
Episode 109 Show Notes – Information Security @ Home

This is Episode 109, and we’re continuing our Information Security @ Home series.

We’re smack dab in the middle of the holiday season. Lots of people are going to receive neat, new electronic gadgets as Christmas gifts. Who doesn’t like cool new gadgets?! Your refrigerator can order milk before you’re out of milk, your dishwasher can send you messages when the dishes are done, your television can remind you it’s time to veg out on the couch for the latest episode of The Undoing, and your doorbell can show you who’s at the door while you’re away. We LOVE gadgets! (even if they end up killing us)

But wait! What about information security? What about privacy? What about safety?

Herein lie some problems. Problems that we (infosec folks) want to help you avoid.

Information security is an afterthought, if it’s ever a thought at all! We continue to connect more devices, install more apps, and stream more things. Home networks become more complex, and most people don’t even know what they’re trying to protect. This is your home network, and it’s your responsibility to use it responsibly. Nobody cares about the protection of you and your family more than you. It’s time to step up and learn some basics before this gets any more out of hand. (it’s already out of hand, but it’s not too late)

So…

In case you didn’t know, we’re less than 16 days from Christmas!

…and less than 23 days left in 2020!

I’m not sure what I’m more excited for at this point, Christmas or 2021. 2020 can suck it. Well, I guess it already has. Here’s to an awesome end to an ______ year!

I’ll (Evan) be leading the discussion this week, and these are my notes.


SHOW NOTES – Episode 109

Date: Wednesday December 9th, 2020

Episode 109 Topics

  • Opening
  • Catching Up
  • Information Security @ Home
    • Picking up where we left off in episode 108
    • Demonstration – The router/firewall
      • Finding your router.
      • Logging into your router.
      • Changing the default password.
      • Poking around a little bit.
    • What’s on your network anyway? You can’t possibly protect the things you don’t know you have.
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey oh! Welcome to episode 109 of the UNSECURITY Podcast. We’re glad you’ve joined us. The date is December 9th, 2020 and I’m your host Evan Francen. Joining me is my pal and co-worker, Brad Nigh. Good morning Brad!

[Brad] Cue Brad.

[Evan] It’s nice to come up for air this morning, and it’s nice to hang out with you man. How you doing?

Quick Catchup

It’s 4th quarter, I’m now a week and a half behind and it’s only getting busier. Hopefully Evan is in a better mood than episode 106.

We’ll discuss a thing or two…

Topics:

Transition

Information Security @ Home

[Evan] Last week, we got into some of the important things we should be doing at home. When I say “we” I mean everybody, security people and non-security people alike. We mentioned that step #1 should be to change the default password on your home router. We talked about it, gave some advice, and pointed people in the right direction. Today, I’d like for you and I to demonstrate how to change a router password and talk about it while we’re doing it. After this, we’ll poke around a little inside the router’s configuration. Once we’re done with that, we can move on to the next task: finding out what’s on your network.

Sound good?

[Brad] Cue Brad.

Begin discussion

Information Security @ Home Discussion

  • Picking up where we left off in episode 108
  • Demonstration – The router/firewall
    • Finding your router.
    • Logging into your router.
    • Changing the default password.
    • Poking around a little bit.
  • What’s on your network anyway?
    • Why is this important?
    • What you should do next…

Transition

[Evan] Alright. Good stuff. Hopefully our listeners learned a thing or two. For those who already knew this stuff, hopefully they’ll share with others.

That’s that. On to some news…

News

[Evan] Crazy stuff going on in this industry. What’s new? Well, here’s a few things that caught our eye this week:

[Evan] That’s a lot of news for one day, and that’s only the tip of the iceberg.

Wrapping Up – Shout outs

[Evan] That’s it for episode 109. Thank you to all our listeners. We dig you. Also, thank you Brad! Who you got a shoutout for today?

[Brad] We’ll see.

[Evan] Next week, we’ll continue the Information Security @ Home discussion. We’ll dig in a little more on identifying systems on your home network and talk about patching. In the meantime, send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and this other guy is on Twitter at @BradNigh. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

Episode 108 Show Notes – Information Security @ Home

NOTE: We’ll be a day late this week, recording on Wednesday. Work stuff and personal stuff, you probably know what it’s like.

It’s time for episode 108 of the UNSECURITY Podcast!

Brad and I (Evan) hope you had a wonderful Thanksgiving (assuming you’re in the U.S.). 2020 is a funky year to say the least. So many things that were “normal” before, aren’t so normal anymore. Despite the craziness of this year, we still found MANY things to be thankful for:

  • Our faith, and knowing that everything is going to be OK (eventually).
  • Our family.
  • Our friends.
  • Our co-workers.
  • Our community (the infosec community and our home community).
  • The people we serve.

While acknowledging that some of us have suffered significant losses this year, there’s always something to be thankful for. If you ever need support in dealing with loss or you’re just struggling, reach out to people around you. Here are some resources you might find helpful:

Love truly heals.

Some of us had a couple days off work last week. Monday we jumped right back in. The emails were still there (and maybe more of them), the projects are still in full swing, reports are still due, etc., etc. Assuming you recovered from the Monday onslaught, here we are! It’s Wednesday, and it’s time for episode 108!

Brad’s back, he’s leading the discussion today, and these are his notes. Welcome back Brad!


SHOW NOTES – Episode 108

Date: Wednesday December 2nd, 2020

Episode 108 Topics

  • Opening
  • Catching Up
    • What’s new?
    • Thanksgiving hangover?
  • Information Security @ Home
    • Picking up where we left off in episode 106
    • Why is this a big deal (personally and for employers)
    • What can we do about it?
    • Intro to what Brad and Evan do.
  • News
  • Wrapping Up – Shout outs

Opening

[Brad] Hey there! Thank you for tuning in to this episode of the UNSECURITY Podcast. This is episode 108, the date is December 2nd, 2020, and I’m your host, Brad Nigh. Joining me as usual is my good friend and co-worker, Evan Francen. Good morning Evan.

[Evan] Cue Evan.

[Brad] This will be the first time I actually get to talk to you about why yesterday was my first day back since 11/17. I have no idea what you’ve been up to because I was basically totally offline.

Quick Catchup

It’s 4th quarter, I’m now a week and a half behind and it’s only getting busier. Hopefully Evan is in a better mood than episode 106.

We’ll discuss a thing or two…

Topics:

  • 4th quarter is notoriously busy, like VERY busy, for us. Everyone is running at 100% capacity right now, which is good, but also stressful.
  • What’s going on at work? Any cool developments or announcements? Heck yeah there are!
  • Security Sh*t Show – no show last week. It was Thanksgiving!
  • Back to book writing…

Transition

Information Security @ Home

[Brad] Well, we had planned to do this last week, but 2020 won’t stop 2020’ing.

[Brad] We are going to go into more details about some of the things we do, hopefully without giving away too much, to try and help others. I feel like this could end up just about anywhere, so it should be fun!

Begin discussion

Topic Ideas:

  • Picking up where we left off in episode 106
  • Why is this a big deal (personally and for employers)
  • What can we do about it?
  • Intro to what Brad and Evan do.
  • Maybe we’ll show some examples and stuff while we’re here.

Transition

[Brad] Alright. That’s that. On to some news…

News

[Brad] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Brad] That’s it for episode 108. Thank you Evan! Who you got a shoutout for today?

