Archive for the ‘Infosec Management Tips’ Category

How to Write a Great Resume

February 16, 2015

Lately we’ve been working with people to help them improve how they present themselves. Some of the people we know well as great security consultants present themselves very poorly. This is understandable, as most of these folks have reputations that speak much louder than resumes. But it always helps to have a version of you on paper that will wow anyone who doesn’t already know you by reputation.

I always like to see a submission knock me over with why the candidate is not just qualified, but why I’d be an idiot for not hiring them. Make me want to shelve all the other resumes and call this person as fast as my fingers can dial. To do that, a resume must focus not on what the candidate did, but on why I should care, and then support those claims through the story of their history.

A “perfect” resume is one where as I read over it I get more and more excited. Every new line adds to the perceived quality and relevance of the candidate. No lines leave me wondering why I care or asking if it’s a liability. There is a clear progression and/or I can see how all of the experience contributes something to the value presented.

This can only mean a document specific to whatever you’re looking for. That is, what you want to do rather than what you have done. Highlight leadership, strategy, and management experience and skill building. It doesn’t matter as much what you did (tasks, technologies, responsibilities), as how you did it, and why you were successful. But these need not be created each time for each job you apply for – that’s what the cover letter is for.

The cover letter can make or break a candidate, so write a custom one each time. Often this is all a hiring manager ever reads, and it can be the quickest way to the top of the stack or the bottom of the bin. Treat it as a roadmap to your resume. Bring out specific highlights from your career that are precisely what the role calls for, in the way the role has been written. Shorten the distance between the job requirements and your qualifications to near zero. Reuse and customize your best bits from other cover letters, but make sure the result is specific to the job you’re applying to.

On your resume you might lead with 3-5 bullets that highlight your best outcomes and experience. 

  • Advanced degrees, security industry presentations, OWASP or other community participation and involvement show you are hoping to be a leader, not just in it for the money.
  • Categorize your experience through the lens of whatever you’re aspiring to so I can instantly see that you can do and have done what you will be asked to do.
  • An outcome you helped generate that ties into the story of your work history, particularly if you can relate a statistic or specific accomplishment.
  • Tell me how I will know you can do the non-technical parts of your job, like communicating to management, working in a team, hitting deadlines, etc.
  • Relate an extracurricular activity to how you can excel at your role, how it relates to security, or makes you a better employee.

Then tell a story with your professional and academic history. Expose a clear narrative, with each plot point building on the next over the course of your career, with the logical conclusion resulting in you having all the prerequisites. Make sure that the story doesn’t get confused and that it all ties into the overall plot line. Career or job changes are twists – if done correctly they strengthen the story. Be your own editor and ruthlessly cut out ancient history and tangential detail, rewrite to make the lines clear to the reader, bridge gaps or multiple short chapters so they don’t distract, and make the major points explicit rather than implied.

Having a great cover letter and resume will reduce your work, not increase it. You’ll cut the time spent looking from weeks to days. You’ll spend less time trawling Craigslist, Monster, LinkedIn, and other sources. And you can land a much more competitive role (think about it: would you want to work for someone who accepts candidates who look weak?).

Can you be too secure?

July 31, 2014

When I hear someone say “you can never be too secure,” I assume they don’t understand the implications of that statement. Perfect security can be seen as the absence of risk. This sounds like a tradeoff most people would want. But that’s not always the case. In fact, in most businesses it’s the opposite of what you really want.

Risk is at the heart of the capitalist system. Without risk there is no room for profit except through exploitation and collusion. So businesses must take risks. If there were no risk, competitors could easily enter the market and disrupt the industry.

So risk is necessary; risk is good. There is value in risk just as there is in security. Understanding and undertaking smart risks allows you to balance concerns with ambitions. Balance gives health; imbalance can lead to total collapse.

Enhance Innovation and Improve Security like Zappos

March 28, 2013

Zappos is known for having a culture that spawns innovation. They do this in unconventional ways for an online retailer, such as asking their employees to come into the office rather than working from home all the time. But their methods seem to get pretty good results, as they’re one of the newest and most highly regarded companies. A recent article in Fortune Magazine reveals other Zappos productivity and innovation secrets.

But one of their innovation secrets is a great boost to security too! Zappos requires all employees to go through the front door. “Even though it’s more inconvenient, we believe this helps our culture because it creates more opportunities for employees to have serendipitous interactions by colliding with each other in the main lobby.” That lets you cut costs and improve physical security by letting everyone monitor for tailgaters and those who don’t belong. It’s a great way to sell security as business friendly when you need a quick win in your security program!

