The point is that you and I need exercise to live a healthy life.

Mental

Mental health often comes with a stigma, and that’s very sad. This one hit close to home for me last year, when we lost someone dear to us. His suicide cast a dark cloud on all of us, and we still struggle with it sometimes. He was a good guy with so many good traits and gobs of untapped potential. On the outside, nobody could have guessed there was anything wrong. On the inside, he must have been living a hell that few of us will ever know. We will miss him, and we’ll always live with this feeling that we could have helped if only we would have known.

Here’s the deal. Mental health issues can be complex, and there is no stigma. Even if there were a stigma, who gives a crap?

If you struggle with any mental health issue, there’s a whole army of people who will run to your side and fight alongside you, for you.

If you’re not suffering with any mental health issues yourself, recognize that there are people in your circle who are. Invest in your relationships and get to know the people in your circle. When you see an opportunity to help someone, help someone. Give them love.

Don’t neglect mental health issues. They don’t just go away, and you don’t just buck up. Mental health issues can be treated, but only with treatment. If you’re struggling with your own mental health issues, please get help!

At Work

Work can be healthy or it can be unhealthy. The decision is up to you.

People falsely believe that they work for someone else, when the truth is that you work for you. You make the decision on what your profession will be, where you will work, and who you will work for. Your employer doesn’t do that. If you feel trapped, get yourself out.

I’ve witnessed two ways that work has negatively affected health in employees. One is stress and the other is a toxic work environment. You can do everything right to live a healthy life, but if your work is killing you, it’s killing you. It doesn’t matter what else you do, if you drink poison, you’re going to die.

Stress

The number one unhealthy factor at work for security professionals is stress. Our jobs already come with inherent stress. It’s just the nature of our work. Like I stated earlier, regardless of whether it feels like we live with more stress than other people, this is hard to say. It’s hard to say if our jobs come with any more stress than other peoples’ jobs, say like an accountant or janitor. It depends on the person. I know that I would absolutely stress out if I had to do accounting or clean some of the things janitors do.

I can’t help but wonder how much stress is caused by the person who’s stressed or by a person’s ability to cope with it.

Stressful situations affect different people in different ways. What makes one person stressed out can have little or no effect on others. It doesn’t mean that there’s something wrong with one person, it just means that they’re different people. If you’re stressed at work, don’t let it continue. Look for the source and talk to someone about it. If you find the source, and it’s addressable, address it. If you can’t find the source, or can’t find relief, give serious consideration to getting out of the environment you’re in and finding a new job or a new profession.

Maybe the environment you work in doesn’t jibe with you. Maybe the culture is counter to what you believe it, even if it’s not overtly expressed, you can feel it. Maybe you’re not made for the job you do. Maybe this career isn’t the right career for you. Nobody will know the answers like you can. Tap into your support structure for help. Living through a long career, laden with stress, will take it’s toll on you and your family, and I don’t think it’s worth it.

Pro tip: Slow down.

Toxic Work Environment

Studies have shown that working in a toxic environment will negatively affect your mental health. I had a job like this once. Thank God I was able to leave after ten months, even though it felt like an eternity. These were ten of the hardest months of my life, and I wasn’t the only one who noticed. My wife could tell that I was depressed and she knew the source. I’m grateful that I had good support and other options. You can have these things too with a good support, a little creativity and some work.

If you can’t change toxic work environment you’re in, which is unlikely, then leave. Staying, even for a boatload of money, isn’t worth it. Especially when you consider that many of us possess skills that are in high demand elsewhere.

Summary

The information security industry is like no other, but it’s a great industry. Sure it’s a broken industry, but it will become more functional over time. Despite our brokenness, this is a wonderful industry filled with AMAZING people. The good people in our industry are my brothers and sisters. We fight every day to make the world a little better that it was the day before. I’m grateful for the men and women in this industry.

If you want to get into this industry, do it. If you’ve got the intangibles, we welcome you with open arms. I hope you found use in this series, and I’d love to hear your thoughts. Comment below or use the contact page to get in touch.

My best wishes for you!

You Want to Get Into Security? – Part 4

This is a five-part series about getting a job, keeping a job, and staying healthy as you progress in your career as an information security professional. There is no one way to do things, rather there are many. I won’t cover all advice, or THE advice, I will offer my advice. Some of the information covered in this series is also found in my book; Unsecurity, chapter 10.

The series consists of the following articles:

This is the fourth installment in the aforementioned series; Becoming Good.

Becoming Good – Introduction

Assuming that we’re progressing through this series in order, maybe you’ve landed your first job! Your first gig! Good for you!

If you’re like most* of us, you’re going to progress in your career. Some will progress because it’s just the natural thing as a function of time and opportunity. Some will progress because they deserve it, because they’re damn good at what they do!

It’s one thing to be an information security professional, it’s an entirely different thing to be a good information security professional. I say “professional” because we get paid, and I also use it as a generic term to apply to all the various types of jobs we do in this industry. Here’s a small sampling:

  • Chief Information Security Officer
  • Chief Risk Officer
  • Penetration Tester
  • Security Researcher
  • IT Security Engineer
  • Information Assurance Analyst
  • Security Systems Administrator
  • Senior IT Security Consultant

Every position in our industry, plays a specific role in an organization and comes with specific responsibilities. The specific responsibilities may not be documented (different issue), but that doesn’t mean they don’t exist. They exist, and they’re not the same from position to position. Each role in information security requires the mastery of certain skills.

Is skills all it takes to be “good” though? The answer is NO. There’s more to it than that. Read on.

*NOTE – I use the word “most” because it’s generic. This means there are exceptions. Some (the leftovers from most) people have no desire to take on additional responsibilities in their career, they’re content right where they are. Perhaps they’ve reached the top, maybe they’re just OK with their place in the middle, or at the bottom somewhere. If you haven’t reached your potential, it’s sad to leave so much more untapped potential.

Not Good? – You’re A Problem

When you’re not good at your job, there’s a good chance someone else, or many someone elses, pay the price to compensate for your lack of goodness. Sure, information security is about managing risk, not eliminating it, but your lack of “good” leads to poor risk management, and that costs someone something.

You see, information security isn’t as much about information or security as it is about people. It’s always been about people and it will always be about people. The more you and I suck at our jobs, the more people suffer for it. Sure, we can’t eliminate suffering, but we can do our best we can to make it less likely and less impactful*. If nobody suffered, there wouldn’t ever be a need for what we do.

The less good you are, the more people will suffer (in general).

*Less likely and less impactful ring a bell? That’s risk. The likelihood of something bad happening and the impact if it did. That’s the layman’s definition of risk.

If you’ve been around long enough, you can thinks of dozens, even hundreds of examples where bad advice was given, and an organization suffered for it, and through that, customers also suffered (eventually). If you haven’t been around long enough, here’s a quick example off the top of my head:

You advise an organization to buy an SIEM solution because monitoring and alerting is a good thing to do. They spend $100K+ on the SIEM and struggle over the next 6-12 months to get it working right (operationally). Great. They don’t patch and they have no asset inventory. Two questions then, 1) was SIEM the best place to spend the $100K+, meaning was it the most significant risk, and 2) how effective do you think the SIEM is going to be when the company doesn’t even know what assets they need to protect?

Was there more harm done than good? The devil’s in the details, but yes. There was more harm than good. Money is a limited resource and constraint; therefore, it must be spent wisely. The money spent on SIEM should have been better spent on the organization’s most significant risk(s), not on a technology because it’s “a good thing to do”. The most significant risk still exists, and customers are still more likely to suffer for it.

Simplified example, but you get the gist. Good intentioned security professionals aren’t aware of the harm they cause sometimes, and this might be most obvious in the rapid growth in consulting.