[Evan] We’ll see.

[Brad] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan can be found at @evanfrancen. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

Episode 107 Show Notes – Happy Thanksgiving

Hey there, it’s time for episode 107 of the UNSECURITY Podcast!

Just when you think you can’t get any busier…

You get busier.

Maybe if I learned to say “no” a little more often. My dilemma is 1) mostly brought on by myself and 2) is a blessing. It’s better to be busy than to have nothing to do, especially when you’re helping people. I’m grateful.

Short introduction today. Too much going on to elaborate much (for now).

On to the show notes…

This is Evan, I’ll lead the discussion today, and these are my notes…


SHOW NOTES – Episode 107

Date: Tuesday November 24th, 2020

Episode 107 Topics

  • Opening
  • Catching Up
    • What’s new?
    • “Information Security @ Home”
  • Happy Thanksgiving
    • What are you grateful for?
    • What’s different this year?
    • What’s the same?
    • Holiday shopping tips for EVERYONE
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey there! Thank you for tuning in to this episode of the UNSECURITY Podcast. This is episode 107, the date is November 24th 2020, and I’m your host, Evan Francen. Sadly, Brad won’t be joining me today. He’s out of commission fighting a bout of labyrinthitis. The prognosis is good, so we expect him to be back soon!

So, this means you’re all stuck with me. I’ll do my best to provide some value for your ears and brain.

Quick Catchup

[Evan] The catchup time is a little different without Brad, so I’ll just give you a quick recap of what I’ve been up to.

Topics:

  • 4th quarter is notoriously busy, like VERY busy, for us. Everyone is running at 100% capacity right now, which is good, but also stressful.
  • Security Sh*t Show – this is live on YouTube every week; Thursday nights at 10pm CST.
    • Last week Chris Roberts and I did the Paqui One Chip Challenge online with a couple fans.
    • We also unveiled a new sticker (see below). If you’d like one, just subscribe to the Sh*t Show YouTube channel and let us know.

  • Information security hobbies – I’ve been working on a Raspberry Pi home network security device, including Kismet, pfsense, and Pi-hole. More to come on this next week.
  • Maybe another thing or two.

Transition

Happy Thanksgiving!

[Evan] Originally, Brad and I were going to continue our discussion about information security at home, then I realized that this is Thanksgiving week! Instead of talking about our original topic, I’m going to talk about protecting yourself (and your family) from holiday shopping scams. For many Americans, Friday marks the beginning of the holiday shopping season, and it’s important for all of us to be careful! Lots of things have changed this year, it is 2020, but some things haven’t. The scammers are still scamming, and most of the scams are the same this year as they’ve been in years past.

Some interesting stats/information:

  • 61% of Americans have already started holiday shopping (before Thanksgiving)
  • 22% of Americans start their holiday shopping on (or after) Thanksgiving
  • 15% of Americans start their holiday shopping in December
  • 2% of Americans start their holiday shopping in January (hopefully for next year)
  • Last year:
    • $730 billion was spent on holiday shopping
    • $135.5 billion was spent holiday shopping online
    • $71.3 billion was spent holiday shopping using a mobile device
  • Online holiday shopping (in terms of dollars spent) is expected to increase by 35.8%

More online shopping, coupled with the fact that most of us are more distracted than ever, means attackers could have a heyday.

Opportunity + Distraction = Success (for scammers)

Tips to protect yourself and your loved ones (we will make this into a checklist soon):

Most important – situational awareness. It’s the umbrella for all other protection activities/behaviors.

  1. Ship to a secure location – avoid shipping to places where merchandise could sit unattended and insecure for long periods.
  2. If you decide to use a mobile app for shopping, use official retailer apps only.
  3. Don’t save payment card (debit or credit) information in any shopping accounts.
  4. Use Apple Pay or Google Pay for payments wherever it’s available.
  5. If you’re unfamiliar with a retailer, do your research before buying. Make sure the site and retailer are legitimate.
  6. Don’t rush to purchase at the lowest price. Slow down and think about security risks first.
  7. Never make purchases on public Wi-Fi – Never.
  8. Use a VPN when shopping (or doing anything sensitive) online.
  9. Always use strong passwords and a password manager.
  10. Check security and/or privacy policies, especially for retailers you’re unfamiliar with.
  11. A legitimate retailer will NEVER ask for your Social Security number, so don’t give it out.
  12. Make purchases with credit cards rather than debit cards.
  13. Make purchases with prepaid debit cards rather than credit cards or regular debit cards.
  14. Review all your accounts and bank statements regularly. You should be doing this all year.

Please be careful this holiday season. DO NOT let scammers steal ANY of your joy or hope!

Transition

[Evan] Alright. That’s that. On to some news…

News

[Evan] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Evan] That’s it for episode 107. Gonna give my shout outs…

[Evan] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

Episode 106 Show Notes – Infosec @ Home

Hey there, it’s time for episode 106 of the UNSECURITY Podcast!

Short introduction today. Too much going on to get too wordy for now.

We’ll just jump right in to the show notes, if you don’t mind. This is Evan, I’m leading the discussion today, and these are my notes…


SHOW NOTES – Episode 106

Date: Tuesday November 17th, 2020

Episode 106 Topics

  • Opening
  • Catching Up
  • Information Security @ Home
    • So, what’s the big deal?
    • Taking inventory (what do you got?)
    • What do we (Brad and I) do?
    • S2Me – Today and a sneak peek in v3
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey there! Thank you for tuning in to this episode of the UNSECURITY Podcast. This is episode 106, the date is November 17th 2020, and I’m your host, Evan Francen. Joining me as usual is my good friend and co-worker, Brad Nigh. Good morning Mr. Nigh.

[Brad] Cue Brad.

[Evan] Man, I haven’t talked to you since last week on the podcast. What’s up, what’s new?

[Brad] Cue Brad.

Quick Catchup

It’s 4th quarter, so I’m guessing we’re both running pretty low on fuel. Personally, I have a cruddy attitude this morning, so this’ll be fun.

Topics:

  • Brad’s stuff. What’s he been up to, what’s he working on, and what’s a day in the life of Brad look like?
  • Great talk with Oscar Minks (last week’s guest) yesterday morning; U.S. incident response capabilities, cyberinsurance brokenness, etc.
  • Security Sh*t Show – what’s new here.
  • The book (UNSECURITY) is now in the Cybersecurity Canon!
  • Maybe another thing or two.

Transition

Information Security @ Home

[Evan] So, this weekend, I figured I’d go grab another Raspberry Pi to play with. I want to build a plug and play home information security device. First thing, figure out how to compile a good inventory of everything on my home network.

This is where the story begins…

Topics:

  • So, what’s the big deal?
  • Taking inventory (what do you got?)
  • What do we (Brad and I) do?
  • Tools, devices, etc. that could help
  • S2Me – Today and a sneak peek in v3

Begin Discussion

[Evan] Great discussion. Here are some news stories.

News

[Evan] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Evan] That’s it for episode 106. Thank you Brad! Who you got a shoutout for today?

[Brad] We’ll see…

[Evan] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

2019 Secure360

Almost caught up with my conference and talk summaries from a couple weeks ago!

Secure360 is arguably “the” security conference in the Twin Cities each year. 2019 was the 14th year for the event and it was very well-attended.

