Feb 1

Today’s interview is with Dave “Shack-Fu” Shackleford. I’ve known Dave for more than a few years and he is one of THE guys to go to if you ever have a security related question, need a cake baked, or need a Mr. Clean stunt-double.

Q: Tell us a little about yourself.

Married with a 9-yr old, live in Atlanta GA, been in infosec for a long time, networking and sysadmin before that. Before computers, I was a professional chef.

Q: How did you get interested in information security?

I was interested in the subculture of hackers and hacking for a long time before I actually fell into the field. I started doing IT consulting while in college, then worked in telecommunications for a while. I went back to school for a 2nd degree, and one of my professors’ “day jobs” was Infosec Mgr at a Fortune 500 – he recruited me. Once I started there, I never wanted to do anything else.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I have a Bachelors in Microbiology/Psychology, another one in Computer Information Systems, and a Masters in Business Administration. I own over 3000 books, and read constantly, which I think is more important than schooling for our particular discipline. I have a slew of certs, from CISA and CISSP to MCSE and CCNA to GCIH, GCIA, GSEC, etc. All good for mental exercise, and some have been good for “selling” my consulting services or getting paid better.

Q: Do you find your Psychology Degree or your MBA to be more beneficial when communicating security concepts to those who aren’t in the trenches? Does one help more than the other?

It depends on the audience, but the psychology degree helps out in surprising ways! Having a general understanding of what makes people tick, how they’re likely to behave or react, and how to get them on board with your programs is beneficial in any discipline, not just security. In that regard, it may be somewhat more useful overall. However, in the average consulting engagement or internal security project, you’re dealing with business or IT folks, and the MBA helps a lot in the latter case. Presenting security as a business case in its own right tends to be more successful, I find.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be a doctor – I originally studied genetic engineering. I still have a deep fascination with genetics and biology, but I found my passion in IT, particularly security.

Q: What projects (if any) are you working on right now?

Writing a whitepaper series on virtualization security and incident response. Putting together a few conference speaking abstracts. Working on a few SANS projects, of course.

Q: You’re always busy working on something. How do you find a way to balance your time and family life?

I’m pretty lucky – my career is also one of my major passions in life, so I don’t feel like I’m working half the time, truth be told. I’m a great example of someone who gets into trouble when I’m bored, so keeping me occupied is a good thing. However, I have a few ways to balance things. First, I do something outside or away from the computer every day. Usually, it’s something fitness-oriented, but not always. I work from home, so I’m deeply involved in my daughter’s life, from taking her to school every morning to going to see her gymnastics practices in the evening, but weekdays are tough just like most working families’ lives are. The weekends rock though – we always have some great family activities, from going to museums or movies to hiking and camping. We also do a lot of world travel together, with at least one or two trips outside the country every year. Finally, and this is good advice for anyone that’s married – find some time for you and your spouse. Turn off the blinking thing with the email and the Internet, and go let loose for a bit. My wife and I take several weekend trips every year while my daughter stays with the grandparents, and it’s good for all of us. Vegas is a good choice. :)

Q: What is your favorite security conference (and why)?

A tie between Shmoo and Defcon. Defcon wins, though – I like Vegas more than DC, and warm weather more than cold. Lots of people I know are at Defcon, so I can catch up with friends and relax a little bit. I hate “stuffy” conferences.

Q: What do you like to do when you’re not “doing security”?

I do “adventure races” – kayaking, mountain biking, running, etc. I’m a total fitness nut. I’m also a musician, been playing piano for 30 years and learning guitar.

Q: What area of information security would you say is your strongest?

Incident Response and Intrusion Detection. Next would be risk management and compliance…I know, it’s pretty diverse. :)

Q: What about your weakest?

Reverse engineering. Never had a reason to do it for a job or otherwise.

Q: What advice can you give to people who want to get into the information security field?

Don’t get in because it seems “cool” – you need to love it intrinsically, and lots of it is boring and repetitive. Also, spend some time in other areas first. Learn programming, networking, etc.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Blog is www.daveshackleford.com, Twitter ID is daveshackleford. LinkedIn works well too.

Jan 28

Today’s interview is with the Defender of the Commonwealth, ham radio twit, and surly security guy – Ben Jackson.