Infosec Management Tip: There Is No Absolutely Secure Action

August 30, 2012

There Is No Absolutely Secure Action

It is impossible to say whether any given action is risky or not when viewed in isolation. Everything we do has a potentially positive or negative consequence, depending on the context. In other words, adding a firewall to your network may reduce or increase risk – you can’t say without more information. But most people – and I can’t blame them for this – want things to be instant and easy. “Just tell me the right way to do something” is the common sentiment. So if somebody comes along, for example a vendor or a consultant, and feeds that desire, they’ll get a lot of attention. But there’s a lot more subtlety to security and risk reduction.

Fortunately a larger and larger group of people are realizing that there is no one right or wrong way to do things. Over the last couple of years there has been a backlash against so-called best practices. Best for whom: The security organization? The company’s budget? The vendors who talk most about them? And if I can’t actually put this guidance into practice without hundreds of hours of work then are the guidelines themselves even effective at helping me reduce risk?

And who comes up with this conventional wisdom anyway – is there a group that just sits around and thinks up the absolute best way to do things? Most of the so-called best practices are simply the thing that most people do, whether it works or not. To get a guideline that is a best practice for anyone and everyone, it has to be so watered down that it is meaningless. Then, when you try to actually implement it, there are more ways to get it wrong than right.

To circle back to the original point, everything you do could be a double-edged sword. You’ve got to think smartly and make good decisions about what is right and wrong in your circumstance. For more on that train of thought, see the tip on Principles and Decision Making.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Principles Are More Important Than Tactics

August 27, 2012

Principles Are More Important Than Tactics

Security doesn’t come from the specific things you do. It comes from an overall approach to doing everything. In that sense, the principles that underpin your decisions and actions matter more than the decisions and actions themselves. Those statements may seem inscrutable or contradictory, so I owe you a further explanation.

Process and procedure can never be made so that they will, in isolation, provide optimum security. Even for very well thought out, nearly comprehensive tactics, unplanned events will always come up. You’ll have to make decisions when there’s no written plan and no precedent. When you’re making those decisions you need to weigh all the factors you can take into account and move forward based on your judgement. Your judgement here is a point-in-time reflection of your principles. If your principles fail you, so will your judgement, and you’d have to get lucky for your decision to be the right one.

In most organizations, processes and procedures leave a lot of room for decision making. It’s not just the occasional judgement call that has to be made; these usually happen on a daily basis at most levels of the organization. So strong tactics but poor principles will compound over time and erode even the best security program.

Instead, focus on coming up with strong principles, and make sure everyone knows them. Clear communication, understanding and internalization are key to having principles, not just tactics. This way, whenever any decision is made, there’s a good chance that the judgement behind it is sound. This also, by the way, will push decision-making down in the organization, freeing up management to tackle larger and more strategic issues and critical problems.


Infosec Management Tip: Business Is About Taking Risks

August 23, 2012

Business is About Taking Risks

One of the fundamental things that drives our economy is risk-taking. That’s the natural inclination of the most successful business people I’ve met. It’s the willingness to take the risk of going in a new direction – what you might call “venture risk” – that separates the promising businesses from the failing ones.

Let’s look at an example to better illustrate the point. Suppose we have two otherwise identical chair makers, making identical chairs. One day they overhear someone mentioning that having a cup holder built into the chair would be a good thing. That’s never been done before, so there’s a risk in making something different. Now one maker takes a venture risk and builds his next line of chairs with a cup holder, and it’s a hit, selling twice as many as before and even commanding a premium. The risk-averse chair maker sticks with the old design and sees a drop-off in sales. The venture-risk-seeking businessman wins. Enough of these successful venture risk decisions and he drives the other chair maker out of business.

(By the way, this is a principal criticism of the labor theory of value popularized by Karl Marx, which underpins Socialism. Also, for more on risk-averse behavior, check out the awesome TED presentation where Laurie Santos shows our behavior can be just as irrational as that of capuchin monkeys.)

But thinking back on the same situation, it’s possible to see that the risk-averse chair maker is also taking a risk. His risk is that failure to innovate will drive his company out of business. Now, his is what we would traditionally see as the safer bet. But expanding on the scenario just a little bit, it’s possible to show that the status quo is actually riskier. All you have to do is assume that some day a better chair will be created and put into production. This virtual certainty also virtually guarantees that the risk-averse chair maker will eventually go broke.

Most businesses today are a far cry from this idealized chair maker – even the chair-making industry. But the vignette translates well to the highly risk-averse attitudes of many CISOs and other information security professionals today. They try to eliminate all security risk, but in doing so they virtually doom the enterprise to certain failure. That’s why they’re often perceived as ineffective. Instead, CISOs should help their companies make smart decisions and help protect against security, privacy and compliance threats when taking venture risks.

