Today’s interview is with Ben Tomhave. I first met Ben at RSA 2009 and he made sure that I wasn’t left behind during the post-conference dinner at Fisherman’s Wharf. That fact alone is enough to get him on the list 😉

Q: Tell us a little about yourself.

Hi, my name is Ben. *waits* … was that too little? 🙂 I’m a security guy, been around the block a couple times, have an MS in InfoSec Mgmt from GWU here in DC, currently living in Northern Virginia (NoVA), where I’ll be for the foreseeable future after a recent misadventure moving to Phoenix (and back)… I’ve worked in a wide variety of IT/infosec positions throughout my career… only started a company once (security consulting), but it didn’t work out (Dot Com bubble burst)… I have a family, I practice Brazilian Jiu-jitsu (when I’m not lazy or injured), and I enjoy exercising (or not), especially with kettlebells…

Q: How did you get interested in information security?

It kind of came naturally to me… some of my earliest security memories were playing with tools like TIGER and COPS back in high school to learn about UNIX configuration, auditing, and security… going through school right as the dot-com bubble built and the Internet became the “next big thing” allowed me to find a niche looking at all the systems and data going online and realize “holy cow, this stuff is wide open, we’re so screwed!” 🙂 This led to early work doing systems and network administration, including helping desktop techs with early malware (spreading from 3.5″ disk to disk, or later via email). I’m sure it all makes sense cosmically (or is that comically?).

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

Yes, I went to school, and college, and grad school. Plus, I even have a certification (CISSP). I think the value comes from a variety of indirect angles. College taught me how to optimize my self-learning. It also helped develop and refine my writing skills (it’s not enough to have something to say, you also need a vehicle for delivering that message). Grad school taught me better how to do formal research, plus also introduced me to some interesting (esoteric?) business approaches, like decision trees, that I otherwise would never have heard of. Grad school also allowed me to produce original research that continues to allow me to frame infosec in ways that nobody else is doing.

Much of my useful computer skills are self-taught. I started playing around with FreeBSD 1.1 in high school, and continued on to Linux in college, and so on. It’s the typical story of tinkering, I suppose, but it’s been an effective way for me to learn. Lots of early hands-on technical experience led me to appreciate some of the problems we see between IT and management. This helped me realize in college that security was largely a matter of IT misalignment.

As for certifications… oh, sigh. I got (and maintain) the CISSP for one reason: it became a recruiter checklist item. Without it I had trouble getting my resume through to the hiring managers, since I didn’t know enough people directly in the industry. Now that I’m older and know more people, I’m not convinced that the CISSP adds much. Honestly, I find it hard to take any certification seriously that only relies on a single theory-based test. Just because you can memorize a bunch of facts
in the short-term does not mean that you will know what to do with that information when the time comes to apply your learning. For that matter, many certs don’t even promote learning, just rote memorization that gets flushed within a few short weeks.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be a fighter pilot and an astronaut. I’d probably rather be flying F-16s, yes. Unfortunately, I don’t exactly have the right kind of personality to make it in the military. I should know, because I tried a couple times (my first college choice was the USAFA, which I began, but quickly abandoned).

Q: What projects (if any) are you working on right now?

As of right now, I’m technically out of work. To that end, I’m actively working to build a pipeline and portfolio of customers in order to launch my own independent consulting business. So far I have several leads, but am waiting for things to form up. If anybody is looking for outside help, whether it be for security planning or program management, high-level assessments, compliance planning or remediation, training & awareness, or a variety of other security-related work, please ping me! 🙂

In my other time, aside from the eat-sleep-work cycle, I’m working on a white paper updating my TEAM Model, and a series of blog posts to accompany that release. I’m also working on a book project (had a proposal accepted, but have decided to go another direction with the project). As usual, I have a ton of writing projects and not nearly enough time to get them all done. 2010 will be a busy year!

In my personal time (whatever that might be), I’m re-adjusting to life in NoVA after moving back here (with family in-tow) last October. The Phoenix experiment is over. Now to unpack boxes and find out where miscellaneous things disappeared to (and there are lots of misc. things missing right now, which is annoying).

Q: Can you give us a little more information on your TEAM model?