Q: Tell us a little about yourself.

I’ve always referred to myself as “just another geek from Boston” as we seem to have our fair share up here. I’ve lived in Massachusetts for all my life, the first 25 or so years in Lynn, about 20 miles north of Boston, and now in New Bedford, about an hour and a half south. My family bought our first computer in 1991 when I was 11 and I have been addicted since. My family went online in late 1994 on this then brand-spanking new thing called the “Internet”, and it’s been a downward spiral ever since.

Currently I work for the Commonwealth of Massachusetts as a Senior Information Security Engineer. Laugh all you want about Government jobs, I’m lucky to work with a talented group of people and it still gives me the warm fuzzies to work in the public sector.

Q: How did you get interested in information security?

I think I can trace my beginnings with security to when I was in college. First, my college had a fairly… permissive firewall ruleset on the Academic network and if you were running a Linux server on the network you got a lot of attention from folks all over the world. If you didn’t quickly learn how to secure your computer, you would soon have a lot of extra accounts. Second, at my co-op job, I was tasked with evaluating, installing, and maintaining the new centralized AV server. This caused me to start looking at BUGTRAQ and Full-Disclosure. Finally, my senior year the computer science college at my University started running a twice-yearly CTF competition and I dominated both contests. This kind of made me realize that I might have a knack for this.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I have a BS in Computer Engineering Technology from Northeastern University (Go Huskies!) and I hold GCIH and GIAC Silver certifications from SANS. A Professor at college said that in the computer field, all a College degree means is that you are willing to work at something for 5 years. I really didn’t learn much from classes in college regarding InfoSec but it did provide a lot of opportunities via my co-op assignments and extra-curricular activities. The SANS certifications were good and I recommend them. They were an excellent mix of hands-on and textbook. Getting the certifications was a two-birds-with-one-stone kind of deal for me, as not only did they show to others that I knew what I was talking about, they also proved to me that “Hey! I do know that stuff fairly well!”

Q: Do you find it difficult to “sell” information security in the public sector? What are some of the biggest barriers you encounter?

Thankfully, no. I was lucky. I came on board with my group when the new Administration came in and they took information security seriously. I am pleasantly surprised as to how many of the groups are “drinking the Kool Aid”, working with us, and baking security into their processes.

Q: What did you want to be when you grew up? Would you rather be doing that?

Easy question: I always wanted to be a firefighter. While I think that my current job has similarities, there is a slight difference between racing into a burning building and fighting a virus outbreak. I guess this is why they have a sweeter ride.

Would I rather be doing that? I guess I can call it my fallback career for another year as I think the application cut-off is at 30 years old, but I don’t think they’d want someone who doesn’t enjoy heights.

Q: What projects (if any) are you working on right now?

My free time for projects took a dip 8 months ago when my wife forked our child process. I still try to find free time to muck about with fun toys. I maintain an Amateur Radio version of the Security Twits list called “Ham Twits”. I’m also in the process of trying to take some projects that have been on the back burner for far too long and breathe some life into them, such as a simple Windows-based forensics tool.

Q: What is your favorite security conference (and why)?

DEFCON. I made it out to Las Vegas a couple times for DC12 and DC13 and I always miss going when it rolls around. I feel it’s a really good mix of infosec, a social weekend, and booze.

Q: What do you like to do when you’re not “doing security”?

I am a new daddy so I’ve been slowly figuring out that role over the past year and loving every moment of it. I also am fairly active in amateur radio and enjoy a good book. Another strange hobby of mine is messing around on the telephone and calling numbers just to see what happens.

Q: What area of information security would you say is your strongest?

I’m pretty good at web application penetration testing and interpreting network traffic.

Q: What about your weakest?

Everything else? One thing I really wish I was better at is finding vulnerabilities and exploits in applications that aren’t web based. SQL injection and XSS are cool, but there always seems to be some kind of heavy magic in working with shellcode and buffer overflows.

Q: What advice can you give to people who want to get into the information security field?

Learn how to write and how to explain yourself. 90% of your job in information security is to convince people you’re right. If you can pull this off, you’re going to save yourself hours of headaches.