About Secure360

In the words of the Upper Midwest Security Alliance (“UMSA”):

This marked the first year that the event was held at the Mystic Lake Center in Prior Lake, and it was a perfect venue. Secure360 is a two-day conference, and I showed up in the afternoon of day two for my talk. I wish I had been able to be there for more, but business kept me away until then.

My impressions were very positive. The event was well organized, and there were people everywhere. I ran into a bunch of people that I know, which made the event comfortable too. I didn’t spend any time in the vendor area because I hate being sold stuff. Walking through the vendor areas at conferences sometimes feels like trying to survive a lion’s den with a T-bone hanging from my neck.

Judging from the published program, the quality of speakers and the content of talks was very good.

2020’s Secure360 conference will be held at the same place on May 5th and 6th. It will mark the 15th year, one heck of an accomplishment!

What was I doing there?

Just two things this time.

First, just like the Loffler event, this was a great opportunity to say “hi” to a bunch of people that I don’t get to see very often. I ran into some people that I haven’t seen in a very long time! Fun to catch up.

Second, I gave another talk.

The Talk

The title was Speaking Information Security. A copy of this talk can be downloaded here (link) and it’s also available on Secure360’s site.

Like the other talk earlier in the day, this one was also well-attended. This room was mostly full, which sort of surprised me. I was surprised because my session was in the last group of sessions on the 2nd day (last day) of the conference. I didn’t think people would still want to hang out. They did. Here’s what I said to them (in jest, of course).

“Ever throw a party? You know when the party is winding down, and there are those folks that just won’t leave? They keep milling around, you’re tired, and you’re trying to shoo them out the door… That’s you. You’re those folks.”

The Secure360 party was coming to an end, but these infosec party animals wanted to keep going. They were committed!

This was essentially the same talk I gave earlier in the day at Tech Fest, but I was bolder with this crowd. I might have been a little ornery because I was getting tired (3rd talk of the week), or maybe it was because I was talking to members of my own tribe (information security people). The point of the talk was to drive home the fact that we don’t speak the same language in our industry, and to make matters worse, we don’t have any good translations either. Take slide 7 for instance (pictured below).

Information security is… What? Just about everyone in my talk was a security person, but nobody wanted to give me an answer. Why? As I continued through the presentation, there was head nodding everywhere. Slide 20 made sense to everyone, it seemed. People were taking notes anyway, and nobody spoke up in disagreement.

By the time we got to slide 31, you could see skepticism growing on some people’s faces. S2SCORE for free?! FRSecure has sold millions of dollars worth of S2SCORE assessments over the years. Why would we make it free?! The simple answer comes from our mission: to fix our broken industry. That is our mission, not making millions of dollars on something that everyone should have. Let’s spend more time and money on fixing things.

I asked the audience, “How many of you are skeptical?” Only a few raised their hands. To the rest, I said (in jest again), “I thought you were all security people. I’m disappointed that more of you aren’t skeptical!” Laughs (maybe just obligatory ones). To the skeptics:

Help us. Join us to make a singular information security language that ALL can speak, and ALL can speak freely.

To the obstructionists; buzz off and get out of the way.

The talk was well received. People genuinely seemed interested, and a dozen or so stayed to talk with me afterwards. I met some new people and I’m looking forward to working with some of them toward some common goals. Oh yeah, I gave away some more books too. I like giving stuff away.

Overall, Secure360 is a great conference. I highly recommend it for the quality of the content and the wonderful people everywhere, which makes for great networking opportunities. Way to go UMSA!

You Want to Get Into Security? – Part 5

This is a five-part series about getting a job, keeping a job, and staying healthy as you progress in your career as an information security professional. There is no one way to do things, rather there are many. I won’t cover all advice, or THE advice, I will offer my advice. Some of the information covered in this series is also found in my book, Unsecurity, chapter 10.

The series consists of the following articles:

This is the fifth and final installment in the series: Staying Healthy. After this I’ll wrap the entire series together, do some editing, and make this a short ebook for anyone who’s interested.

Staying Healthy – Introduction

Caveat: This is where I’m a hypocrite. I will give advice that I don’t follow myself. The (sad) fact is I’ve established habits (some good and some bad) over the years that have become very ingrained into the way I do things. Throughout this article I will share more about my experiences because it’s what I know best. From these experiences, I will offer advice that you can take or leave. If you can follow the advice in this article, you’ll be healthier.

So many of us are passionate about what we do. We love information security, we love helping people, and we can easily take things too seriously if we’re not careful.

I’ll speak for myself here for a second. I love my job, I love the people I work with every day, and I love the people I get to serve. All this love makes my job not a job. Sounds great, doesn’t it? Sure. It would be, if I didn’t need sleep, or friends, or family, or exercise, or everything else that makes for a healthy lifestyle. If I were left to my own devices, you would find me dead behind a keyboard, doing what I’m always doing… work.

Thank God I’m not left to my own devices. I’ve got loving support and accountability, both of which are important to health and longevity. These things have served me well so far as I’ve survived more than 25 years in this industry. It’s not that I’m completely unhealthy, I’m just not as healthy as I should be.

Obviously, I don’t know everyone in our industry, but I can’t help thinking that I’m not all that unique. I think many of us work more hours than we should. I think many of us don’t exercise enough. I think many of us don’t eat as well as we should. I think most of us could use a little more sleep. Fine, but is this a problem?

The Problem

Our jobs come with stress. I don’t think we know if it’s more or less stress than other jobs, but I’m not all that concerned about other jobs. I’m concerned about information security jobs. Here are some recent news and studies about our stress and health:

CISOs appear to be stressed.

CISO Burnout is Real, Survey Finds – Based on interviews with 408 CISOs around the world. 1 in 4 CISOs suffer from physical or mental health issues due to stress. A little less than 1 in 5 turn to alcohol or medication. More than half have trouble turning off work, meaning they’re not able to completely disconnect from work to focus on other things, healthy things.

It’s not just CISOs either. I think all security professionals struggle with stress.

The stress isn’t even isolated to information security professionals. Even the non-professionals are feeling it.

OK, so it looks like there’s plenty of stress to go around, and I don’t think it’s going to get better anytime soon. Two things would be sad to see, two things that I’m hoping you and I will avoid:

  1. Burning out, or leaving our industry because of its unhealthy effects.
  2. Sticking it out, not living a life of joy, then retiring in mental or physical pain.

If there’s anything I can do to help you to avoid these things, I’m committed to that!

Support

Sometimes, working as an information security professional is a lonely job. We get so focused on the tasks and challenges we face some days. The tasks and challenges can start to become a part of who we are.

I don’t know about you, but sometimes it’s difficult to pull myself out of the work that I’m doing and get back into other parts of my life. When I get home some days (or nights) and I need to unwind, I don’t know where to share my thoughts or feelings for/from the day. If I do share, I feel like the person I’m sharing with doesn’t understand what it’s really like.

I wonder if other information security professionals feel the same way.

Family

The best support structure we have in our lives is our family. I’m convinced of this. Invest your time, energy, and soul into your family relationships, starting with your spouse/partner, and then your children, if you have them. No matter what you may think, family must come first. In return, you will likely get support beyond anything you deserve.

Note to those who don’t have a family or those with unhealthy family relationships. I have an extra amount of respect for you because I think your road is a little (or a lot) more difficult, and I admire your strength.