Dangerous Consultants

We see them all the time, and they come in all shapes. Some are really good people with great intentions to make a difference. Some consultants are people a little less virtuous, wanting to make as much money as possible, regardless of who they help or harm. Both types of consultants can be dangerous if they’re not good. That’s the simple truth.

Read some books, passed some tests, bought a laptop, and setup a Web site. You are now an information security consultant! You’re smart. You have the best intentions. You’re likeable, and you’re inexpensive. You’re ready to advise organizations on what they should do to secure their livelihoods, right?

Mmmm. Maybe, but God I hope not.

There’s more to being good, than that. It takes more than skills and more than good intentions. More than reading books, and more than passing tests. Smart helps, but there’s still something missing.

If you’re going to be a consultant, get good first. Please.

It’s easy to convince someone who’s more ignorant than yourself that you’re an expert. Use buzzwords, look confident, talk fast, and you’re well on your way. But you’re not good (yet).

  • Good consultants don’t need buzzwords, they can explain things in plain English so that others can learn and apply concepts.
  • Good consultants are confident when they’re doing what they’re good at. A good consultant will admit when they’re not good at something, but they usually know someone who is.
  • Good consultants talk at the pace of their audience. They’re not only good information security professionals, they’re also good communicators.

I could write all day about good versus bad consultants. Probably gone too far already.

What about you? Are you already good? We’ll see. Let’s explore how to get good!

How to Get Good

One more thing before we dig in. Are you a sports person? If you are, you’ll get this a little better than those who aren’t. In sports (depending on the sport), there are players, coaches, and player/coaches. Players perform on the field, or behind the keyboard, or wherever the game is being played. Coaches mentor, teach, lead, and prepare their players for the game. Player/coaches do both; they’re typically really good coaches, but they don’t play as much as they used to.

I say these things because I’m a player/coach. I don’t play nearly as much or as well as I used to. It’s important for you to know that as you consider my advice.

I assume you’re here because you want to get good. So what does it take to be a good information security professional, or good at anything really? Like most things in information security, the concept is simple, but the application is hard. There are three simple ingredients; intangibles, education, and experience. Anything else is icing on the cake.

F26C0863-3086-48F9-AD47-8810E3EAD0B7

These things (or ingredients) are in the book, they were in a recent tweet (above), and they’re also here. Consistent message from me because it’s truth.

Words of caution…

It’s important that you don’t rush things. There’s enough stress in most information security jobs, and I highly recommend that you refrain from adding the stress of trying to outperform yourself. Take your time, keep moving forward, don’t take shortcuts, and you’ll be fine. I know there’s lots of opportunity out there, and I know there’s a ton of money to be made, but my best advice is DON’T RUSH. The opportunity and money will come, and you’ll be healthier for it, if you do things the right way.

Intangibles

You might recall that I also covered intangibles in the second article of this series (The Right Person). Intangibles are things that can’t be taught. You either have them or you don’t. There are moral intangibles, like the ones covered in the previous article, and their are gifts (sometimes called natural talent).

Some people are just gifted for certain things while others are not. Do what you can to find your gifts or strengths early and often. The sooner you understand what you’re gifted for, the sooner you’ll find what you’ve been built for. The information security field is broad enough to accommodate a wide variety of gifts, so don’t fret about that.

Get honest with yourself and discover what you’ve been built for, but how?

I don’t think that there is any one way that works best for everyone. Meditation works great for some, but not others. Faith works well for some, but not others. Therapy and/or counseling works well for some, but not others. I’ll share what works for me, but let me remind you that you may not get the same results. I find my honesty and gifts through faith, and I found good value in a book called StrengthsFinder. My faith provided a foundation, while StengthsFinder led me to what I’m naturally good at.

Find what your gifts are and keep seeking. No matter how good you get at knowing yourself and your gifts, you’ll still need to engage in some gotrial and error. You will learn what your gifted for over time (if you focus on it), but you’ll need to find the courage to act.

Education

I include skills with, or under, education. There are millions of opportunities to educate yourself. Some people prefer a formal college degree, some don’t. Some people prefer certifications, some don’t. Some like books, some like instructor-led courses, some prefer video. Whatever method of education works best for you, do it. Then keep doing it. You will never learn everything there is to know. Learning is awesome. DON’T EVER STOP LEARNING.

If you stop learning, you die. At least your career does.

Find the learning resources that work best for you. If you recall, I shared some learning resources in a previous article too. One learning opportunity that I invite you to personally is the FRSecure CISSP Mentor Program. It’s free, and it’s a great opportunity to  learn (and share).

Experience

This is the one ingredient that I see new information security professionals struggle with the most. It’s because this is the one ingredient that takes the most patience. People who de-emphasize the value of experience are some of the most dangerous information security people in our industry. Without experience, we lack the street smarts to know how things will really (or actually) work. Education and skills will teach us how to do stuff, but we won’t learn all the circumstances, context, and oops’ unless we’ve done it before (or been with/witnessed someone else who did).

The experience catch-22. You need experience to do something (or progress in your career), but the only way you’ll get experience is by doing the something. The experience catch-22 sucks, doesn’t it? Here are some suggestions to overcome:

  • You might need a mentor to take you under his/her wings a little.
  • Sometimes we have to take calculated risks, like doing something that we’ve never done before, but doing it in a way that will be calculated and not reckless.
  • Hate to admit it, but sometimes we (hopefully slightly) fake it until we make it too.

Combatting the experience catch-22 isn’t easy, but you can find your way over it (or around it) if your focused and determined.

Wrapping This Up

That’s it. Want to get good? Focus on you. Work on what you’re gifted at, get educated, get out there and take your lumps in the real-world. If you lack experience in something that you need experience in, go get the experience, even if it means a different job. At the end of the day, you work for you (ahead of your company).

Whatever you do, don’t ever try to be someone you’re not. You will fail, and you will fail those who believed in you.

We’ll wrap up this series in our next article. Once that article is complete, we’ll compile this series into a small ebook for you and anyone else who liked it.

Writing UNSECURITY Journey – Back Home/Kidney Stones

A series of posts dedicated to the journey of writing my first book, Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?

This is the seventh article in the series. The others:

See here for the full list of articles, including those that are yet to be written for this series.

Introduction

You already know what’s coming in this article. My titles in this series aren’t very creative, are they?

It was good to be back home. The only thing that sucked was the weather. In Cancun it was sunny most days and the temperature was in the mid-to-upper 70s. At home, it was below zero and snowing. The good news was I wouldn’t be tempted to go outside much. Good writing weather!

Cancun was mostly a success, minus the first week drama. The score at the beginning of the Cancun trip was; 76 days to go before my self-imposed deadline and zero words written (sort of). I came back with a score of 62 days to go and 21,672 words written. Seemed good to me at the time. Remember though, I was a naive newbie writer, and I had no clue how long these books are supposed to be or what they’re supposed to look like.

The Routine

While I was away, I had few interruptions. At the office, I was interrupted constantly. I love being an accessible leader who’s genuinely interested in every employee who works at FRSecure and SecurityStudio. Between my need to be with our employees, the phone calls, meetings, and emails, there was no time to write anything between the hours of 8:00am and 5:00pm.

I wanted to avoid writing at home because knew it would dominate family time. Something had to give. I needed to find writing time somewhere.

The solution… I’ll get up every morning at 3:00am, get to the office by 4:00am, and write from 4:00am to 8:00am. Brilliant. I knew that I wouldn’t be able to do this every morning, but I would try anyway. If I couldn’t find the energy some mornings to get out of bed, I would just reset the alarm and find an hour or two somewhere else in the day.