Q: Are you at all worried about what the state of security will be when your son starts getting “online”?

Yes and No. I worry more about trying to walk the fine line of letting him get online and not having him shoot himself in the foot (or worse, shoot me in the foot) in the process. How do you teach a youngin’ about not clicking suspicious links, disabling Flash, or mitigating the latest 0 day? Should I start working “adjusting AdBlock and NoScript settings” between ABCs and sandbox time?

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

I have a blog at http://www.innismir.net and am active on Twitter as @innismir. There you can find me pontificating about InfoSec, Amateur Radio, and whatever else floats through my head. Also, just to be different from everyone else who may answer this, you can also find me on the 146.775MHz West Bridgewater, MA repeater every morning when I commute.

Jan 25

Today we interview Wim Remes from the land of chocolate, Jean-Claude Van Damme, and beer with fruit in it. That’s right, Belgium.

Q: Tell us a little bit about yourself.

I am a 33 year old Joe Average from Belgium. I live in Hoboken (yeah, I know there is a Hoboken in New Jersey too. I live in the real one.) near Antwerp with my wife and three kids. I have worked in IT for 12 years now and have been focusing on security for about 7 years. I’ve worked as a helpdesk operator, IT admin and consulted managers on information security management. I think this mix is what makes me understand all levels when it concerns information security: from the users who want to get their job done, over the geek who salivates over every new technology he can throw into the mix, up to the CEO who’s only concerned about the numbers.

Q: How did you get interested in information security?

If I look back far enough there is this moment when my dad bought our first 486 (it had this fancy Hercules monitor). It only took me a few days to find out how to set a password on the main menu. My father went ballistic because he shelled out a lot of cash for that computer and now I was the only one who could use it. It simmered for quite a while and I didn’t actually go further in the security part of computers. When I worked for a big American company in ’99, we were involved in the whole Y2K mitigation process and I got in touch with some awesome security people in the UK and the US. I took that knowledge to my next customer and started to build up a lot of network security knowledge and in the end I became the security guy at my employer (a consulting company).

Q: What is your educational background?

I only hold a high-school degree in IT, which accounts for basically nothing. When I started I was a field engineer, but I vowed to myself to never stop learning. Since then I did a lot of studying on my own, whatever subject interested me. I actually tried to get my university degree through evening school but at that moment (working as a sysadmin) I couldn’t see the value of all the theoretical stuff I was learning. I think I’ve always looked at knowledge I can translate to or use in whatever I am doing at a particular point in time. I have however (with the necessary pressure applied) obtained several “professional” certificates. I think, from a hiring perspective, some of my employers might have judged me partially on the certificates on my resumé. I personally feel that my time in the trenches has contributed more than whatever combination of multi-coloured pins I can sting you with.

Q: What did you want to be when you grew up? Would you rather be doing that?

I have had several dreams about what I wanted to be. Among those were being black (I was 16 and listening to gangster rap), being Asian (17, and them girls were cute!) and being rich (18 and I wanted my second hand motorcycle to be a Harley Davidson). What I really wanted to do was writing, but I am not a prodigy in that department. Sure, I would love to spend my time behind a dusty typewriter and publish books and win prizes. At the point in my career where I am now, I wouldn’t trade this profession for anything in the world. I don’t think there’s anything I’d rather do right now, but never say never.

Q: What is your favorite security conference (and why)?

I have two. Accidentally those are the only two real cons I’ve attended :-) First there is Brucon (http://www.brucon.org) which was organized for the first time in September of 2009. It is close to my heart because I volunteered there and the atmosphere we created was really special. The second one I attended in November 2009, as a speaker, was Excaliburcon. Firstly, because it was in China and I have a strong bond with that country and secondly because I was a speaker there and attending a conference in that way is a completely different experience. I met the most awesome people and came back totally charged.

Q: Did you notice any differences between the European and Chinese hunger for security knowledge whilst at Excaliburcon? What is your impression of the information security industry in Asia?