I’m not a family or marriage counselor. I only write from my own experiences on this matter. Without the support of my wife and my family, I wouldn’t be close to where I am today. My wife is my greatest cheerleader, and she makes the stresses of my job melt away (on most days).

I can’t overemphasize the importance of family support.

Mentor

Here’s mention of a mentor again. I’ve mentioned mentorship in at least three of the articles in this series. Mentors are helpful in so many ways, and getting one is well worth your investment of time and energy. I suggest you find one.

Associations and Trade Groups

Advice from someone who has been there before comes with credibility like no other advice can. There’s something that feels good about being with your own kind too. People in good information security associations (or chapters of associations) are a valuable asset and support structure for you as you rise through the ranks. Initially, you may consume more than you give, but in time the tides will shift and it will be your time to give.

Here’s a list of information security associations from Cybersecurity Ventures. Try a couple of groups out; if you don’t feel like you’re getting the support you need, try a different one.

Co-workers and Friends

My experiences have varied with confiding in co-workers and friends, and in seeking advice from them about my career. Mileage varies, and the advice falls somewhere between healthy and destructive. Sharing things with co-workers can sometimes lead to gossip and political crap that makes things worse (at least for someone). Friends sometimes just want to have fun, and will have trouble relating to my work life. Use discernment here.

No matter how tough or how cool you think you are, you need support. Everyone does. The earlier you set up your support structure, the better.

Accountability

Supporting us doesn’t mean cheering us on and making us feel better all the time. The right type of support comes from someone who loves us. It comes from someone who wants what’s best for us. If someone really supports you, or loves you, they’ll always tell you the truth. Sometimes the truth doesn’t feel good, and neither does accountability.

Find support that will tell you the truth and hold you accountable. For me, this starts with my wife. I also have amazing management teams at FRSecure and SecurityStudio who won’t let me stray too far off the path.

Balance

Personally, this is my hardest fight. I am not a person who understands balance very well, if at all. You see, I have an addictive personality. People with addictive personalities struggle with finding balance more than other people do. This was part of what I was alluding to when I mentioned earlier that I would work myself into the grave if I was left to my own devices. I am a work addict, and that’s not good. I have my other addictions too, which just complicates matters. This is another reason why a healthy support structure (or system) is critical.

Why is balance so important, if it’s not obvious?

There are (at least) two truths here:

  1. Everything in our lives requires some semblance of balance, otherwise everything falls apart.
  2. Everyone has a different balance, so be careful thinking what works for someone else will work for you.

Balance in your life between family, friends, work, play, etc. is healthy. The sooner you find your balance, the better off you will be. Make adjustments here and there, change your schedule until you get it right. Use your support structure to help you along the way.

The fact that your balance isn’t the same as someone else’s balance should come as no surprise to you. Some people are in balance working 40 hours a week, some are in balance working 60. Some people are in balance when they spend entire weekends with their family, while others work some on weekends. Be careful judging others, and be careful not to think that their balance should be yours. Your balance is your balance.

Find balance and stick to it. Don’t let someone else, even your job, disrupt your balance.

Health

Healthy habits do wonders for how you feel and perform. Your mood, your relationships, and your work all benefit greatly. Maintaining your health is important for life, let alone for your job performance and career longevity. For me this is also hard; it’s hard to find time for church, exercise, and rest. Between work, family, friends, and everything else in life, I don’t have any hours left in my week.

There are people who can live a balanced life, accomplish much, and still create the necessary margin to focus on their health. These people are to be admired and emulated to some extent, just not copied. You and I should create margin and make healthy living part of our lives too.

Spiritual

I rely on my faith every day. The name Jesus offends some people, and I’m certainly not out to offend anyone. I’m here to tell you the truth though. Jesus is the CEO of our business, and He has been since the beginning. Without faith, I think I’d be lost. There’s a long story here, but for now, just know that my faith is critical to my sanity and any of the success I enjoy (it’s a gift). When the day has gone to crap and I don’t know where to turn, I can turn to Jesus.

Now you know my faith, but there are many faiths in this world. People who have faith in something or someone larger than themselves, have something special. Genuine faith has a tendency to bring strength beyond your own, peace beyond your understanding, and courage to face battles you never thought possible. Faith also brings you into a family of other believers of the same faith, whatever faith it is you believe in. So, an added benefit to faith often includes a new support group.

Don’t neglect your spiritual health. If you have, make margin and find it (maybe again).

Physical

There are two parts to physical health, diet and exercise. Diet trumps exercise. If you don’t eat well, exercise won’t really matter as much. Slow down, eat healthy. If you need help eating healthy, get help.

Many, or most, of us work in an office environment where we sit at a desk all day. This, without the countering effects of physical exercise, comes with some very negative consequences. According to the Mayo Clinic, the consequences “include obesity and a cluster of conditions — increased blood pressure, high blood sugar, excess body fat around the waist and abnormal cholesterol levels — that make up metabolic syndrome. Too much sitting overall and prolonged periods of sitting also seem to increase the risk of death from cardiovascular disease and cancer.”

Sounds pretty serious. There’s good news though. One study of more than one million people found that an hour to an hour and a half of moderately intense physical activity per day can counter the effects of too much sitting. That’s great, but this is another 60+ minutes that we have to find. More balance, and more margin.

If you have the option of working at a standing desk, this will help with the sitting problem. The point is that you and I need exercise to live a healthy life.

Mental

Mental health often comes with a stigma, and that’s very sad. This one hit close to home for me last year, when we lost someone dear to us. His suicide cast a dark cloud on all of us, and we still struggle with it sometimes. He was a good guy with so many good traits and gobs of untapped potential. On the outside, nobody could have guessed there was anything wrong. On the inside, he must have been living a hell that few of us will ever know. We will miss him, and we’ll always live with this feeling that we could have helped if only we would have known.

Here’s the deal. Mental health issues can be complex, and there is no stigma. Even if there were a stigma, who gives a crap?

If you struggle with any mental health issue, there’s a whole army of people who will run to your side and fight alongside you, for you.

If you’re not suffering with any mental health issues yourself, recognize that there are people in your circle who are. Invest in your relationships and get to know the people in your circle. When you see an opportunity to help someone, help someone. Give them love.

Don’t neglect mental health issues. They don’t just go away, and you don’t just buck up. Mental health issues can be treated, but only with treatment. If you’re struggling with your own mental health issues, please get help!

At Work

Work can be healthy or it can be unhealthy. The decision is up to you.

People falsely believe that they work for someone else, when the truth is that you work for you. You make the decision on what your profession will be, where you will work, and who you will work for. Your employer doesn’t do that. If you feel trapped, get yourself out.

I’ve witnessed two ways that work has negatively affected health in employees. One is stress and the other is a toxic work environment. You can do everything right to live a healthy life, but if your work is killing you, it’s killing you. It doesn’t matter what else you do, if you drink poison, you’re going to die.

Stress

The number one unhealthy factor at work for security professionals is stress. Our jobs already come with inherent stress. It’s just the nature of our work. Like I stated earlier, it’s hard to say whether we actually live with more stress than other people, regardless of how it feels. It’s hard to say if our jobs come with any more stress than other peoples’ jobs, say like an accountant or janitor. It depends on the person. I know that I would absolutely stress out if I had to do accounting or clean some of the things janitors do.

I can’t help but wonder how much stress is caused by the person who’s stressed or by a person’s ability to cope with it.