Week one was essentially shot because I hadn’t figured out what I was going to do yet. It was a struggle to catch up with emails, let alone write anything. Score: 54 days to go and maybe 22,000 words done. I felt like I was starting to fall behind, but I was sure I had a solution.

Week two, Monday morning, I’m up and raring to go! Good writing session. Tuesday, same thing. Wednesday, starting to drag a little. Thursday, nope. Friday, somehow managed to get in early, but could not write anything. My brain was not having it. The 3:00am thing is going to be a real turd. Maybe I’ll try 4:00am instead.

Turns out the 4:00am each morning did the trick. Some days were better writing days than others. I tracked my progress each day by how many words I wrote. Some days I wrote 1,200(ish) words and some days I struggled to write 250 words. Here’s what I learned…

How many words you write each day doesn’t matter as much as writing each day.

Kidney Stone

Life was good, and I was trucking along, until one morning I didn’t feel right. I wasn’t sure why, but I felt like I needed to use the restroom really bad. No problem, to the restroom I would go. At this time it’s probably 5:30am, and there’s nobody else in the office yet. I didn’t feel right, but there was no reason to panic.

I tried writing, but it was a struggle because I couldn’t concentrate. I constantly felt like I needed to go to the bathroom, yet every time I went to the bathroom, nothing happened. There was no urine or bowel movement, just an unusually pronounced feeling that I needed to excrete something. As time went on, the feeling got worse, bit by bit. The time was now 9:30, and I’m getting a little more concerned.

Things progressed much faster, and by 11:00am, I’m laying on the bathroom floor. Wasn’t panicking before, that’s changed. Something is seriously wrong. Thankfully my wife was in the office at the time, so I told her about my problem. I told her that I need to go to the doctor right away. I don’t know what’s wrong, but I know that it hurts like a sumbich. She knows I have a high pain tolerance, so this is very unusual. She immediately gets the car while I get my jacket.

We’re in the car on the way to the nearest clinic, 15 minutes away. She keeps asking me if I’m OK, and I don’t want to talk. I want the pain to go away, and I’m in full on “GIVE ME ANYTHING TO TAKE THIS PAIN AWAY RIGHT NOW” mode. After an eternity, we arrive at the clinic. We get in to see a doctor quickly and the doctor starts asking me a bunch of questions. I don’t want to answer any questions! The pain is unbearable, and I want her to 1) give me something to make me feel better or 2) shoot me. She tells us she thinks I have a kidney stone, and that I have to go to a hospital.

That’s it?! No drugs? No gun?! Just go to a damn hospital?! Useless. I’m pissed. I’m angry. I feel like an alien is going to come popping out of my stomach or my ass or my back at anytime (I can’t tell which). I’m obviously dying, and now I’m told to get back into a car and endure another 20 minutes of hell before I eventually get to the emergency room. Fine. Whatever. I’ll do anything right now.

Another eternity passes. Two eternities in one day if your keeping score. We arrive at the emergency room, and more questions! The nurses want to ask me questions, and I don’t want to talk to anyone. I want drugs or a bullet. That’s it. My wife intervenes (she’s an angel) and eventually I end up in a bed. Still dying, but dying harder now. How can I possibly be dying harder? This is crazy! Why God?! What did I do to deserve a living death like this?

We’re in this room with a curtain thing that separates my bare bottom in a scratchy gown from the rest of the world. A nurse or doctor (I can’t tell because I’m having trouble seeing now, I think) comes in and she wants to ask me questions too! Seriously, stop with the flipping questions already, and get down to business! I look at my wife in desperation. She tells the doctor I don’t want to talk and she answers for me. Out of all the questions that were asked, I heard one that I actually wanted to answer. The doctor asked what my pain level was on a scale of 1 – 10, 10 being the worst. I blurt out, “it’s a 20!”. Even that answer was hard to muster between my panting and dry heaving. Oh yeah, the pain is making me dry heave now.

Seriously, I’m dyyyyyyyiiiiiiiinnnnnnnggggggggg. The doctor leaves for some reason or another, an now I can’t lay down. I’m pacing the room, stopping to lean head first against a wall every now and then. While I’m pacing and trying to find some way to move in a manner that will give me some relief, I can overhear the nurses outside my shower curtain door talking about recipes for some whatever thing. I’m like, why?! Why do you let a good man die while you talk about tater tot hot dish recipes?! Life sucks. Seriously, is this the end?! Is this how I’m going out?

Finally, a nurse comes in to see me again. She wants me to pee in a cup. I want to shove the cup up her… No! I stop myself. It’s the pain talking. I did shout, “when can I get some drugs”? She stopped what she was doing and gives me a puzzled look. “Wait. Nobody has given you anything yet?”. I can’t say anything because I want to cry. My wife answers for me, and before long I get some morphine. Thank you Jesus!

The pain slowly eases, and I can talk better. Why do things like this always happen to me? For one, this mother of all pains, and then forgetting to give me some drugs? Double whammy of suck.

The morphine didn’t take the pain away entirely and it didn’t last very long either. My pain probably dropped to an 8 (which is a helluva lot better than 20). Seemed like thirty minutes later, and my pain started to inch up again. Next up, the doctor wants a CT scan. OK fine, just don’t forget the drugs. The whole CT scan thing was quick, and before I know it, I’m back in my room. The pain is getting really strong again, but the nurse gives me something in my IV right away. Within five minutes I’m feeling good. Like, what the hell just happened?! I asked the nurse what she just gave me, because I want that stuff on stand-by.

I was expecting the nurse to tell me the name of some super-narcotic, but no. She gave me ibuprofen in my IV. Ibu fricken profen?! Really?! Yep. I was too amazed and exhausted to ask them why we didn’t start with this an hour or two ago. The results from the CT scan were ready, and it turned out that I had a 7mm kidney stone. The doctor suggested that we let the stone pass. Skeptically, I agreed. She thought it would pass on its own and told me if the pain comes back, take more ibuprofen. Easy enough. I LOVE Ibuprofen (now).

Before the doctor left, she mentions one more thing on the way out. She requested that I come see her at the nurse’s station after I get dressed. I asked he why. She wanted to show me something on my CT scan. My wife and I looked at each other, and we could read what the other was thinking. Why? What do you want to show us? I quickly got dressed and scurried out to the nurse’s station where the doctor was waiting for me.

She showed us a grainy looking image. In the middle of the image was my kidney. The doctor pointed at the kidney, and focused out attention on a darker part of the image. She explained that she’s concerned about a “mass” on my kidney. Apparently the mass had a diameter of 55mm. She advised that I get a CT scan with contrast soon, and that was that. She wouldn’t answer any additional questions and just referred us to our family doctor for next steps.

That’s it… Writing wasn’t really on my mind anymore, at least not on this day.

You Want to Get Into Security? – Part 3

This is a five-part series about getting and keeping job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.

The series consists of the following articles:

This is the third installment in the aforementioned series; Landing Your First Job.

Landing Your First Job – Introduction

I have to admit, it’s been a very long time since I landed my first information security job, and it’s been more than 10 years since I’ve hunted for any job at all. This means that my advice will come from somebody who hires more than it will as someone who’s looking for a job. I think the advice is still valid, but you can judge for yourself.

My first information security job came in the early 1990s. I had the pleasure of cleaning boot sector viruses off thousands of Windows 3.0 and 3.1 computers. Back then, information security wasn’t really a thing like it is today. Even though there are more information security jobs today then there were then, I think it’s harder to get jobs now for some reason. Probably unrealistic expectations. Anyway, it’s not easy for most people to land their first information security job.

In this article I’ll give you some tips that I hope will help you get your first information security job.

