Category: Interview

Information Security D-List Interview: Benjamin Tomhave

Today’s interview is with Ben Tomhave. I first met Ben at RSA 2009 and he made sure that I wasn’t left behind during the post-conference dinner at Fisherman’s Wharf. That fact alone is enough to get him on the list 😉

Q: Tell us a little about yourself.

Hi, my name is Ben. *waits* … was that too little? 🙂 I’m a security guy, been around the block a couple times, have an MS in InfoSec Mgmt from GWU here in DC, currently living in Northern Virginia (NoVA), where I’ll be for the foreseeable future after a recent misadventure moving to Phoenix (and back)… I’ve worked in a wide variety of IT/infosec positions throughout my career… only started a company once (security consulting), but it didn’t work out (Dot Com bubble burst)… I have a family, I practice Brazilian Jiu-jitsu (when I’m not lazy or injured), and I enjoy exercising (or not), especially with kettlebells…

Q: How did you get interested in information security?

It kind of came naturally to me… some of my earliest security memories were playing with tools like TIGER and COPS back in high school to learn about UNIX configuration, auditing, and security… going through school right as the dot-com bubble built and the Internet became the “next big thing” allowed me to find a niche looking at all the systems and data going online and realize “holy cow, this stuff is wide open, we’re so screwed!” 🙂 This led to early work doing systems and network administration, including helping desktop techs with early malware (spreading from 3.5″ disk to disk, or later via email). I’m sure it all makes sense cosmically (or is that comically?).

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

Yes, I went to school, and college, and grad school. Plus, I even have a certification (CISSP). I think the value comes from a variety of indirect angles. College taught me how to optimize my self-learning. It also helped develop and refine my writing skills (it’s not enough to have something to say, you also need a vehicle for delivering that message). Grad school taught me better how to do formal research, plus also introduced me to some interesting (esoteric?) business approaches, like decision trees, that I otherwise would never have heard of. Grad school also allowed me to produce original research that continues to allow me to frame infosec in ways that nobody else is doing.

Much of my useful computer skills are self-taught. I started playing around with FreeBSD 1.1 in high school, and continued on to Linux in college, and so on. It’s the typical story of tinkering, I suppose, but it’s been an effective way for me to learn. Lots of early hands-on technical experience led me to appreciate some of the problems we see between IT and management. This helped me realize in college that security was largely a matter of IT misalignment.

As for certifications… oh, sigh. I got (and maintain) the CISSP for one reason: it became a recruiter checklist item. Without it I had trouble getting my resume through to the hiring managers, since I didn’t know enough people directly in the industry. Now that I’m older and know more people, I’m not convinced that the CISSP adds much. Honestly, I find it hard to take any certification seriously that only relies on a single theory-based test. Just because you can memorize a bunch of facts in the short-term does not mean that you will know what to do with that information when the time comes to apply your learning. For that matter, many certs don’t even promote learning, just rote memorization that gets flushed within a few short weeks.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be a fighter pilot and an astronaut. I’d probably rather be flying F-16s, yes. Unfortunately, I don’t exactly have the right kind of personality to make it in the military. I should know, because I tried a couple times (my first college choice was the USAFA, which I began, but quickly abandoned).

Q: What projects (if any) are you working on right now?

As of right now, I’m technically out of work. To that end, I’m actively working to build a pipeline and portfolio of customers in order to launch my own independent consulting business. So far I have several leads, but am waiting for things to form up. If anybody is looking for outside help, whether it be for security planning or program management, high-level assessments, compliance planning or remediation, training & awareness, or a variety of other security-related work, please ping me! 🙂

In my other time, aside from the eat-sleep-work cycle, I’m working on a white paper updating my TEAM Model, and a series of blog posts to accompany that release. I’m also working on a book project (had a proposal accepted, but have decided to go another direction with the project). As usual, I have a ton of writing projects and not nearly enough time to get them all done. 2010 will be a busy year!

In my personal time (whatever that might be), I’m re-adjusting to life in NoVA after moving back here (with family in-tow) last October. The Phoenix experiment is over. Now to unpack boxes and find out where miscellaneous things disappeared to (and there are lots of misc. things missing right now, which is annoying).

Q: Can you give us a little more information on your TEAM model?