Stressful situations affect different people in different ways. What makes one person stressed out can have little or no effect on others. It doesn’t mean that there’s something wrong with one person, it just means that they’re different people. If you’re stressed at work, don’t let it continue. Look for the source and talk to someone about it. If you find the source, and it’s addressable, address it. If you can’t find the source, or can’t find relief, give serious consideration to getting out of the environment you’re in and finding a new job or a new profession.

Maybe the environment you work in doesn’t jibe with you. Maybe the culture is counter to what you believe in; even if it’s not overtly expressed, you can feel it. Maybe you’re not made for the job you do. Maybe this career isn’t the right career for you. Nobody will know the answers like you can. Tap into your support structure for help. Living through a long career, laden with stress, will take its toll on you and your family, and I don’t think it’s worth it.

Pro tip: Slow down.

Toxic Work Environment

Studies have shown that working in a toxic environment will negatively affect your mental health. I had a job like this once. Thank God I was able to leave after ten months, even though it felt like an eternity. These were ten of the hardest months of my life, and I wasn’t the only one who noticed. My wife could tell that I was depressed and she knew the source. I’m grateful that I had good support and other options. You can have these things too with good support, a little creativity and some work.

If you can’t change the toxic work environment you’re in, and changing it is unlikely, then leave. Staying, even for a boatload of money, isn’t worth it. Especially when you consider that many of us possess skills that are in high demand elsewhere.

Summary

The information security industry is like no other, but it’s a great industry. Sure it’s a broken industry, but it will become more functional over time. Despite our brokenness, this is a wonderful industry filled with AMAZING people. The good people in our industry are my brothers and sisters. We fight every day to make the world a little better than it was the day before. I’m grateful for the men and women in this industry.

If you want to get into this industry, do it. If you’ve got the intangibles, we welcome you with open arms. I hope you found use in this series, and I’d love to hear your thoughts. Comment below or use the contact page to get in touch.

My best wishes for you!

You Want to Get Into Security? – Part 4

This is a five-part series about getting a job, keeping a job, and staying healthy as you progress in your career as an information security professional. There is no one way to do things, rather there are many. I won’t cover all advice, or THE advice, I will offer my advice. Some of the information covered in this series is also found in my book, Unsecurity, chapter 10.

The series consists of the following articles:

This is the fourth installment in the aforementioned series: Becoming Good.

Becoming Good – Introduction

Assuming that we’re progressing through this series in order, maybe you’ve landed your first job! Your first gig! Good for you!

If you’re like most* of us, you’re going to progress in your career. Some will progress because it’s just the natural thing as a function of time and opportunity. Some will progress because they deserve it, because they’re damn good at what they do!

It’s one thing to be an information security professional, it’s an entirely different thing to be a good information security professional. I say “professional” because we get paid, and I also use it as a generic term to apply to all the various types of jobs we do in this industry. Here’s a small sampling:

  • Chief Information Security Officer
  • Chief Risk Officer
  • Penetration Tester
  • Security Researcher
  • IT Security Engineer
  • Information Assurance Analyst
  • Security Systems Administrator
  • Senior IT Security Consultant

Every position in our industry plays a specific role in an organization and comes with specific responsibilities. The specific responsibilities may not be documented (different issue), but that doesn’t mean they don’t exist. They exist, and they’re not the same from position to position. Each role in information security requires the mastery of certain skills.

Are skills all it takes to be “good” though? The answer is NO. There’s more to it than that. Read on.

*NOTE – I use the word “most” because it’s generic. This means there are exceptions. Some (the leftovers from most) people have no desire to take on additional responsibilities in their career; they’re content right where they are. Perhaps they’ve reached the top, maybe they’re just OK with their place in the middle, or at the bottom somewhere. If you haven’t reached your potential, it’s sad to leave so much of it untapped.

Not Good? – You’re A Problem

When you’re not good at your job, there’s a good chance someone else, or many someone elses, pay the price to compensate for your lack of goodness. Sure, information security is about managing risk, not eliminating it, but your lack of “good” leads to poor risk management, and that costs someone something.

You see, information security isn’t as much about information or security as it is about people. It’s always been about people and it will always be about people. The more you and I suck at our jobs, the more people suffer for it. Sure, we can’t eliminate suffering, but we can do the best we can to make it less likely and less impactful*. If nobody suffered, there wouldn’t ever be a need for what we do.

The less good you are, the more people will suffer (in general).

*Less likely and less impactful ring a bell? That’s risk. The likelihood of something bad happening and the impact if it did. That’s the layman’s definition of risk.

If you’ve been around long enough, you can think of dozens, even hundreds of examples where bad advice was given, and an organization suffered for it, and through that, customers also suffered (eventually). If you haven’t been around long enough, here’s a quick example off the top of my head:

You advise an organization to buy a SIEM solution because monitoring and alerting is a good thing to do. They spend $100K+ on the SIEM and struggle over the next 6-12 months to get it working right (operationally). Great. They don’t patch and they have no asset inventory. Two questions then: 1) was the SIEM the best place to spend the $100K+, meaning was it the most significant risk, and 2) how effective do you think the SIEM is going to be when the company doesn’t even know what assets it needs to protect?

Was there more harm done than good? The devil’s in the details, but yes. There was more harm than good. Money is a limited resource and constraint; therefore, it must be spent wisely. The money spent on SIEM should have been better spent on the organization’s most significant risk(s), not on a technology because it’s “a good thing to do”. The most significant risk still exists, and customers are still more likely to suffer for it.

Simplified example, but you get the gist. Well-intentioned security professionals aren’t aware of the harm they cause sometimes, and this might be most obvious in the rapid growth in consulting.

Dangerous Consultants

We see them all the time, and they come in all shapes. Some are really good people with great intentions to make a difference. Some consultants are people a little less virtuous, wanting to make as much money as possible, regardless of who they help or harm. Both types of consultants can be dangerous if they’re not good. That’s the simple truth.

Read some books, passed some tests, bought a laptop, and set up a website. You are now an information security consultant! You’re smart. You have the best intentions. You’re likeable, and you’re inexpensive. You’re ready to advise organizations on what they should do to secure their livelihoods, right?

Mmmm. Maybe, but God I hope not.

There’s more to being good than that. It takes more than skills and more than good intentions. More than reading books, and more than passing tests. Smart helps, but there’s still something missing.

If you’re going to be a consultant, get good first. Please.

It’s easy to convince someone who’s more ignorant than yourself that you’re an expert. Use buzzwords, look confident, talk fast, and you’re well on your way. But you’re not good (yet).

  • Good consultants don’t need buzzwords, they can explain things in plain English so that others can learn and apply concepts.
  • Good consultants are confident when they’re doing what they’re good at. A good consultant will admit when they’re not good at something, but they usually know someone who is.
  • Good consultants talk at the pace of their audience. They’re not only good information security professionals, they’re also good communicators.

I could write all day about good versus bad consultants. Probably gone too far already.

What about you? Are you already good? We’ll see. Let’s explore how to get good!

How to Get Good

One more thing before we dig in. Are you a sports person? If you are, you’ll get this a little better than those who aren’t. In sports (depending on the sport), there are players, coaches, and player/coaches. Players perform on the field, or behind the keyboard, or wherever the game is being played. Coaches mentor, teach, lead, and prepare their players for the game. Player/coaches do both; they’re typically really good coaches, but they don’t play as much as they used to.