Yes, absolutely. In Europe you see an absolute hunger for knowledge; apart from the very high quality conferences like hack.lu, CCC, Brucon, etc. there is a growing hackerspace scene. People are getting together and sharing knowledge. There is not a real teacher/student hierarchy and everybody pushes everybody forward. It’s pretty amazing actually. The same information sharing attitude is entering the corporate world as well. In China, the hunger is there absolutely, but while I feel that you learn the most by discussing and juxtaposing opinions, this is not part of the Chinese culture yet.

The “teacher” enjoys a privileged position in China, students respect him/her and are not expected to question his material. When we were at Excaliburcon though, we felt that this also is changing. I had awesome discussions with several attendees and speakers. It was actually one of the goals for which we were there and I think in future editions this will shine through even more.

Q: What do you like to do when you’re not “doing security”?

That’s a difficult question for me. Between my job, the Eurotrash podcast, some blogging (very low profile right now) and studying all the time, I try to be a decent dad and husband. I love to go out for a good meal and some entertainment and play volleyball occasionally. That’s about it.

Q: Tell us a little bit about the Eurotrash podcast.

I got my first taste of podcasting while doing the Brucon podcast, which I did together with @security4all. It was fun interviewing the speakers so I wanted to do more. At Brucon I met @daleapearson, @chrisjohnriley and @craigbalding and we kinda agreed on one thing: while there are some high quality infosec podcasts out there, there wasn’t one that focused on Europe. The reason we believed we needed one is twofold:

We have some pretty amazing talent in the infosec scene that rarely steps into the limelight, and the way information security is handled here is very different. It went very quickly from there: Mirko Zorz (@helpnetsecurity) designed our logo, @xme was kind enough to host our content and our guestlists filled up nicely. So far we have done four episodes, including interviews with Didier Stevens and Mokum von Amsterdam (I’m not sure whether I can use his real name …) and a joint episode with the guys from Exotic Liability which was a blast to make. I think in 2010 we might get better at podcasting so people should consider sitting through a few more “average” episodes.

If not for us then maybe for our funny accents?

Q: What area of information security would you say is your strongest?

I see myself as pretty versatile. I focus a lot on Identity and Access Management these days and I have a passion for log management, intrusion detection and security incident and event management. I think I’m pretty good at incident handling and network security too.

Q: What about your weakest?

I sometimes wish I was more of a coder and could be able to find my own vulnerabilities in applications. Because that would make me a rockstar. But I hate coding with a vengeance. I hold my own on application security but I feel I have to spend more time on the subject to really ace it. Compliance is something I try to stay away from as much as possible.

Q: What advice can you give people who want to get into the information security field?

Engage in your local community. ISSA, ISACA, Defcon chapters. There’s plenty of awesome people there. Just talking to them will give you a lot of food for thought. Don’t be afraid to ask questions. Don’t look at cons as the ultimate place to learn. Most learning will happen on your own, fueled by the ideas you get from others. And last but not least, don’t be afraid to get your hands dirty. You have to dig deep to find the awesome stuff.

Q: How can people get hold of you?
Twitter: http://www.twitter.com/wimremes
Email: wim@eurotrashsecurity.eu
Blog: http://blog.remes-it.be (my blog is pretty dead right now, I hope to find some time in 2010 to blog more)
Phone: +32497597454

Jan 18

Often mistaken for an angry and embittered former member of ZZ Top, Jack Daniel is one of the most recognized faces in the Information Security industry. In honor of his 50th birthday, we’re posting his D-List Interview today.

Q: Tell us a little about yourself.

I’m just some old dude who hasn’t grown up and somehow ended up in security. I like to build stuff, and fix stuff. Breaking stuff is fun, too, but I find building and fixing things more fun and more satisfying. I have pretty good diagnostics and troubleshooting skills, which is pretty handy for someone who likes to fix things (dramatically improves the success ratio). I also have pretty good BS detection skills, and don’t have much fear of calling people on things. And you can always ask Google about me, but some other dude hogs all the search results for my name.

Q: How did you get interested in information security?