The TEAM Model was created in 2005-2006 as part of my masters research. The initial research inquiry was to find an all-encompassing model or framework that could be used to build and manage a complete security program. Through my research, I identified models, frameworks, and methodologies (according to a fixed definition). After identifying numerous methods, it became apparent that nothing comprehensive existed.

As such, I shifted focus to writing a model that could be applied to almost any organization to describe a security program (or, “enterprise assurance management”). The TEAM Model v1 brought together risk management, operational security, and audit management into one requirements-driven model. TEAM v2, currently under revision (I’m working on a white paper for it), genericizes things a bit further in order to make sure that areas like appsec and metrics also have a role.

The research really grew out of a frustration of dealing with competing frameworks and methodologies, all pushed as “the solution” for whatever your infosec needs might be. In 2004-2005 it was very common to see ISACA pushing COBIT, BSi pushing ISO 17799 (now 27001/27002), and SOX folks pushing COSO (to name a few). Unfortunately, comparing them was folly because they all had different objectives and missions. The deltas were huge, which made it a pain to try and implement “once”. Of course, in looking at them in-depth, it was silly to do them all overlapping instead of trying to optimize their strengths under a larger program approach. Hence, the TEAM Model was developed to harmonize areas that had traditionally been set up as being in competition with each other.

Q: What is your favorite security conference (and why)?

I’m more of an RSA Conference kind of guy. I enjoy the more commercial-oriented environment. Though it’s hard not to like the fun of Black Hat and DEFCON. I also need to give a shout-out to CIScon in Helena, MT. It might be small, but the quality is very high.

Q: What do you like to do when you’re not “doing security”?

Is this a family show? 🙂 Just kidding… my interests are varied, my time limited… quality time with the family is always nice. I also practice Gracie Jiu-jitsu, which is a lot of fun. Beyond that, reading, writing, and just generally slacking off.

Q: What area of information security would you say is your strongest?

I am, quite intentionally, a generalist. My experience has depth in several areas, including architecture, compliance, risk management, security program management, incident response management, and proactive security programs. I’m sure some who read this will roll their eyes and moan about how worthless generalists are, but I see it as a vital role that bridges the gap between techies and business, even within the security community.

Q: What about your weakest?

I have no real experience with malware research and analysis. It’s an area that never really interested me. I find malware incredibly annoying, but I’m far more interested in the human factors that drive that underground industry than I am in the code itself.

Q: What advice can you give to people who want to get into the information security field?

I honestly don’t think people should look to go into a dedicated security role/profession. We need people with security knowledge and skills working within all aspects of the business. The best thing someone could do with interest in infosec is study it on the side while finding ways to integrate it into their daily operations in whatever role they’ve been assigned. This advice holds especially true for people on the business or legal sides of the house.

Q: So it sounds like you advocate being more of a generalist in the field. Do you think that most people in our profession have “career tunnel vision” when it comes to information security?

There are a couple primary perspectives on generalization vs specialization. On the one hand, no matter what you think may be your specialty in infosec, you have to maintain a relatively broad, general level of skill across the board just to be able to understand what happens within the industry and community. On the other hand, many argue that eventual specialization is inevitable because the industry is simply too broad to cover its full breadth while having any degree of reasonable depth in any one topic.

I certainly see merit in both arguments, but also believe that both sides have a place. The higher you get in the people stack, the more generalist you have to be. If you’re a front-line engineer, analyst, or consultant, then you have the luxury of being specialized. Many people are happy with their specialties, and thus stay with tracks that allow them to work in that one area, becoming SMEs to a degree that some of us will never achieve.

On the flip side, someone has to manage organizations; someone has to see where all the pieces fit together; someone has to have a vision for a better tomorrow; someone has to be able to build bridges between SMEs in different areas, identifying cross-over, areas for collaboration, and ways to optimize effectiveness and efficiency. You simply cannot do this with a narrow view of infosec.

In terms of tunnel vision, again, some people have the luxury of working with blinders while others don’t. The challenge is in making sure that contributions from these focused people are not taken out of context, and that they’re not allowed to dictate to the broad community based on a narrow vision that can’t be, or isn’t, adequately generalized.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)?

Blog: www.secureconsulting.net
Twitter: twitter.com/falconsview
Google me

Information Security D-List Interview: Kevin Riggins

Today we interview another friend, that I’ve known for quite some time, Kevin Riggins.