I say these things because I’m a player/coach. I don’t play nearly as much or as well as I used to. It’s important for you to know that as you consider my advice.

I assume you’re here because you want to get good. So what does it take to be a good information security professional, or good at anything really? Like most things in information security, the concept is simple, but the application is hard. There are three simple ingredients; intangibles, education, and experience. Anything else is icing on the cake.

[Embedded tweet]

These things (or ingredients) are in the book, they were in a recent tweet (above), and they’re also here. Consistent message from me because it’s truth.

Words of caution…

It’s important that you don’t rush things. There’s enough stress in most information security jobs, and I highly recommend that you refrain from adding the stress of trying to outperform yourself. Take your time, keep moving forward, don’t take shortcuts, and you’ll be fine. I know there’s lots of opportunity out there, and I know there’s a ton of money to be made, but my best advice is DON’T RUSH. The opportunity and money will come, and you’ll be healthier for it, if you do things the right way.

Intangibles

You might recall that I also covered intangibles in the second article of this series (The Right Person). Intangibles are things that can’t be taught. You either have them or you don’t. There are moral intangibles, like the ones covered in the previous article, and there are gifts (sometimes called natural talent).

Some people are just gifted for certain things while others are not. Do what you can to find your gifts or strengths early and often. The sooner you understand what you’re gifted for, the sooner you’ll find what you’ve been built for. The information security field is broad enough to accommodate a wide variety of gifts, so don’t fret about that.

Get honest with yourself and discover what you’ve been built for, but how?

I don’t think that there is any one way that works best for everyone. Meditation works great for some, but not others. Faith works well for some, but not others. Therapy and/or counseling works well for some, but not others. I’ll share what works for me, but let me remind you that you may not get the same results. I find my honesty and gifts through faith, and I found good value in a book called StrengthsFinder. My faith provided a foundation, while StrengthsFinder led me to what I’m naturally good at.

Find what your gifts are and keep seeking. No matter how good you get at knowing yourself and your gifts, you’ll still need to engage in some trial and error. You will learn what you’re gifted for over time (if you focus on it), but you’ll need to find the courage to act.

Education

I include skills with, or under, education. There are millions of opportunities to educate yourself. Some people prefer a formal college degree, some don’t. Some people prefer certifications, some don’t. Some like books, some like instructor-led courses, some prefer video. Whatever method of education works best for you, do it. Then keep doing it. You will never learn everything there is to know. Learning is awesome. DON’T EVER STOP LEARNING.

If you stop learning, you die. At least your career does.

Find the learning resources that work best for you. If you recall, I shared some learning resources in a previous article too. One learning opportunity that I personally invite you to is the FRSecure CISSP Mentor Program. It’s free, and it’s a great opportunity to learn (and share).

Experience

This is the one ingredient that I see new information security professionals struggle with the most. It’s because this is the one ingredient that takes the most patience. People who de-emphasize the value of experience are some of the most dangerous information security people in our industry. Without experience, we lack the street smarts to know how things will really (or actually) work. Education and skills will teach us how to do stuff, but we won’t learn all the circumstances, context, and oops’ unless we’ve done it before (or been with/witnessed someone else who did).

The experience catch-22. You need experience to do something (or progress in your career), but the only way you’ll get experience is by doing the something. The experience catch-22 sucks, doesn’t it? Here are some suggestions to overcome it:

  • You might need a mentor to take you under his/her wing a little.
  • Sometimes we have to take calculated risks, like doing something that we’ve never done before, but doing it in a way that will be calculated and not reckless.
  • Hate to admit it, but sometimes we (hopefully slightly) fake it until we make it too.

Combating the experience catch-22 isn’t easy, but you can find your way over it (or around it) if you’re focused and determined.

Wrapping This Up

That’s it. Want to get good? Focus on you. Work on what you’re gifted at, get educated, get out there and take your lumps in the real world. If you lack experience in something that you need experience in, go get the experience, even if it means a different job. At the end of the day, you work for you (ahead of your company).

Whatever you do, don’t ever try to be someone you’re not. You will fail, and you will fail those who believed in you.

We’ll wrap up this series in our next article. Once that article is complete, we’ll compile this series into a small ebook for you and anyone else who liked it.

Writing UNSECURITY Journey – Back Home/Kidney Stones

A series of posts dedicated to the journey of writing my first book, Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?

This is the seventh article in the series. The others:

See here for the full list of articles, including those that are yet to be written for this series.

Introduction

You already know what’s coming in this article. My titles in this series aren’t very creative, are they?

It was good to be back home. The only thing that sucked was the weather. In Cancun it was sunny most days and the temperature was in the mid-to-upper 70s. At home, it was below zero and snowing. The good news was I wouldn’t be tempted to go outside much. Good writing weather!

Cancun was mostly a success, minus the first week drama. The score at the beginning of the Cancun trip was; 76 days to go before my self-imposed deadline and zero words written (sort of). I came back with a score of 62 days to go and 21,672 words written. Seemed good to me at the time. Remember though, I was a naive newbie writer, and I had no clue how long these books are supposed to be or what they’re supposed to look like.

The Routine

While I was away, I had few interruptions. At the office, I was interrupted constantly. I love being an accessible leader who’s genuinely interested in every employee who works at FRSecure and SecurityStudio. Between my need to be with our employees, the phone calls, meetings, and emails, there was no time to write anything between the hours of 8:00am and 5:00pm.

I wanted to avoid writing at home because I knew it would dominate family time. Something had to give. I needed to find writing time somewhere.

The solution… I’ll get up every morning at 3:00am, get to the office by 4:00am, and write from 4:00am to 8:00am. Brilliant. I knew that I wouldn’t be able to do this every morning, but I would try anyway. If I couldn’t find the energy some mornings to get out of bed, I would just reset the alarm and find an hour or two somewhere else in the day.

Week one was essentially shot because I hadn’t figured out what I was going to do yet. It was a struggle to catch up with emails, let alone write anything. Score: 54 days to go and maybe 22,000 words done. I felt like I was starting to fall behind, but I was sure I had a solution.

Week two, Monday morning, I’m up and raring to go! Good writing session. Tuesday, same thing. Wednesday, starting to drag a little. Thursday, nope. Friday, somehow managed to get in early, but could not write anything. My brain was not having it. The 3:00am thing is going to be a real turd. Maybe I’ll try 4:00am instead.

Turns out the 4:00am each morning did the trick. Some days were better writing days than others. I tracked my progress each day by how many words I wrote. Some days I wrote 1,200(ish) words and some days I struggled to write 250 words. Here’s what I learned…

How many words you write each day doesn’t matter as much as writing each day.

Kidney Stone

Life was good, and I was trucking along, until one morning I didn’t feel right. I wasn’t sure why, but I felt like I needed to use the restroom really bad. No problem, to the restroom I would go. At this time it’s probably 5:30am, and there’s nobody else in the office yet. I didn’t feel right, but there was no reason to panic.

I tried writing, but it was a struggle because I couldn’t concentrate. I constantly felt like I needed to go to the bathroom, yet every time I went to the bathroom, nothing happened. There was no urine or bowel movement, just an unusually pronounced feeling that I needed to excrete something. As time went on, the feeling got worse, bit by bit. The time was now 9:30, and I’m getting a little more concerned.