Matchmaking

Getting a job is like finding a girlfriend or boyfriend on a matchmaking site. People post a profile of themselves and all the things they’re looking for in a mate. Then there’s other people who also post a profile, but they’re more active in looking for a date. These people browse profiles, sometimes for hours, looking for the right person to contact. In our analogy, the first person is the company or recruiter, and the second person is the one looking for a job.

The first objective is to get a date with someone. The ultimate objective is to go steady, or enter into a committed relationship. Dates are interviews and going steady is landing the job.

A match isn’t likely to happen if either party has unrealistic expectations. Not all jobs are like an exceptionally attractive European noble with billions of dollars and a love for puppies. You might want a unicorn job, and the hiring organization might want a unicorn to work for them, but these things are extremely rare for someone who’s new to this industry. Keep your expectations in check.

The matchmaking analogy applies best to using job sites like Google, Indeed, Monster and others. As we’ll see, this is only one way you can go about finding a date, and it might not be the best.

Getting a Date

When you’re trying to get a date, you don’t want a date with just anyone do you? Hopefully not. We want to find the right person, the right job. Hopefully, you’ve done some research and prepared yourself for the job market as we outlined in our previous article. If you did the research, you’ve probably found some good job sites .

Where to find dates

There are many ways and places to land a date, and there are many places you can go to try to find an interview. Depending upon your specific circumstances and your specific preferences, choose the right path or paths for you. Here are ways people find us at FRSecure and where we might find you too:

Internships

Internships aren’t for everyone because they don’t usually pay well, if at all. Internships come in all forms. Some are paid, some are not, some require experience, some do not. Paid internships can be a challenge to find, but they’re out there. Unpaid internships are a little easier to find. A simple Google search for “where to find information security internships” will produce many leads for you; however, the best way to find an internship is through someone you know. Ask around.

‘Most large organizations with security teams and information security companies offer internships. Contact them directly and inquire. This will give you more control and might land you an opportunity with a company you like more.

Job Sites

Using a job site is fast and easy. It should be included in your strategy, but I caution against using job sites as your sole source for dates/interviews. These are some of the job sites you might want to check out:

  • Google – Google integrated with ZipRecruiter in 2017 and produces pretty good results. Just type a job title and the word “jobs” into Google search.
  • LinkedIn Jobs – There are plenty of jobs and some good job seeking advice on LinkedIn. You will probably want to use LinkedIn for yourself anyway as you build your career, it’s a well known and heavily used networking tool.
  • Indeed – A clean, quality job site.
  • Monster – A job site that has been around for a long time (1994). It’s still a quality site, even though it’s not as dominant as it used to be.
  • ZipRecruiter – A very popular job site, and probably one of the fastest growing.
  • CareerBuilding – A popular job site, but not one of my favorites. I have no objective reason for this site not being one of my favorites though, it just isn’t.

These are the major job sites that I know of. Whatever site(s) you use, be sure to document what jobs you’ve applied to and keep track of any/all responses. It probably doesn’t reflect very well if you apply to the same job multiple times through multiple sites.

Networking

Networking is difficult for some people because they don’t feel confident or comfortable in groups or crowds. I get it. I’m one of those people. Go to local information security events, meetups, chapter meetings, etc. to meet new people. You can network with anybody, and they don’t have to be security people. If you get good at networking, you’ll find that most people know a security person that they can put you in touch with. Getting referrals or door openers is a differentiator that could work in your favor.

Mentor

Mentors are great for many things, helping you land a job is just one of those things. Mentors will help you prep for interviews and offer wisdom throughout your career too. Everyone should have a mentor, no matter where you’re at in your career. My mentor and I met in 1995. He was my boss when I worked for Jasc Software (known for Paint Shop Pro). We’ve both moved on in our careers, but we still have a standing coffee meeting every Friday, and his support has been instrumental in my success.

Finding a mentor isn’t easy. You’ll have to take a risk and ask someone, and they might say no. A mentor could be a teacher you had in school, a boss you admire (like my mentor), a friend you respect, a family member, someone from church, or anyone in between. I suggest that you write down the names of five to ten people you respect and admire, then go ask them if they’d be willing to be your mentor. If you strike out, do some online searches for mentorship programs. They come and go all the time.

Once you feel you’re ready, be sure to return the favor by becoming a mentor for someone else.

Local Community Events

There are groups of information security people meeting all over the place, all the time. Chances are very good that there are information security groups meeting regularly in your area. These are great places to meet and learn from other information security professionals. Building relationships with others will create a wonderful support group for yourself and open doors to all sorts of opportunities, including jobs.

Where I live, in Minneapolis, there are more than fifteen information security-related groups that meet regularly. This means that I could conceivably attend fifteen or more events every month, and meet hundreds of other security professionals. Pure gold!

92A2F78B-DF88-4665-BD99-F7758134AB53

A simple search on meetup.com, will probably produce some good leads for you. The Information Systems Security Association (ISSA) has local chapters all over the world, and they welcome new visitors. Other organizations that have local chapters all over the United States (and maybe the world) include the Information Systems Audit and Control Association (ISACA), InfraGard, and the International Information Systems Security Certification Consortium (ISC2). Check them out, it’s worth it.

Prep for Dating

Alright, hopefully you’ve got some good leads now. You have a solid resume, right? If you don’t, get one.

Need help? Start with a sample resume. You can ask for one from a friend or see if you like one of these free online samples:

Now you need to plug your information into the sample/template resume. If you don’t have any experience, you might not have much to put down. Don’t let that discourage you. There are companies who put a high price on intangibles. Take where I work for example, we always hire for the intangibles first. Intangibles are the things that align with our core values, which were covered previously in Part 2.

Think we’re the only company who does this? Think again. Just last week (2/21/19) I had the honor of moderating a panel of amazing female security experts for an AnitaB.org event at the University of Minnesota. AnitaB.org is a great organization supporting women in technology. One of the questions for the panel was “What skill sets would you look for in your team?” Each of the panelists gave their answer, but none of the answers had anything to do with technology skills. All the answers were about the intangibles! Good validation for what we already knew.

Fill your resume with information about you, focusing on how you will help your employer. Include your community work (if you have any) and be sure to list these groups you’ve been attending (see above). I used to customize my resume for each job that I applied for. This would ensure that my tangible and intangible skills would align perfectly with what they were looking for

Additional tips for writing a good resume can be found online:

Above all, be sure that the resume is true to who you are. We want a company to like you for you.

Your Best Face

Alright, you got a date?!

You want to be you, but you also want to be a good fit for the culture of the organization. If you haven’t already, now’s the time to do some research. Find out everything you can about the organization and about their culture. Find out how they dress, because you don’t want to overdress or underdress for the interview. Find out what they believe in, because you’ll want to validate and compliment their mission. Find out about their successes, because you’ll want to acknowledge them and verbalize your commitment to helping them get more similar successes.

Put the address for the interview into a mapping application days before your interview. Figure out your route and how long it will take you to get there. If you don’t feel comfortable with the drive, make the drive yourself a day or two before your interview.

Get to the interview at least 15 minutes early.

Eat something reasonable before you go to the interview. Pee before you get there.

The best advice I can give you in preparing for an interview is to be you. Don’t try to BS or be somebody you’re not. The person your interviewing with will probably see through your ruse, and if they don’t, you can’t feel good about starting your relationship being somebody you’re not.

Making a Commitment

You had an interview or two, or twenty. Now you get an actual job offer! Somebody wants to go steady. Yay you! Now you need to make a choice, do you take it or not? This is gut check time. My suggestion is to not take any job that you can’t commit to for at least two years, and ideally five years. Ask yourself if you could see yourself with this organization for two years or more. If the answer is no, I would say no to the offer. This takes a certain amount of discipline, and your circumstances may not permit any choosiness. Most people would take the offer anyway

The reason why I suggest staying with an organization for two years or more is because it validates your intangibles. It shows that you take commitment seriously, you are loyal, and you understand that you can’t rush experience.