I got “into” Information Security the same way I got into IT, management, and many other things: it started because no one else would do it. Things were broken and no one else would fix them. Then things were compromised and no one else would fix them or prevent a recurrence. Then, being deranged as I am, I found I enjoy the challenges of InfoSec, and *some* of the people in the field.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I’m a college dropout. Life interfered, and besides, there’s too much to learn for me to waste time in school (apologies to your current employer). Certs? utbCCNA (utb=used to be), MCSE/MCSE+I oros (oros=on really old stuff, as in NT). I have a CISSP to rub in people’s faces when needed. I generally refer to myself as a “reluctant CISSP”, a distinction I believe many CISSPs share.

I think the certs have helped at the time I got them, but I actually used the training and testing process as a way to learn, not just put letters after my name. Even at my age, my lack of a college degree is occasionally a stumbling block, but that’s life, there are always stumbling blocks.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be a marine biologist, then a marine geologist, then I met some of them. So, no, I don’t think I would prefer those careers.

Q: What projects (if any) are you working on right now?

We’re remodeling the house, room by room, currently on the kitchen. Oh, you meant in InfoSec…

The most interesting things I’m working on are in the security community. I have been an active member of NAISG since the beginning, and am on the board of directors. NAISG is an approachable security group with chapters around the US and one overseas, and I’m trying to help the group and chapters grow. I am also working on building the Security B-Sides events, helping grow these alternative events and offer venues for topics which should be getting more exposure.

Q: What does NAISG offer that other security organizations don’t? Is it US-centric or can it flourish within other countries?

NAISG is open to anyone with an interest in security, and is notable for what it isn’t, and what it doesn’t have: no cost, no prerequisites to participate, no “old boys club” nonsense, no need to drop zero day to join, and no sales pitches for presentations. Members range from small business admins, to students, to security professionals, and anyone else interested. NAISG has evolved from a local user group into an organization with chapters across the US and now one in Bangalore, India. I believe NAISG is a good fit where security information isn’t getting to people who need it. We also provide a framework and web infrastructure to ease chapter creation for those interested. More info is on our site at www.naisg.org.

Q: What is your favorite security conference (and why)?

That’s impossible, I go to many and like some things about all of them. I love Shmoocon, because it is Shmoocon, an ever-so-slightly grown-up hacker con. Great people. Good, balanced content. Not a small event, but not too big, and SOURCE Boston, because of the quality content, the speaker/audience ratios, the professional, yet informal feeling. And of course B-Sides events, because they open conversations and provide venues for talks and panels you will not hear anywhere else.

Q: Tell us a little more about B-Sides. How did it come to be?

After the “Thanks, but no thanks” notes went out for BlackHat USA 2009, several people expressed their disappointment, primarily on Twitter. It was suggested that there are always good talks turned down, and that it would be great to have an alternative venue for some of those talks. Idle chatter led to serious talks, and the idea became a reality. The event was great: the presentations rocked, the house had a great “intellectual frat house” feel, and a good time was had by all. There was a core group of people who were instrumental (Chris Nickerson, Mike Dahn, Travis Goodspeed, Jeff Espinoza, and more), and more people than I can count helped make it a success.

Before it was over, there were requests for more B-Sides events. There was one in Mountain View in December, and this year we have B-Sides scheduled for San Francisco, Austin, Boston, and Las Vegas, and there’s talk of one in Washington, DC. The goal is to have a fun and informative exchange of information, with none of the “rock star” nonsense of some events, and none of the tedium of many other security events. Details at www.securitybsides.com

Q: What do you like to do when you’re not “doing security”?

I like long walks on the beach…with my coon hound. Actually, I have several neglected hobbies, blacksmithing and wood carving are the two I would really like to spend more time on. And on the rare occasions when our schedules allow it, my wife and I enjoy traveling.

Q: What area of information security would you say is your strongest?

Network Security, shepherding the little packets where they belong, preventing them from going where they shouldn’t, and keeping them out of harm’s way.

Q: What about your weakest?

Anything involving code. Or databases. I am not a coder, and my hatred of databases is not unrequited.

Q: What advice can you give to people who want to get into the information security field?

Pull up your pants, put your hat on straight, and get a real job, kid.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Twitter: http://twitter.com/jack_daniel
LinkedIn: http://www.linkedin.com/in/jackadaniel
Blog: http://blog.uncommonsensesecurity.com

Jan 15

Today’s interview is with Ben Tomhave. I first met Ben at RSA 2009 and he made sure that I wasn’t left behind during the post-conference dinner at Fisherman’s Wharf. That fact alone is enough to get him on the list ;)

Q: Tell us a little about yourself.