Hat tip to Andy Ellis, CISO of Akamai, whose keynote at Hack In The Box Amsterdam partially inspired this post. You’re a smart man, Andy.


Infosec Management Tip: Prioritize Based on the Business

July 23, 2012

Prioritize Based on the Business

A lot of data isn’t worth what we spend to protect it. What’s worth protecting and what’s just not? That’s not a decision IT and IT Security should be making. Instead, count on the business to help you prioritize. This goes along with our tip to cultivate understanding between the business and Infosec. Prioritize security controls that play into what the business needs and leave the others for later. (And document this decision for the auditors!)

Example: If you’re working for Coca-Cola and you say to your Chief Taste Magician (or whatever his title would be) that you want to help him protect the secret formula he probably won’t care. Anybody with access to a mass spectrometer and a basic understanding of how to read the printout can figure out the formula. But he is going to care about patenting the technology they’re developing to get the soda fountain mouth-feel into a plastic bottle. That’s his priority for the Taste Lab and it should be yours too.


Infosec Management Tip: Beware Security Fads

July 20, 2012

Tools are a Means, Not an End

One of the biggest shames of our industry right now is that “silver bullet” tools have such a hold on media and mind share. Organizations typically try to deploy the latest product in isolation, without understanding what’s causing the issues they’re seeing. But tools used this way are bound to fail, raid the corporate budget, tie up valuable resources and just obscure the symptoms of the problem for a while longer. Organizations can only fix what’s broken by understanding the problems clearly and developing a solution, using proven methods, that fixes them. Only then should you start thinking about what tool fits into the solution.

Example: A lot of companies have asked about “tuning” their latest flashy box that’s not working right. But when you get talking to them, you find that the problem isn’t with the product; it’s somewhere else. Even if the product were at 100% efficiency, you still wouldn’t be able to solve the problem. One company had spent tens of millions of dollars on SIEM and other tools, but was using business school interns to run the SOC and didn’t have any plan for handling incidents! Another company had a DLP device that sat on the shelf for 2 years, and they hadn’t even clearly defined what data they cared about or where it should and shouldn’t be. Tuning in those situations would only be an expensive way of buying false assurance.


Infosec Management Tip: Focus on Fundamentals

July 18, 2012

Focus on Fundamentals

The basics take attention, consistency, time and iterative improvements. And they’re very effective! But too often we get distracted by other things and don’t do what’s needed. Instead, planning and project management can go a long way towards actually putting the fundamentals into place. Automating the basics and making them part of a routine can free you up to think about other issues and allow you to take action when you find something that really does need attention. And these things usually turn out to be very effective and cost efficient.

Example: I’ve audited a few places with very good security. And they’re the ones who start by giving their IT department the authority to operate (solid, board-approved policies), have standardized processes that are actually followed (formal procedures and light audits), harden their systems (limited users, no default accounts or passwords), keep good network limitations and visibility (segmentation with ACLs and open source IDS sensors that are watched), run solid patch management (quarterly cycles with emergency processes, covering servers and workstations, and not just the OS but also client-side third-party software), and build good security awareness (human-based training, awareness at the executive level, regular testing and improving based on the results). These are all things that take consistency and improvement over time, rather than expensive tools and huge one-time projects.


Infosec Management Tip: Cultivate Understanding

July 16, 2012

Cultivate Understanding

This is the opposite of running around trying to inform everybody of what you think is the biggest problem. It means sitting down with them to understand what their problems are, where their risk prioritization is, and then finding out where your concerns fit in there. Maybe they’re already aware of the threat and aren’t concerned; or maybe they have a way to mitigate it you hadn’t thought of; or maybe they need to listen, but don’t trust Infosec yet. By bringing the business into the Infosec decision-making process, there’s more trust, more chance they’ll listen when you talk, more chance you’ll have the right answer for their needs, and usually that all means more budget, plus more willingness to go along with what you want!

Example: I know of a company that was going into China to open R&D centers. The CISO was trying to say “no, we shouldn’t, it’s too risky because somebody could steal our IP.” But the business knew this – their strategy around it was to lean on other assets like brand reputation (which is actually fairly well protected in China) to protect against that. In other words, lost IP wouldn’t necessarily translate into lost revenue or profits. In another company the board of directors wanted to have their updates and formal reports delivered to an iPad. The CISO worked with Finance to say yes, because the costs of securing the digital distribution were lower, and the results better, than securing the hard copies. IT and Security helped save money, reduced risk and got a high-visibility win for the company.