You may decide to negotiate your offer, but if you’re new to the industry, you probably don’t have much to negotiate with. I’d advise against much, if any negotiation.

CONGRATS on the offer and the new job (hopefully)!

Conclusion

Getting your first job in this industry isn’t as easy as some people think. You need to work at it and you need to be creative. Make friends, make connections, and earn a good reputation. Take a pragmatic and formal approach to the process, after all, you are working for you!

Now that you landed your first information security job, how are you going to become a good (and ever-improving) information security expert?

BONUS: What is an “expert” anyway? This was a question that Brad Nigh (co-host of the UNSECURITY Podcast) asked me today during our recording of episode 16 (available 2/25). Comment below. No Googling or official definitions allowed. 😉

Writing UNSECURITY Journey – Cancun(2)

A series of posts dedicated to the journey of writing my first book, Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?

This is the sixth article in the series. The others:

See here for the full list of articles, including those that are yet to be written for this series.

Introduction

The second week in Cancun was infinitely better than the first. The second week officially started with the arrival of my wife and daughter. They were coming to spend time with me and enjoy some of the Cancun sun. My wife had a spare laptop power cord in hand, so I was finally back in full service! After writing the first 25 pages of the book on an iPhone, it was such a relief.

The Restart

It’s Saturday, and the alarm was set for 5:00am. The plan was to write all day at corner table in the resort lobby. I chose this table because it was off in a quiet corner, it was just the right height, and the chairs were comfortable. I was pumped! Last week it felt like this day was never going to come.

One thing I did a few days ago, maybe Thursday, was set goals. I also wanted to set some writing time structure that I could follow. My goal was to write 3,000 words/day and adjust as I went. This would equate to about 12 pages/day, and this seemed like a reasonable goal starting out. The structure I would follow would be 50 minutes on, followed by 10 minutes off, and I would not stop any earlier than 3pm. I had already done a lot of research for the book, so my day would be all a go for writing!

My first ever full writing day ended at 3:45pm. I hadn’t eaten anything, but I didn’t even notice my hunger until I stopped for the day. Final results; 2,732 words, or about one and a half chapters. It felt like a productive day, and it felt an incredible sense of accomplishment. Finally, something got done!

I spent the rest of day with family. Great day.

The Coffee Club

Sunday started with the same goal and the same approach as the day before. Writing started at 5am sharp. Each writing session would be 50 minutes, just as it was the day before. As I was starting the third writing session of the day, two old guys came and sat at my table, one on my left and the other on my right. Awkward. I struggled a little to maintain focus, and did my best to ignore them. These guys obviously knew each other and they began a (loud) conversation like I wasn’t there, even though I was in between them. Ten minutes later, another old guy shows up and takes his seat at the table. The conversation amongst the old men continues.

I’m doing my best to stay in the zone, but my bladder starts screaming for some relief, so I had to stop for a quick bathroom break. After relieving myself, I walk back to my writing spot when I notice that there’s a problem. This isn’t my spot anymore. There are now eight or nine old men sitting all around the table! I sit down, but I’m cramped. I struggled through the rest of the writing session, and took a break outside. I’m flustered and irritated by these rude old men. I’ll just need to fight on and keep writing. It’s the only comfortable spot around here.

Three quarters of the way through the next writing session, the old men begin to disperse. Before long, I’m alone at my table again. Awesome! During the next break, I reflect on the awkward experience, and convince myself that it must have been some kind of Sunday morning gathering. I’m hoping that tomorrow will be different, back to normal. The second day was a little better than the first in terms of the number of words  written, 3,012. I was determined to hit my goal, and I was getting better at writing too.

Monday comes, and the same old man experience. The first five minutes with these guys were frustrating. I was actually angry. Today was different though. Before long, I started listening to their conversations, and they even addressed me a couple of times. Before they left, I had introduced myself to them all, and I was actually starting to warm up to these guys. Monday was a good writing day, but I have to admit I was looking forward to seeing the guys tomorrow.

Tuesday came, and so did the old men. These guys meet each morning for their coffee club and I was in their territory. I was happy to see them, and I think they were happy to see me too. Rather than trying to write anything, I closed my laptop and fully engaged in conversations. I’m not good with names, but there were two guys that I immediately hit it off with, Bob and Lynn. Bob was a dentist for 36 years in a small Missouri town. Lynn owns a farm that is the largest producer of gladiolas in the United States. All these guys were retired and spend some number of winter weeks in Cancun each year.

4ED34A53-1426-453E-B00A-7C6A4DFC1A9C

My Cancun Coffee Club

Bob asked me what I was doing with my laptop, working. When I told him that I was working on a book, he seemed genuinely interested. He asked me what I was writing about, and I told him that I was writing about information security. The look on his face was priceless, partially because it’s Bob and partially because he had no idea what I was talking about. I did my best to explain, but I could tell it was going to take a while. He wanted to know more, but we didn’t have the time.

This is when I realized what the second book would be. You know, the one I’m writing right now. This thought at the time was crazy because I hadn’t even written half my first book before I’m thinking about the second one. The second book would be titled “Information Security for Normal People”, or something similar. Normal people are people like Bob. The more I thought about it, the more convinced I became. How sad would it be for a wonderful, salt of the earth, all-around good guy to lose everything to some jackass attacker? Yes, I have to write this second book. Shelve it for now.

As the week progressed, my relationship with the coffee club deepened. We got to know each other pretty well. It didn’t let it take away from writing progress because I planned it each day now. When it came time for me to leave for home, we said our good-byes, and  I promised them I would be back again next year.

Heading Home

The second week went fast, much faster than the first. I spent at least 60 hours at the keyboard, and still found time to become part of a coffee club and make great memories with my wife and daughter. The week produced a total of 21,672 words. If I would have avoided the week one drama, I think I could have had 45,000 words. Oh well, at this point I still have a month and a half to finish up the draft. I’ll just need to do it at home.

Lessons from Cancun:

  1. Prepare much better. There was no excuse for leaving my laptop cord behind. If you’re going somewhere to write, pack well and prepare for contingencies.
  2. Goal setting is important. There were days where I wanted to quit for the day, but I was short of my goal. I would not allow myself to quit on a couple of days, because of my goal.
  3. Segmented writing works well for me. The 50 minutes of focused writing followed by a 10 minute break was a good approach. It forced some discipline into my writing and inserted healthy breaks.
  4. Don’t try to force through distractions. If I don’t want distractions, go somewhere quiet. If I’m distracted, and I don’t want to go somewhere else, stop writing. It saves me frustration and I made some great new friends.

That’s it for the two-week Cancun writing trip. I’m actually starting to feel like a writer at this point in the process, and I’m excited to write at home or in my office.

You Want to Get Into Security? – Part 2

This is a five-part series about getting and keeping job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.

The series consists of the following articles:

The Right Person – Introduction

In the last article, we concluded that there is plenty of opportunity in the information security industry, especially for jobs. The job market looks good far into the future.

Great, now what? There are two types of people asking this question, maybe three:

  • People working in the industry who want a change.
  • People not working the industry who want to explore the possibility.
  • People who don’t care one way of the other about #1 or #2.

Type 1: You might find this article interesting, but I’m not writing it specifically for you. You’ll find more benefit in the fourth and fifth articles of this series; “Becoming Good” and “Staying Healthy”.

Type 2: This is your article. I’m writing this for you, giving you the best advice I can.

Type 3: You should care. You’re either missing out on a possible opportunity for you and your family, or you know someone who could use some advice. People who don’t care about things seem like miserable people to me.