Q: Tell us a little about yourself.

I am a husband, a son and the proud father of our furchild, an 8 year old Corgi 🙂 I am an avid science fiction reader and love tinkering with computers and electronic gadgetry.

Professionally, I am a Senior Information Security Analyst with a Fortune 500 financial services company. I lead and manage a team of five analysts who are responsible for providing internal information security consulting services and tasked with performing risk assessments for the different business units that make up the company.

I have a blog called Infosec Ramblings where I write about information security topics.

Q: How did you get interested in information security?

I have worked in an extremely broad range of disciplines in information technology over the years. This includes help desk, workstation management, server management, UNIX administration, etc… About 10 years ago, I started becoming very interested in how easy it was for people to get access to information that they weren’t necessarily supposed to have access to. I was able to talk my employer into sending me to my first SANS conference where I went through the Security Essentials course. I came away from that experience knowing that this was the path I wanted to take.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I am a college dropout. Actually, I do have my Bachelor’s degree, a BA in Computer Science, but I did not get it until I was an adult. I decided during my youth that I would rather work than continue to go to college. I don’t regret that decision, but I am also very glad that I went back to school as an adult and finished what I started. I have had more certifications than you can shake a stick at, but the only two that I keep current at the moment are my CISSP and my CCNA.

As far as helping my career is concerned, college helped me learn how to think better. The actual information wasn’t as important as the process of learning. Regarding certifications, you see quite a bit of disparagement aimed at the CISSP and those who have the cert. For me, getting my CISSP was a very valuable experience. I spent a significant amount of time self-studying for the exam and I think that really helped me broaden my perspective when it comes to information security. Does that mean I think the CISSP indicates I am some sort of expert? Not at all. Like any certification, the experience of the individual who has those letters behind his name is much more important than said letters. I also self-studied for my CCNA. I think the fact that I have one “management” cert and one “technical” cert helps show that I am not one dimensional.

It also keeps the network folk from trying to pull the wool over my eyes 🙂

Q: What did you want to be when you grew up? Would you rather be doing that?

I honestly can’t say what I wanted to be when I grew up. That pretty much extended all the way into my first stab at college. I started out in Electrical Engineering, switched to Computer Science, then Accounting, then Petroleum Land Management, and so on, and so forth, until I finally landed in Electronic and Computer Technology and then quit. I got a job based on the last one and the rest is history.

Q: What projects (if any) are you working on right now?

You recently published Michael’s interview where he mentioned a mentoring project that will be coming to the Security Catalyst Community. I am working with him on that project and really looking forward to what we can accomplish with the help of the great community that exists there.

Q: What is your favorite security conference (and why)?

Any that I can get to 🙂 I really enjoy Defcon and have had fun at RSA Europe the last couple of years. Defcon is great for keeping up with the newest things that are happening in Infosec. Not necessarily via the presentations, but via the great hallway track. RSA Europe is fun because I get to meet up with a lot of my European friends.

Q: What do you like to do when you’re not “doing security”?

“Doing security” tends to bleed over into my non-work life, but beyond spending time with my wife and puppy dog, I am an avid amateur photographer. My flickr page is listed below. I don’t get things up there as often as I’d like, but I really enjoy taking pictures. I have recently taken up piano again. I am focusing on Jazz piano right now and have fun. As I indicated above, I love reading science fiction and I also enjoy singing in choir at my church.

Q: What area of information security would you say is your strongest?

I have a broad background to draw from and, as such, I would say I am strongest at being able to have a good grasp of what affects a project from a security perspective, a business perspective and an information technology perspective. This allows me to effectively communicate with all the people involved in the efforts that we have to assess and consult on.

Q: What about your weakest?

Admit weakness? In a public forum? Pshaw. Just kidding. I am not as technically proficient as I used to be. I still have a lab at home and still keep my fingers in, but my day-to-day duties don’t call for the level of technical hands-on ability that I used to have.

Q: What advice can you give to people who want to get into the information security field?

Take a hard look at yourself and decide if you are ready for the stresses that a career in information security will put on you. You are contemplating getting into a field where you can never quit learning. Our field is an ever changing one and keeping up takes a significant commitment. It is also a field where you may be faced with having to influence people to make decisions that they might not want to make. In other words, you are often going to be causing others some stress which can make them not happy with you. You have to be okay with that.