The TEAM Model was created in 2005-2006 as part of my masters research. The initial research inquiry was to find an all-encompassing model or framework that could be used to build and manage a complete security program. Through my research, I identified models, frameworks, and methodologies (according to a fixed definition). After identifying numerous methods, it became apparent that nothing comprehensive existed.

As such, I shifted focus to writing a model that could be applied to almost any organization to describe a security program (or, “enterprise assurance management”). The TEAM Model v1 brought together risk management, operational security, and audit management into one requirements-driven model. TEAM v2, currently under revision (I’m working on a white paper for it), genericizes things a bit further in order to make sure that areas like appsec and metrics also have a role.

The research really grew out of a frustration of dealing with competing frameworks and methodologies, all pushed as “the solution” for whatever your infosec needs might be. In 2004-2005 it was very common to see ISACA pushing COBIT, BSi pushing ISO 17799 (now 27001/27002), and SOX folks pushing COSO (to name a few). Unfortunately, comparing them was folly because they all had different objectives and missions. The deltas were huge, which made it a pain to try and implement “once”. Of course, in looking at them in-depth, it was silly to do them all overlapping instead of trying to optimize their strengths under a larger program approach. Hence, the TEAM Model was developed to harmonize areas that had traditionally been setup as being in competition with each other.

Q: What is your favorite security conference (and why)?

I’m more of an RSA Conference kind of guy. I enjoy the more commercial-oriented environment. Though it’s hard not to like the fun of Black Hat and DEFCON. I also need to give a shout-out to CIScon in Helena, MT. It might be small, but the quality is very high.

Q: What do you like to do when you’re not “doing security”?

Is this a family show? 🙂 Just kidding… my interests are varied, my time limited… quality time with the family is always nice. I also practice Gracie Jiu-jitsu, which is a lot of fun. Beyond that, reading, writing, and just generally slacking off.

Q: What area of information security would you say is your strongest?

I am, quite intentionally, a generalist. My experience has depth in several areas, including architecture, compliance, risk management, security program management, incident response management, and proactive security programs. I’m sure some who read this will roll their eyes and moan about how worthless generalists are, but I see it as a vital role that bridges the gap between techies and business, even within the security community.

Q: What about your weakest?

I have no real experience with malware research and analysis. It’s an area that never really interested me. I find malware incredibly annoying, but I’m far more interested in the human factors that drive that underground industry than I am in the code itself.

Q: What advice can you give to people who want to get into the information security field?

I honestly don’t think people should look to go into a dedicated security role/profession. We need people with security knowledge and skills working within all aspects of the business. The best thing someone could do with interest in infosec is study it on the side while finding ways to integrate it into their daily operations in whatever role they’ve been assigned. This advice holds especially true for people on the business or legal sides of the house.

Q: So it sounds like you advocate being more of a generalist in the field. Do you think that most people in our professional have “career tunnel vision” when it comes to information security?

There are a couple primary perspectives on generalization vs specialization. On the one hand, no matter what you think may be your specialty in infosec, you have to maintain a relatively broad, general level of skill across the board just to be able to understand what happens within the industry and community. On the other hand, many argue that eventual specialization is inevitable because the industry is simply too broad to cover it’s full breadth while having any degree of reasonable depth in any one topic.

I certainly see merit in both arguments, but also believe that both sides have a place. The higher you get in the people stack, the more generalist you have to be. If you’re a front-line engineer, analyst, or consultant, then you have the luxury of being specialized. Many people are happy with their specialties, and thus stay with tracks that allow them to work in that one area, becoming SMEs to a degree that some of us will never achieve.

On the flip side, someone has to manage organizations; someone has to see where all the pieces fit together; someone has to have a vision for a better tomorrow; someone has to be able to build bridges between SMEs in different areas, identifying cross-over, areas for collaboration, and ways to optimize effectiveness and efficiency. You simply cannot do this with a narrow view of infosec.

In terms of tunnel vision, again, some people have the luxury of working with blinders while others don’t. The challenge is in making sure that contributions from these focused people are not taking out of context, and that they’re not allowed to dictate to the broad community based on a narrow vision that can’t be, or isn’t, adequately generalized.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Blog: www.secureconsulting.net
Twitter: twitter.com/falconsview
Google me