There. I’ve explicitly defined the audience and set expectations. Now, let’s get on with it. Back to our question, now what?

The ‘Now What’

If you’re still reading, you must be interested in getting an information security job, or you know someone who is. The first thing you should know is what it takes to be a security person. There are common traits that good security people have.  Rather than trying to build specific security skills, first focus on the traits you possess that will translate well into security roles.

Please don’t overlook these traits or take them for granted. They’re very important.

I’ll share the approach we use at FRSecure because it’s what I know best and it’s served us very well over the past 10 years.

FRSecure’s Approach

We hire for the intangibles, the things we can’t teach. As a business, there are three things that we must establish with each one our customers before we ever do work with them, and these three things translate directly to our Security Analysts who do all our work:

  1. Trust – People trust us and we must never betray their trust. Are you trustworthy? Do you consistently do what you say you’re going to do? Can people count on you? Do you put other people’s best interests above your own? (very important for consulting)
  2. Credibility – Directly related to trust, are you believable? Credible doesn’t mean you know everything, but it does mean that you know what you know and you’re willing to stand by your words and actions.
  3. Likeability – Nobody wants to work with a jerk, not co-workers and certainly not clients. Are you pleasant, friendly, and easy to like?

You must do well in these three things if you want to work here. Next comes our non-negotiable core values:

  • We tell the truth.
  • We are collaborative.
  • We are supportive and driven to serve.
  • We do whatever it takes.
  • We are committed to constant improvement.
  • We have balance. We work hard and play hard.
  • We all buy in to who we are, what we do, and where we’re going.

The non-negotiable traits that make people a good fit here are; truth, collaboration, support, service, doing, commitment, consistency, improvement, balance, and being bought in. These aren’t traits that we negotiate on, we live up to these values always.

Other bonus traits that work:

  • Humble – The best information security professionals are humble people who are willing to help others. Ego takes a back seat to building others up. If you’re full of pride and you like to feed your ego, please (for the sake of all of us) don’t become a security professional, you’ll just make everyone’s job more difficult.
  • Learner – You will never learn everything there is to learn about information security, and things change very fast. If you don’t like to learn, you’re probably not going to make it far.
  • Persistent – I swear I’ve said the same things a million times, and many of the things that I say today, I said 20 years ago. People are slowly getting some of the things we’ve been preaching for years. Persistence will serve you well in all sorts of problem-solving scenarios.
  • Aware – Another word for this would be perceptive.
  • Logical – There are reasons for just about everything. You’ll need to use logic often. Computers and other digital things are discrete, meaning everything is on or off, a one or a zero. Things can get confusing when there are millions of ones and zeros because what was black and white becomes gray. No matter, there’s logic in all of it. Human beings are a different case altogether, they’re analog.
  • Moral – You must be able to discern right from wrong, always. Integrity is a very big deal, do wrong, and you could ruin your career.
  • Comfortable with discomfort – Most information security experts are always in some degree of discomfort. If you can’t get comfortable being uncomfortable, you’ll be less happy in this business.

Love People

My favorite trait in a good security person is their love of people. The best information security professionals know that information security isn’t as much about information or security as it is about people. People from all walks, all faiths, all colors, all genders, etc., etc. Information security doesn’t discriminate, neither should it’s professionals.

If you don’t have these traits, we probably don’t want to hire you. If you do, then start researching job roles.

Job Roles

You read previously that there were more than 800 variations of different job titles in our industry. Not to make this any more overwhelming, but there are 1,000s of variations of job roles and responsibilities to fit these job titles. Start researching the roles that seem interesting to you and take note of educational and skill requirements. Keep researching until you feel comfortable and convinced about where you want to take your security journey. Research entry-level positions and research expert-level positions. See if you can draw out your career path for yourself beyond landing your first security job. Just because you draw it out doesn’t mean you can’t change it later, after you know more.

Places to review information security job roles, education, and skills:

  • LinkedIn – the site (or the app) has really good search filters, so you can look by experience level, location, type, and several other criteria.
  • Google – Google has a nice search function, with many filtering options, built right into the search engine. Just Google “information security jobs’ and you’ll see what I mean.
  • Indeed.com – A solid job site with many options.
  • CareerBuilder – Another pretty good site.

Keep researching until you feel like you know what want, or at least you think you know what you want. If you get it wrong, not a huge deal. Like most things, you can adjust later.

Bonus: A Mentor

Navigating the waters of the information security industry is always better with someone who’s been there, done that. If you know someone who’s been in the industry for a while, ask them if they’d be willing to be a mentor for you. If you don’t know anyone, ask around. If that still doesn’t yield any results, you can try other resources like your local Information Systems Security Association (ISSA) or International Information Systems Security Certification Consortium (ISC2) chapter. There are always good and helpful security pros at the chapter meetings. Another resource that I just ran across recently is MentorCruise. I’ve never used this service before, and I don’t personally know anyone who has. I can’t really recommend it, but I can’t not recommend it either. Worth checking out.

A good mentor makes a big difference. I’ve always had a mentor.

Skills

Now you know what traits are important (sort of), you know what role you want (sort of), and you know what skills you need (sort of). You won’t be certain of any of these things until you get going, if ever.

You don’t have to be a technical genius to get a security job. You don’t even need have strong technical skills. Some people disagree with me on this, but it’s usually because we’re not saying the same thing. Let me explain.

People who are new to our industry, and even some who are already in our industry, are easily confused by the words and terms that we use. Don’t let the confusion lead to intimidation and don’t become too easily discouraged. Take the terms “information security” and “cybersecurity” for instance.

Information Security and Cybersecurity

You will encounter times when the term information security and the word cybersecurity are used interchangeably. They are two different things, and this is important to know. Information security deals with administrative (people and process), physical and technical controls (or safeguards), whereas cybersecurity only deals with technical controls. Further proof of this is the definition of the word “cyber” by itself:

relating to electronic communication networks and virtual reality.

So, when I say you don’t need to be a technical genius, I’m talking about for the information security field. Cybersecurity jobs are ones where more technical acumen is required. It’s important for you to understand this. The misconception that you must be a “techie” or a “geek” to get into this industry is false and shuts the door on good people. There are many jobs in our industry that don’t require an in depth, expert-level understanding of technology. Having said that, you will need to learn basic technical concepts.

The advice I received from my mentor when I first started out in technology (before information security was formally a thing) was to read anything and everything I could get my hands on about the subjects I was interested in. This is good advice.

My advice to you is to follow industry news, read books, take courses, and learn everything you can. Learn, learn, learn, but DON’T RUSH. Rushing yourself creates undue pressure and steals the enjoyment. Everyone has their own healthy pace. Find yours and commit to it.

Resources

Here are some resources that I use, or have used in the past. This is not an all-inclusive list, so don’t get bent out of shape if your favorite isn’t listed, OK?

Industry News Sources

Books

Courses (FREE)

Conclusion

The order you go in, and the specific path you take will be up to you. There is no one way. You’ll notice that I didn’t mention degree programs in this article. This doesn’t mean that I don’t believe in them. Most degree programs have job placement and job assistance services included; therefore, many of these students will get what they need to land a job. Although degree programs are good, you don’t have to have a cybersecurity or information security degree to get a job with us.

If you want to get a job in the information security industry, you can. I hope you have the right traits, and I hope you’ll help fix problems in our industry and won’t add to them. Many of us who work in this industry take our jobs very seriously and we welcome new recruits. Don’t take shortcuts and do the right thing (always), and you’ll do great. If you run into a jerk along the way, ignore them. They’ve got personal problems that you won’t be able to solve anyway.

Good Luck! Next is Landing Your First Job.