Hi, my name is Ben. *waits* … was that too little? :) I’m a security guy, been around the block a couple times, have an MS in InfoSec Mgmt from GWU here in DC, currently living in Northern Virginia (NoVA), where I’ll be for the foreseeable future after a recent misadventure moving to Phoenix (and back)… I’ve worked in a wide variety of IT/infosec positions throughout my career… only started a company once (security consulting), but it didn’t work out (Dot Com bubble burst)… I have a family, I practice Brazilian Jiu-jitsu (when I’m not lazy or injured), and I enjoy exercising (or not), especially with kettlebells…

Q: How did you get interested in information security?

It kind of came naturally to me… some of my earliest security memories were playing with tools like TIGER and COPS back in high school to learn about UNIX configuration, auditing, and security… going through school right as the dot-com bubble built and the Internet became the “next big thing” allowed me to find a niche looking at all the systems and data going online and realize “holy cow, this stuff is wide open, we’re so screwed!” :) This led to early work doing systems and network administration, including helping desktop techs with early malware (spreading from 3.5″ disk to disk, or later via email). I’m sure it all makes sense cosmically (or is that comically?).

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

Yes, I went to school, and college, and grad school. Plus, I even have a certification (CISSP). I think the value comes from a variety of indirect angles. College taught me how to optimize my self-learning. It also helped develop and refine my writing skills (it’s not enough to have something to say, you also need a vehicle for delivering that message). Grad school taught me better how to do formal research, plus also introduced me to some interesting (esoteric?) business approaches, like decision trees, that I otherwise would never have heard of. Grad school also allowed me to produce original research that continues to allow me to frame infosec in ways that nobody else is doing.

Many of my useful computer skills are self-taught. I started playing around with FreeBSD 1.1 in high school, and continued on to Linux in college, and so on. It’s the typical story of tinkering, I suppose, but it’s been an effective way for me to learn. Lots of early hands-on technical experience led me to appreciate some of the problems we see between IT and management. This helped me realize in college that security was largely a matter of IT misalignment.

As for certifications… oh, sigh. I got (and maintain) the CISSP for one reason: it became a recruiter checklist item. Without it I had trouble getting my resume through to the hiring managers, since I didn’t know enough people directly in the industry. Now that I’m older and know more people, I’m not convinced that the CISSP adds much. Honestly, I find it hard to take any certification seriously that only relies on a single theory-based test. Just because you can memorize a bunch of facts in the short-term does not mean that you will know what to do with that information when the time comes to apply your learning. For that matter, many certs don’t even promote learning, just rote memorization that gets flushed within a few short weeks.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be a fighter pilot and an astronaut. I’d probably rather be flying F-16s, yes. Unfortunately, I don’t exactly have the right kind of personality to make it in the military. I should know, because I tried a couple times (my first college choice was the USAFA, which I began, but quickly abandoned).

Q: What projects (if any) are you working on right now?

As of right now, I’m technically out of work. To that end, I’m actively working to build a pipeline and portfolio of customers in order to launch my own independent consulting business. So far I have several leads, but am waiting for things to form up. If anybody is looking for outside help, whether it be for security planning or program management, high-level assessments, compliance planning or remediation, training & awareness, or a variety of other security-related work, please ping me! :)

In my other time, aside from the eat-sleep-work cycle, I’m working on a white paper updating my TEAM Model, and a series of blog posts to accompany that release. I’m also working on a book project (had a proposal accepted, but have decided to go another direction with the project). As usual, I have a ton of writing projects and not nearly enough time to get them all done. 2010 will be a busy year!

In my personal time (whatever that might be), I’m re-adjusting to life in NoVA after moving back here (with family in tow) last October. The Phoenix experiment is over. Now to unpack boxes and find out where miscellaneous things disappeared to (and there are lots of misc. things missing right now, which is annoying).

Q: Can you give us a little more information on your TEAM model?