Things progressed much faster, and by 11:00am, I’m laying on the bathroom floor. Wasn’t panicking before, that’s changed. Something is seriously wrong. Thankfully my wife was in the office at the time, so I told her about my problem. I told her that I need to go to the doctor right away. I don’t know what’s wrong, but I know that it hurts like a sumbich. She knows I have a high pain tolerance, so this is very unusual. She immediately gets the car while I get my jacket.

We’re in the car on the way to the nearest clinic, 15 minutes away. She keeps asking me if I’m OK, and I don’t want to talk. I want the pain to go away, and I’m in full on “GIVE ME ANYTHING TO TAKE THIS PAIN AWAY RIGHT NOW” mode. After an eternity, we arrive at the clinic. We get in to see a doctor quickly and the doctor starts asking me a bunch of questions. I don’t want to answer any questions! The pain is unbearable, and I want her to 1) give me something to make me feel better or 2) shoot me. She tells us she thinks I have a kidney stone, and that I have to go to a hospital.

That’s it?! No drugs? No gun?! Just go to a damn hospital?! Useless. I’m pissed. I’m angry. I feel like an alien is going to come popping out of my stomach or my ass or my back at anytime (I can’t tell which). I’m obviously dying, and now I’m told to get back into a car and endure another 20 minutes of hell before I eventually get to the emergency room. Fine. Whatever. I’ll do anything right now.

Another eternity passes. Two eternities in one day if you’re keeping score. We arrive at the emergency room, and more questions! The nurses want to ask me questions, and I don’t want to talk to anyone. I want drugs or a bullet. That’s it. My wife intervenes (she’s an angel) and eventually I end up in a bed. Still dying, but dying harder now. How can I possibly be dying harder? This is crazy! Why God?! What did I do to deserve a living death like this?

We’re in this room with a curtain thing that separates my bare bottom in a scratchy gown from the rest of the world. A nurse or doctor (I can’t tell because I’m having trouble seeing now, I think) comes in and she wants to ask me questions too! Seriously, stop with the flipping questions already, and get down to business! I look at my wife in desperation. She tells the doctor I don’t want to talk and she answers for me. Out of all the questions that were asked, I heard one that I actually wanted to answer. The doctor asked what my pain level was on a scale of 1 – 10, 10 being the worst. I blurt out, “it’s a 20!”. Even that answer was hard to muster between my panting and dry heaving. Oh yeah, the pain is making me dry heave now.

Seriously, I’m dyyyyyyyiiiiiiiinnnnnnnggggggggg. The doctor leaves for some reason or another, and now I can’t lie down. I’m pacing the room, stopping to lean head first against a wall every now and then. While I’m pacing and trying to find some way to move in a manner that will give me some relief, I can overhear the nurses outside my shower curtain door talking about recipes for some whatever thing. I’m like, why?! Why do you let a good man die while you talk about tater tot hot dish recipes?! Life sucks. Seriously, is this the end?! Is this how I’m going out?

Finally, a nurse comes in to see me again. She wants me to pee in a cup. I want to shove the cup up her… No! I stop myself. It’s the pain talking. I did shout, “when can I get some drugs?” She stopped what she was doing and gave me a puzzled look. “Wait. Nobody has given you anything yet?” I can’t say anything because I want to cry. My wife answers for me, and before long I get some morphine. Thank you Jesus!

The pain slowly eases, and I can talk better. Why do things like this always happen to me? For one, this mother of all pains, and then forgetting to give me some drugs? Double whammy of suck.

The morphine didn’t take the pain away entirely and it didn’t last very long either. My pain probably dropped to an 8 (which is a helluva lot better than 20). Seemed like thirty minutes later, and my pain started to inch up again. Next up, the doctor wants a CT scan. OK fine, just don’t forget the drugs. The whole CT scan thing was quick, and before I know it, I’m back in my room. The pain is getting really strong again, but the nurse gives me something in my IV right away. Within five minutes I’m feeling good. Like, what the hell just happened?! I asked the nurse what she just gave me, because I want that stuff on stand-by.

I was expecting the nurse to tell me the name of some super-narcotic, but no. She gave me ibuprofen in my IV. Ibu fricken profen?! Really?! Yep. I was too amazed and exhausted to ask them why we didn’t start with this an hour or two ago. The results from the CT scan were ready, and it turned out that I had a 7mm kidney stone. The doctor suggested that we let the stone pass. Skeptically, I agreed. She thought it would pass on its own and told me if the pain comes back, take more ibuprofen. Easy enough. I LOVE Ibuprofen (now).

Before the doctor left, she mentioned one more thing on the way out. She requested that I come see her at the nurse’s station after I got dressed. I asked her why. She wanted to show me something on my CT scan. My wife and I looked at each other, and we could read what the other was thinking. Why? What do you want to show us? I quickly got dressed and scurried out to the nurse’s station where the doctor was waiting for me.

She showed us a grainy looking image. In the middle of the image was my kidney. The doctor pointed at the kidney, and focused our attention on a darker part of the image. She explained that she’s concerned about a “mass” on my kidney. Apparently the mass had a diameter of 55mm. She advised that I get a CT scan with contrast soon, and that was that. She wouldn’t answer any additional questions and just referred us to our family doctor for next steps.

That’s it… Writing wasn’t really on my mind anymore, at least not on this day.

You Want to Get Into Security? – Part 3

This is a five-part series about getting and keeping a job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.

The series consists of the following articles:

This is the third installment in the aforementioned series: Landing Your First Job.

Landing Your First Job – Introduction

I have to admit, it’s been a very long time since I landed my first information security job, and it’s been more than 10 years since I’ve hunted for any job at all. This means that my advice will come more from somebody who hires than from someone who’s looking for a job. I think the advice is still valid, but you can judge for yourself.

My first information security job came in the early 1990s. I had the pleasure of cleaning boot sector viruses off thousands of Windows 3.0 and 3.1 computers. Back then, information security wasn’t really a thing like it is today. Even though there are more information security jobs today than there were then, I think it’s harder to get jobs now for some reason. Probably unrealistic expectations. Anyway, it’s not easy for most people to land their first information security job.

In this article I’ll give you some tips that I hope will help you get your first information security job.

Matchmaking

Getting a job is like finding a girlfriend or boyfriend on a matchmaking site. People post a profile of themselves and all the things they’re looking for in a mate. Then there’s other people who also post a profile, but they’re more active in looking for a date. These people browse profiles, sometimes for hours, looking for the right person to contact. In our analogy, the first person is the company or recruiter, and the second person is the one looking for a job.

The first objective is to get a date with someone. The ultimate objective is to go steady, or enter into a committed relationship. Dates are interviews and going steady is landing the job.

A match isn’t likely to happen if either party has unrealistic expectations. Not all jobs are like an exceptionally attractive European noble with billions of dollars and a love for puppies. You might want a unicorn job, and the hiring organization might want a unicorn to work for them, but these things are extremely rare for someone who’s new to this industry. Keep your expectations in check.

The matchmaking analogy applies best to using job sites like Google, Indeed, Monster and others. As we’ll see, this is only one way you can go about finding a date, and it might not be the best.

Getting a Date

When you’re trying to get a date, you don’t want a date with just anyone, do you? Hopefully not. We want to find the right person, the right job. Hopefully, you’ve done some research and prepared yourself for the job market as we outlined in our previous article. If you did the research, you’ve probably found some good job sites.