It’s been said by others already, but I will repeat it. Find a mentor. Preferably one that has been around for a bit. The value of having someone to bounce ideas off of and who has been through the trenches cannot be stressed enough.

Q: What suggestions would you have for technical people who want to move into a supervisory or management role?

I am going to answer this question assuming that the individual has done their research and truly thinks they want to become a supervisor or manager. What to do? Tell somebody in your current organization. It is easier to move into a supervisory or management role with your current employer than it is to find a new job without having some management experience. You can often ease into it by managing this project or supervising that process while still staying technical. This is great for figuring out if you truly do want to make such a move.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)?

Blog: http://www.infosecramblings.com
Email: kriggins@infosecramblings.com
Twitter: http://twitter.com/kriggins
Flickr: http://www.flickr.com/photos/krandj/
LinkedIn: http://linkedin.com/in/kevinriggins

Information Security D-List Interview: Peter Giannoulis

The first Information Security D-List interview of 2010 is my good friend Peter Giannoulis. I’ve known Peter for several years and he’s grown into one of the most knowledgeable information security people I know.

Q: Tell us a little about yourself.

I live in Toronto, Ontario, Canada, with my wife and two children.

I’ve been an information security consultant for over a decade specializing in the implementation of all sorts of security technologies from firewalls, IDS/IPS, vulnerability assessments, penetration testing and audits. I recently founded Source 44 Consulting Incorporated, whose goal is to provide outstanding infosec services to organizations of all sizes.

Along with some close friends, I also launched The Academy Pro (www.theacademypro.com) in March 2008. The Academy Pro is a website that was designed to provide organizations free infosec tutorials in video format.

Q: How did you get interested in information security?

It was really an accident. I was employed by an infosec consulting firm as a systems administrator. I quickly became bored with the role and brought this to the attention of the President of the company. He offered me a position as a security consultant and the rest is history.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I have a little bit of college behind me, but I tend to grasp concepts if I study and apply them on my own. Throughout the last decade I have gained many certifications. Many have been vendor neutral based, but because of my position as a consultant, I needed to maintain vendor specific certifications as well.

Q: What did you want to be when you grew up? Would you rather be doing that?

What every geek wants to be; a rock star! While I love my current career path, I would rather be playing Good Riddance inspired punk music to thousands of people every night. There’s nothing like writing songs and performing them to a live audience.

Q: What projects (if any) are you working on right now?

Full time consulting and The Academy Pro takes up most of my time from a project perspective. However, there’s a few things that we’ll be announcing shortly from a company and website perspective.

Q: What is your favorite security conference (and why)?

I don’t frequent them often. I find there’s too many egos at some of the larger conferences.

Q: What do you like to do when you’re not “doing security”?

I love spending time with my family and I continue to play music from time to time.

Q: What area of information security would you say is your strongest? What about your weakest?

I’d say I’m a fairly good instructor. I have always scored high in this area. I also enjoy architecting solutions and performing penetration tests.

As for my weakest; I’m not much of a programmer. That’s an area I wish I took a bit more seriously years ago.

Q: Do you think the average Canadian is able to comprehend the threat that malicious attackers pose? What do we do to change the perception?

Not at all. So many parents in my neighborhood tend to ask me questions about Internet safety and then regret it after I answer. I honestly don’t try to scare people, but instead make them aware of the problem.

Something needs to be done from a larger scale in order to change the perception. I believe that education boards need to make parents aware from an early age about the dangers of the Internet by holding monthly or quarterly workshops with infosec professionals. That would be a start.

Q: Your kids are at the age where they’re getting into computers. How do you, as a parent AND a security professional, work to educate them on Internet safety?

My wife and I have made my children aware of the dangers of the Internet from an early age. Awareness is not always sufficient, so that’s where content filtering comes into play.

Q: What advice can you give to people who want to get into the information security field?

The security field is so interesting that it kind of draws you in. If you’re not looking to lose all of your time and enjoy spending time with your family and friends; don’t do it.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)?

Twitter: www.twitter.com/theacademypro
The Academy Pro: www.theacademypro.com
Email: peter@theacademy.ca / peter@source44.net