The TEAM Model was created in 2005-2006 as part of my masters research. The initial research inquiry was to find an all-encompassing model or framework that could be used to build and manage a complete security program. Through my research, I identified models, frameworks, and methodologies (according to a fixed definition). After identifying numerous methods, it became apparent that nothing comprehensive existed.

As such, I shifted focus to writing a model that could be applied to almost any organization to describe a security program (or, “enterprise assurance management”). The TEAM Model v1 brought together risk management, operational security, and audit management into one requirements-driven model. TEAM v2, currently under revision (I’m working on a white paper for it), genericizes things a bit further in order to make sure that areas like appsec and metrics also have a role.

The research really grew out of a frustration of dealing with competing frameworks and methodologies, all pushed as “the solution” for whatever your infosec needs might be. In 2004-2005 it was very common to see ISACA pushing COBIT, BSI pushing ISO 17799 (now 27001/27002), and SOX folks pushing COSO (to name a few). Unfortunately, comparing them was folly because they all had different objectives and missions. The deltas were huge, which made it a pain to try and implement “once”. Of course, in looking at them in-depth, it was silly to do them all overlapping instead of trying to optimize their strengths under a larger program approach. Hence, the TEAM Model was developed to harmonize areas that had traditionally been set up as being in competition with each other.

Q: What is your favorite security conference (and why)?

I’m more of an RSA Conference kind of guy. I enjoy the more commercial-oriented environment. Though it’s hard not to like the fun of Black Hat and DEFCON. I also need to give a shout-out to CIScon in Helena, MT. It might be small, but the quality is very high.

Q: What do you like to do when you’re not “doing security”?

Is this a family show? :) Just kidding… my interests are varied, my time limited… quality time with the family is always nice. I also practice Gracie Jiu-jitsu, which is a lot of fun. Beyond that, reading, writing, and just generally slacking off.

Q: What area of information security would you say is your strongest?

I am, quite intentionally, a generalist. My experience has depth in several areas, including architecture, compliance, risk management, security program management, incident response management, and proactive security programs. I’m sure some who read this will roll their eyes and moan about how worthless generalists are, but I see it as a vital role that bridges the gap between techies and business, even within the security community.

Q: What about your weakest?

I have no real experience with malware research and analysis. It’s an area that never really interested me. I find malware incredibly annoying, but I’m far more interested in the human factors that drive that underground industry than I am in the code itself.

Q: What advice can you give to people who want to get into the information security field?

I honestly don’t think people should look to go into a dedicated security role/profession. We need people with security knowledge and skills working within all aspects of the business. The best thing someone with an interest in infosec could do is study it on the side while finding ways to integrate it into their daily operations in whatever role they’ve been assigned. This advice holds especially true for people on the business or legal sides of the house.

Q: So it sounds like you advocate being more of a generalist in the field. Do you think that most people in our profession have “career tunnel vision” when it comes to information security?

There are a couple of primary perspectives on generalization vs. specialization. On the one hand, no matter what you think may be your specialty in infosec, you have to maintain a relatively broad, general level of skill across the board just to be able to understand what happens within the industry and community. On the other hand, many argue that eventual specialization is inevitable because the industry is simply too broad to cover its full breadth while having any degree of reasonable depth in any one topic.

I certainly see merit in both arguments, but also believe that both sides have a place. The higher you get in the people stack, the more generalist you have to be. If you’re a front-line engineer, analyst, or consultant, then you have the luxury of being specialized. Many people are happy with their specialties, and thus stay with tracks that allow them to work in that one area, becoming SMEs to a degree that some of us will never achieve.

On the flip side, someone has to manage organizations; someone has to see where all the pieces fit together; someone has to have a vision for a better tomorrow; someone has to be able to build bridges between SMEs in different areas, identifying cross-over, areas for collaboration, and ways to optimize effectiveness and efficiency. You simply cannot do this with a narrow view of infosec.

In terms of tunnel vision, again, some people have the luxury of working with blinders while others don’t. The challenge is in making sure that contributions from these focused people are not taken out of context, and that they’re not allowed to dictate to the broad community based on a narrow vision that can’t be, or isn’t, adequately generalized.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Blog: www.secureconsulting.net
Twitter: twitter.com/falconsview
Google me
