Today’s interview is with Michael Santarcangelo. Affectionately known “Santa” to his friends, Michael truly is a catalyst when it comes to changing how people think about information security. He’s helped me throughout my security career and has talked me down during my pre-exam “freak out” sessions on more than one occasion.
Q: Tell us a little about yourself.
I love to learn, connect, and share.
I am a catalyst.
I used to state, apologetically, that I was a “jack of all trades, master of none.” Then I would explain I was a renaissance man – less apologetic. But a few years ago I realized that I am a catalyst, and I no longer apologize.
I’m direct. Candid. And with a good knowledge of self, I am what you see. After watching people tell lies, play games and “work angles” early in my career, I decided against that approach. As a result, I am me.
In my practice, I connect with people, ask questions and share stories that shift thinking and create situations that inspire behavior change. I focus on the positive – acknowledging the good work of the users, amplifying their actions and revealing to them they have the power – and the responsibility – to act to protect information.
Q: How did you get interested in information security?
I asked too many questions.
I was working with Accenture (back in the days before it was Accenture) and on a project where I kept asking questions – about things like pricing spreadsheets being kept on shared drives. This was before “security” existed, so my reward for asking the question was to figure out a solution. When I did, the partners would take me out to nice dinners. It was perfect – I worked around the clock, got fed and learned.
In two years, I probably worked roughly 4-5 years worth of hours, but it was worth every minute. From there, I joined the newly formed global security team and the rest has been a great experience.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
My formal training is Policy Analysis (now called policy analysis and management) from the school of Human Ecology at Cornell University. It’s hard to explain why I chose the major when I did – but looking back, it was a perfect fit for me. In fact, I think more people need to study and become human ecologists.
Human Ecology is considered a “hard social science” – the power is in the blend. The foundation is economics, statistics and other “hard science.” It’s then amplified and improved with the addition of sociology, psychology, business, personal finance and other elements that allow human ecologists to draw on multiple disciplines to solve complex problems.
This translates into the tools and experience to understand policy, economics, people and technology. Better, I can then analyze and explain what I know in an applied way – to get results matched to the situation. And I continue to learn!
As to the balance of my learning – I am curious about everything and am a lifelong learner. Every topic literally fascinates me, and I learn from anyone any everyone.
At one time was a top-rated lead instructor for the CISSP® — and even helped refine and improve a substantial portion of the Common Body of Knowledge. That experience allowed me to develop deep and broad PRACTICAL skills in the entire field of information security (spend enough years explaining leads to as many years doing). As a result, I have good knowledge of the field – especially the fundamentals — but also the realization that my niche now is to connect the right people together while focusing on the human element.
Once I earned the opportunity to join the National Speakers Association, I took the responsibility of being a professional speaker seriously. Professional speakers are hired to get results – so now I dedicate a good portion of time to mastering – and teaching others – the tradecraft of effective communication. I believe the real challenge for most security professionals is communication – and developed some seminars and support materials to be refined and improved in 2010.
As a human ecologist, I’m finally in a place to blend my skills to enhance my skills. In the process of my learning, I connect and share. The cool aspect of this is that the more I share, the more I learn.
Q: What did you want to be when you grew up? Would you rather be doing that?
I always wanted to run a business that helped people. I love what I do – and the way we’re about to do it, so I’m thrilled.
Q: What projects (if any) are you working on right now?
I am in a constant state of thinking, which means I have some projects going on. The big project is just starting – we have rented our house out (instead of selling it) and are heading out to travel North America by RV for the next few years.
We have dubbed our effort “Catalyst onTour” – as we will continue to meet our clients, literally, where they are to influence change.
Beyond traveling to meet, learn, listen and share, we have a different approach to seminars we’re going to unveil in 2010, as well as a few other ways to change the way people protect information that need a bit more time to distill and prepare.
Q: What is your favorite security conference (and why)?
I haven’t really found one that compares to the conferences I have experienced in professional speaking circles. I do enjoy the “hallway” interaction that happens at the security conferences and will advance some small suggestions for the future.
In the meantime, when we travel the country, we invite people to come to our house, enjoy a beverage and sit around the fire to catch up – real campfire chats. I hope you and I get to sit around the fire in 2010.
Q: What do you like to do when you’re not “doing security”?
First and foremost is time with my family. In that process, we like to learn, engage, share – lots of reading, museums, etc.
Q: What area of information security would you say is your strongest? What about your weakest?
As a former CISSP instructor who devoted 6+ years to developing and improving the profession, I have an unusual breadth and depth – and interest set. My strength is absolutely in applying what we know in a way that works in harmony with the power of people – the so-called elusive human element.
My weakest is programming; I understand and appreciate programming, but I’m not a coder and don’t want to be. However, that doesn’t mean I don’t like application security… since it requires people. Just don’t ask me to code or look for application vulnerabilities.
Q: You’ve spoken to people all over the country about managing risk. What, in your experience, is managements most common misconception of “risk”?
I think the biggest misconception of risk lies with security professionals – and what I call “risk reaction.” Our focus, our thought process leads to situations where we see and realize things before others, and that leads to a state where we focus on threats, vulnerabilities and risks more than others.
I think we have a lot to learn from business leaders, decision makers and influencers about the real risk of the organizations.
Q: Tell us a little bit about your book and how it ties into your philosophy on life and security.
When I wrote Into the Breach: Protect Your Business by Managing People, Information and Risk, I had started to look deeper into some of the notable breaches happening – and asked a simple question, “what if breaches are only symptoms?”
The reality is that breaches – which take a lot of attention and capture a lot of money – are only symptoms. If we continue to do what we’ve been doing, we’ll keep getting what we’ve been getting.
My book is for executives to reconsider the challenge with a strategy for their success.
The central element is that individuals must take responsibility for their actions, and be held accountable. I think this is true in life as well as security – so this book does capture some initial thinking on my approach to a lot of things.
What I enjoy is learning about how people who have implemented the guidance not only solve their “security” challenge, but how they adapt it to do more. It excites me, since that was the purpose.
I have more information about the book and a special offer here: http://www.securitycatalyst.com/into-the-breach/team-inspiration-edition/
Q: What advice can you give to people who want to get into the information security field?
Ask questions. Seek answers. Share.
This is part of the reason we started the Security Catalyst Community. And that’ll be coming back stronger in 2010 – with a mentoring component. I’m a fan of the journeyman process, and a bit leary of people who have advanced degrees in security/assurance – but lack the practical, hands-on approach marked with scars, mistakes and the essential components of learning.
To be clear: I think cert programs and advanced degrees are important.
But I evaluate practitioners and professionals on what they can do – including how they can connect with real users/people and communicate. Those that have had their feet to the fire perform better than others.
So if someone is asking for advice, I suggest they find a blend:
Q: How can people get a hold of you (e.g. blog, twitter, etc.)