Where to find dates

There are many ways and places to land a date, and there are many places you can go to try to find an interview. Depending upon your specific circumstances and your specific preferences, choose the right path or paths for you. Here are ways people find us at FRSecure and where we might find you too:

Internships

Internships aren’t for everyone because they don’t usually pay well, if at all. Internships come in all forms. Some are paid, some are not, some require experience, some do not. Paid internships can be a challenge to find, but they’re out there. Unpaid internships are a little easier to find. A simple Google search for “where to find information security internships” will produce many leads for you; however, the best way to find an internship is through someone you know. Ask around.

Most large organizations with security teams and information security companies offer internships. Contact them directly and inquire. This will give you more control and might land you an opportunity with a company you like more.

Job Sites

Using a job site is fast and easy. It should be included in your strategy, but I caution against using job sites as your sole source for dates/interviews. These are some of the job sites you might want to check out:

  • Google – Google integrated with ZipRecruiter in 2017 and produces pretty good results. Just type a job title and the word “jobs” into Google search.
  • LinkedIn Jobs – There are plenty of jobs and some good job seeking advice on LinkedIn. You will probably want to use LinkedIn for yourself anyway as you build your career; it’s a well-known and heavily used networking tool.
  • Indeed – A clean, quality job site.
  • Monster – A job site that has been around for a long time (1994). It’s still a quality site, even though it’s not as dominant as it used to be.
  • ZipRecruiter – A very popular job site, and probably one of the fastest growing.
  • CareerBuilder – A popular job site, but not one of my favorites. I have no objective reason for this site not being one of my favorites though, it just isn’t.

These are the major job sites that I know of. Whatever site(s) you use, be sure to document what jobs you’ve applied to and keep track of any/all responses. It probably doesn’t reflect very well if you apply to the same job multiple times through multiple sites.

Networking

Networking is difficult for some people because they don’t feel confident or comfortable in groups or crowds. I get it. I’m one of those people. Go to local information security events, meetups, chapter meetings, etc. to meet new people. You can network with anybody, and they don’t have to be security people. If you get good at networking, you’ll find that most people know a security person that they can put you in touch with. Getting referrals or door openers is a differentiator that could work in your favor.

Mentor

Mentors are great for many things, helping you land a job is just one of those things. Mentors will help you prep for interviews and offer wisdom throughout your career too. Everyone should have a mentor, no matter where you’re at in your career. My mentor and I met in 1995. He was my boss when I worked for Jasc Software (known for Paint Shop Pro). We’ve both moved on in our careers, but we still have a standing coffee meeting every Friday, and his support has been instrumental in my success.

Finding a mentor isn’t easy. You’ll have to take a risk and ask someone, and they might say no. A mentor could be a teacher you had in school, a boss you admire (like my mentor), a friend you respect, a family member, someone from church, or anyone in between. I suggest that you write down the names of five to ten people you respect and admire, then go ask them if they’d be willing to be your mentor. If you strike out, do some online searches for mentorship programs. They come and go all the time.

Once you feel you’re ready, be sure to return the favor by becoming a mentor for someone else.

Local Community Events

There are groups of information security people meeting all over the place, all the time. Chances are very good that there are information security groups meeting regularly in your area. These are great places to meet and learn from other information security professionals. Building relationships with others will create a wonderful support group for yourself and open doors to all sorts of opportunities, including jobs.

Where I live, in Minneapolis, there are more than fifteen information security-related groups that meet regularly. This means that I could conceivably attend fifteen or more events every month, and meet hundreds of other security professionals. Pure gold!


A simple search on meetup.com will probably produce some good leads for you. The Information Systems Security Association (ISSA) has local chapters all over the world, and they welcome new visitors. Other organizations that have local chapters all over the United States (and maybe the world) include the Information Systems Audit and Control Association (ISACA), InfraGard, and the International Information Systems Security Certification Consortium (ISC2). Check them out, it’s worth it.

Prep for Dating

Alright, hopefully you’ve got some good leads now. You have a solid resume, right? If you don’t, get one.

Need help? Start with a sample resume. You can ask for one from a friend or see if you like one of these free online samples:

Now you need to plug your information into the sample/template resume. If you don’t have any experience, you might not have much to put down. Don’t let that discourage you. There are companies who put a high price on intangibles. Take where I work for example, we always hire for the intangibles first. Intangibles are the things that align with our core values, which were covered previously in Part 2.

Think we’re the only company who does this? Think again. Just last week (2/21/19) I had the honor of moderating a panel of amazing female security experts for an AnitaB.org event at the University of Minnesota. AnitaB.org is a great organization supporting women in technology. One of the questions for the panel was “What skill sets would you look for in your team?” Each of the panelists gave their answer, but none of the answers had anything to do with technology skills. All the answers were about the intangibles! Good validation for what we already knew.

Fill your resume with information about you, focusing on how you will help your employer. Include your community work (if you have any) and be sure to list the groups you’ve been attending (see above). I used to customize my resume for each job that I applied for. This would ensure that my tangible and intangible skills would align perfectly with what they were looking for.

Additional tips for writing a good resume can be found online:

Above all, be sure that the resume is true to who you are. We want a company to like you for you.

Your Best Face

Alright, you got a date?!

You want to be you, but you also want to be a good fit for the culture of the organization. If you haven’t already, now’s the time to do some research. Find out everything you can about the organization and about their culture. Find out how they dress, because you don’t want to overdress or underdress for the interview. Find out what they believe in, because you’ll want to validate and compliment their mission. Find out about their successes, because you’ll want to acknowledge them and verbalize your commitment to helping them achieve more successes like them.

Put the address for the interview into a mapping application days before your interview. Figure out your route and how long it will take you to get there. If you don’t feel comfortable with the drive, make the drive yourself a day or two before your interview.

Get to the interview at least 15 minutes early.

Eat something reasonable before you go to the interview. Pee before you get there.

The best advice I can give you in preparing for an interview is to be you. Don’t try to BS or be somebody you’re not. The person you’re interviewing with will probably see through your ruse, and if they don’t, you can’t feel good about starting your relationship being somebody you’re not.

Making a Commitment

You had an interview or two, or twenty. Now you get an actual job offer! Somebody wants to go steady. Yay you! Now you need to make a choice: do you take it or not? This is gut check time. My suggestion is to not take any job that you can’t commit to for at least two years, and ideally five years. Ask yourself if you could see yourself with this organization for two years or more. If the answer is no, I would say no to the offer. This takes a certain amount of discipline, and your circumstances may not permit any choosiness. Most people would take the offer anyway.

The reason why I suggest staying with an organization for two years or more is because it validates your intangibles. It shows that you take commitment seriously, you are loyal, and you understand that you can’t rush experience.

You may decide to negotiate your offer, but if you’re new to the industry, you probably don’t have much to negotiate with. I’d advise against much, if any, negotiation.

CONGRATS on the offer and the new job (hopefully)!

Conclusion

Getting your first job in this industry isn’t as easy as some people think. You need to work at it and you need to be creative. Make friends, make connections, and earn a good reputation. Take a pragmatic and formal approach to the process; after all, you are working for you!

Now that you landed your first information security job, how are you going to become a good (and ever-improving) information security expert?

BONUS: What is an “expert” anyway? This was a question that Brad Nigh (co-host of the UNSECURITY Podcast) asked me today during our recording of episode 16 (available 2/25). Comment below. No Googling or official definitions allowed. 😉