Writing UNSECURITY Journey – Cancun(1)

A series of posts dedicated to the journey of writing my first book, Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?

This is the fifth article in the series. The others:

See here for the full list of articles in this series, including those that are planned in the future.

Introduction

This article is longer than the others. There’s some drama in this one.

If you don’t recall, or if you’re just joining the conversation now, my plan called for a two-week writing trip to Cancun in January 2018. Life sucks, right?! The challenge was convincing my co-workers that I was going to Cancun to write a book, not to go on vacation. They said they believed me, but you could see the skepticism on their faces. I had to come back with a finished book, or at least solid progress on one if I was going to convince them. This was added pressure that I didn’t need, but I was up for proving them wrong.

The plan was for me to be in Cancun for one week by myself, doing nothing but writing. I would be joined by my wife and my 13 year-old daughter for the second week. On the second week, I would write all day and spend the evenings with my family. A good plan, I thought.

The Outline

I didn’t want to wait for the trip before I started doing something with the book. So, months before leaving, I started the outline. At the time, there was no title and all I had was the idea. The book was supposed to be about what’s broken in the information security industry. If you know this industry, you know that there’s no shortage of topics that I could have chosen to write about. The fact is, there are many things that are broken, depending upon your perspective and experience. I needed to figure out how to take all the things that I think are broken and organize them logically into chunks, which would later become chapters.

I open Microsoft Word and stare at the screen. Ten minutes pass. What’s wrong with me?! OK, break time.

While on my well-deserved break, I convinced myself that I needed to write something. Write anything! This is where it all started. I just wrote anything and everything that came to mind about the frustrations I have with the information security industry and what seems broken to me.

I think the experts call this brainstorming.

I drew upon the experiences of my past, and kept typing words, with no attention given to context or structure. The document started to fill with topics. Slowly, out of the topics emerged themes. Once thoughts started to flow, I was surprised by how easy the thoughts went from brain to document. After an hour, I even added some pictures that I downloaded from the Internet. The pictures with the smattering of unorganized words in a Word document started to become my outline. I did something. Yay me!

Here’s the first brainstorming document. Impressed?

Over the course of the next few months, and before leaving for Cancun, I made numerous changes to the outline. I didn’t do any heavy writing, just revisiting the outline once a week and tweaking it here and there.

Before I knew it, it was time to leave, and it was time to get serious about writing this book!

Can’t Believe I Forgot

This was a week that I won’t forget. Read on, and you’ll know why.

I arrived in Cancun on Saturday, January 6th. We rented someone’s condo lockoff at the Royal Sands. I’m a regular guy, so a four-star resort is not an everyday experience for me. The Royal Sands is an impressive place, and I had to check it all out. I already knew that I wasn’t going to get much writing done on this first day in Mexican paradise, and I needed to get comfortable with my new surroundings first. I spent the day getting oriented. The weather was perfect, the resort was very comfortable, and I didn’t know anybody. This was going to be the perfect place to get comfortable and write. I was feeling good!

Just one thing to do before I turned in for the day. I needed to complete some tasks for a large bank client of ours. Once I completed these simple tasks, I planned to get some rest. I would get up early the next morning and get busy. No problem. I break out my laptop and get to work. Thirty minutes in, I notice that my laptop could use a charge. Easy enough. I grab my computer bag and stick my hand in the pocket where I always keep my power cord, and…

I FORGOT MY POWER CORD!!!

Who does this? Turns out I do. I’m notorious for leaving power cords behind, and my wife even reminded me before I left. Ugh. At first, a little panic. The panic didn’t last long though. Cancun is a big town, and I’m sure I can find a power cord somewhere. In the morning, I’ll just check with the front desk.

Finished up my bank work, then sat outside in the warm ocean air before I turned in for the night. It was a good day.

The Hunt

It’s Sunday. I’m settled, and I’m excited to get focused on what I came here for, writing! Quick shower, short walk on the beach, and a visit with the kind people at the front desk was in order. I asked the concierge if he knew where I could find a laptop charging cable. He had no idea. OK, not a good start. I asked if the resort had any laptop power cables that were left behind by other guests. Nope. I try my first inquiry again. After some back and forth, he tells me that there’s an Office Depot in town. Cool, they’re sure to have a cord! I whipped out my iPhone and found it. It’s only 10 miles away.

Take the R2 bus for 12 pesos, 30 minute ride, and I’m there.

I’m starting to feel a sense of relief and excitement as I walk in the store confident that they’ll have what I’m looking for. I had trouble communicating with the store employees because I don’t speak Spanish and they didn’t speak English. This just meant that I roamed around the store for awhile. Then voila! I’m in luck, a universal laptop charger with an assortment of attachments! I grab the goods for a closer inspection. The closer look revealed that this universal charger wasn’t all that “universal”. It didn’t contain my attachment, so it wouldn’t work. At the time I was using a Lenovo laptop with a rectangular male end. No dice.

What now? Well, I’m thinking that this can’t possibly be the only store in Cancun with computer accessories, and I was right. My trusty iPhone revealed that there’s an Office Max, a Walmart, a RadioShack (yes, Radio Shack), an Ofix, and a Sanborns. Plenty of options. I just need to walk. Lord knows, I can use the exercise. First stop Walmart, on the way I pass a scary looking jail or prison, no dice. Next, RadioShack, nope. Ofix wasn’t open. Sanborns had some computers, but no cords. Another RadioShack, and I’ve struck out. In all, I’ve walked 9 – 10 miles and I have nothing to show for it. My mind is racing because I have writing to do dammit!

I decide to do what I always do when I’m at my wit’s end. I called my wife. After discussing the situation, we figured we had two options. I could buy a new laptop or we could (maybe) ship my power cord from Minnesota to Cancun. We decide to check on whether latter. Twenty minutes later, my wife calls to tell me that FedEx can get my cord to me by Tuesday morning for $83. OK, deal. Between this time and Tuesday, I figure I’ll write thoughts on paper and conduct as much research as I can on my iPhone. I needed a haircut, so I’ll knock that out too in my new spare time.

On the walk back to the resort, I called a friend, just to chat. I shared my dilemma with him, and he had a seemingly brilliant idea. Isn’t there a Dragon dictation app for iPhone? My heart jumps, is there?! I open my iPhone’s App Store, do a quick search, and YES, yes there is an app! There’s an app called Dragon Anywhere. Sweet, I’ll just dictate my book while I wait for my new cord to arrive. I install the app, pay the fee to open all the features, and I’m in business.

Or so it seemed.

I don’t know if you’ve tried dictating a book on an iPhone, but it’s painful. I couldn’t get it to work well. I don’t think it’s the app, I think it’s me. Training the app, and my training for using the app, were both pains in the butt. In addition to my troubles using the app, I couldn’t get over the awkward feeling of talking to my phone without a person on the other end. I was not digging this at all, but I’d just have to fight through it. Maybe it would get easier.

I finally got back to the resort late in the afternoon, and I was tired. No writing on Saturday. A great workout on Sunday, but very little writing done. This is not going according to plan.

Painfully Waiting

It’s Monday morning. I have some expectations, and I have some hope. I expect to get my power cord the next day. Today I’ll spend my time muscling through the best I can with paper and an iPhone. I spend the morning writing thoughts in my notebook, doing research on my iPhone, and talking to a stupid blinking cursor that hated me. My frustration was mounting, but I had hope. By noon, I’d already had enough. I needed a break.

I took the bus downtown to get a haircut. I found this place called La Cueva del Lobo (The Cave of the Wolf). It was listed online and it looked like a decent place. The reviews were good, so I went. My barber didn’t speak a lick of English, so I used my phone to translate what I wanted. Oh my…

THE BEST SHAVE AND A HAIRCUT EVER!!!

I’m not a high-end barber or spa guy, I’m a give me a quick haircut and get me out of here guy. All I wanted was a quick trim, and what I got was so much more. The visit to this small barber shop in Cancun was an incredible experience. My barber’s name was Jose Luis, and this guy takes his craft seriously! It’s hard to put this experience into words. I knew that I didn’t want it to end, but it did. Is this weird?

Despite the fact that my haircut was magical, I still wasn’t making much progress on the book. Writing was painfully slow without my laptop. I tracked my FedEx package all day, and my spirits were raised with each new update. The updates showed my cord getting closer and closer. I went to bed this night confident that I’d be running at full speed sometime the next day.

Tuesday arrives. It’s another beautiful day. I continued my slow progress while checking the FedEx tracking for my package every hour. This was an uneventful day. Then 3:30 in the afternoon came. This is when I got the ominous message from FedEx. The status on my package had been updated with a bright red bold “Clearance delay” message. According to the update from FedEx, my power cord is in Cancun, but it’s held up in the “clearance process”. I have no scheduled delivery date anymore, so I’m not sure what to think.

After getting over the disappointment, I convince myself that it can’t take long for a power cord to clear Mexican customs, can it? Hope returns. Tuesday passes, no cord.

Wednesday arrives. Same status. I’m now wishing that I would have bought a new laptop during my forced tour of Cancun on Sunday. I could go get one now, but the cord could clear customs at any moment, plus my wife arrives in two days. This is a pickle. Called FedEx, they’re completely useless in this situation.

Wednesday passes, no cord. I hate writing on an iPhone and a notebook. 4-1/2 days gone, 15 pages written, all on an iPhone, using my teeny keyboard and a dumb dictation app that keeps misspelling every other word.

Thursday arrives. Same status. My power cord is still held up in the clearance process! It’s hard to express my anger. Checked the package status all day, same stupid message. At this point, I hate FedEx, I hate Mexican customs people, I hate writing, I hate my neighbors, I hate the sun, I hate ocean waves, I hate everything. Believe it or not, I’m a positive guy. Eventually I get over it. My wife arrives in less than 24 hours. She’ll rescue me again, this time with a power cord.

Thursday ends. Friday arrives. I’m juiced! My wife will arrive today! She’ll bring her pretty self and she’ll bring me a power cord! She arrived in the afternoon, with a power cord in hand. All seemed right with my world again.

Week one was over. Progress: 25 pages on an iPhone. Package still stuck in customs. On to next week…

You Want to Get Into Security? – Part 1

This is a five-part series about getting and keeping job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.

The series consists of the following articles:

Abundance of Opportunity – Introduction

First, a little background.

1992. That was the year I started my career in information security. We didn’t really call it information security back then, but it’s (mostly) what it was. There didn’t seem to be much specialization then. Most of us just did what had to be done to keep the business running. Certifications weren’t very popular yet, and there wasn’t a call for security-certified personnel. The first Microsoft Certified Systems Engineers (MCSEs) were named in 1993, and so were the first Certified Information Systems Security Professional’s (CISSPs). The information security industry was just starting to become a mainstream thing.

Today the information security industry is still young and relatively immature. This is especially true when we compare it with other service-related industries. For instance, the American Institute of Certified Public Accountants (AICPA) traces its roots back to 1887, and the American Bar Association was founded in 1878.

The information security industry is also complex. With each passing day, the industry seems to grow in it’s complexity, which is sad because I’m a firm believer that complexity is the enemy of security. The complexity leads to confusion. In fact, confusion reigns. It reigns despite the fact that some among us are too proud to admit it. The confusion creates chaos, and out of the chaos comes opportunity. Opportunities for investors, security product peddlers, consulting companies, and many others.

One opportunity in particular, and the one that we’re most interested in here, is the abundance of well-paying jobs. Like, lots of jobs.

Information security professionals, people like me, are in very high demand. Jobs are everywhere (for certain disciplines), the money is good, and future employment prospects are sky-high. A very frequent question that I get is, “How can I get an information security job?”. I could just tell you what I think, but I would be remiss if I didn’t put things into context for you.

Before you start enrolling in classes, updating your resume, and applying for jobs, you should know more about what you could be getting yourself into. One central theme throughout this series is to slow down. Don’t rush things.

Abundance of Opportunity.

When some people hear the word “opportunity”, they rush head on. They’ll rush without even knowing what the opportunity is. If you’re considering a new career in information security, or a career change, you should know more about the opportunities. If I were you, I’d be asking a few questions.first.

How much opportunity is there?

Do some research! Wait a second. Did you want me to do this for you?!

Fine. Here’s what I’ve found.

There’s a general consensus that the informations security industry is very talent poor, meaning that we’re hurting for more information security professionals. There are thousands of information security positions open right now. In fact, Cyber Seek estimates that there are 315,735 open positions in the United States alone. Here are some additional details about our talent shortage:

Seems like there are plenty of job openings, so that shouldn’t be a problem. Basic supply and demand would indicate that the pay must be pretty good then. It is.

*NOTE: The CISO position is the top of the corporate ladder for information security professionals. Two things to think about. First, you may choose a path of specialization in our industry and never become a CISO. This is not necessarily a career-limiting decision. There are non-CISOs that I know personally who have a tremendous impact and make more salary than the range cited above. Second, it takes a while (or should) to become a CISO. If you’re newly employed in this industry, it may take you more than 10 years to earn such a role. Keyword is “earn”. Please don’t take a role that you haven’t earned. Doing so hurts your career, your employer, and the rest of us in this industry. Wishful thinking…

Here’s another thing that I’ve learned about jobs in our industry, job titles matter. Not only do titles matter, there are a ton of them to choose from. In 2015, Lenny Zeltser identified 822 variations of information security job titles. This is probably a function of the industry’s immaturity and complexity. The job title you target or obtain will likely matter though. According to Nate Swanner at Dice.com, “If you want a decent cyber security salary, presenting yourself as an ‘engineer’ is your best bet: It’s a title that tends to pay on the higher end of the tech pro salary spectrum.”

If salary is your thing, there’s another factor to consider. Location. Some metro areas have a higher demand for security talent and some metro areas have a higher cost of living. Two important factors to consider. The metro areas with the highest paying information security jobs are Charlotte, North Carolina, Chicago, Illinois, and San Francisco, California. 

The graphic below is taken from the Cyber Seek website, and it shows the talent demand on a state-by-state basis.

6C3B2611-D130-486B-B236-49339BC3C684

To summarize, there are opportunities just about everywhere. More experience will mean more pay. Physical location and job titles should be taken into consideration too because certain locations and certain titles might mean more opportunity and/or salary.

If you have no experience, you might not have much choice in job title, location or pay. You will probably have to take what you can get. The information that I’ve presented to you thus far should be considered as you decide what path you’ll take in your information security career journey. It’s exciting to be someone who’s just starting out because you’ll have so many options along the way!

What’s the starting salary, and can I afford it?

This will depend on some additional factors such as how much (if any) experience you have, your education level, the type of organization that you choose to work for, and the industry your potential employer operates within. In general, the entry-level salary range is $38,000 – $68,000 for someone with no experience and without a degree. That’s a wide range because there are a wide range of different opportunities available.

The entry-level salary range for someone who has a few security skills (but not much) and a Bachelors degree is $49,214 – $92,285, with a median of $65,338. Again, this is a wide range for the same reason that I cited previously.  If you have more experience and/or education, you might expect more salary.

Now that you know more about the abundance of opportunity, we’ll get honest with ourselves and see if you’re the right person for the job. We’ll tackle this in the next article. Coming soon!