Month: December 2009

Information Security D-List Interview: Nick Owen

Today we interview Nick Owen. I had the pleasure of meeting Nick at SecTor 2009 and he has a wealth of knowledge in areas that most people struggle in.

Q: Tell me a little about yourself.

I’m best described as a serial entrepreneur. WiKID is the fourth start-up in which I have been actively involved. For the record, I am 1-1-1, though the tie is a bit generous.

I live in Atlanta, Ga, with a beautiful wife, three lovely children, one cat, one fish, and six chickens with a frustrated (so far) hawk as a neighbor.

Q: How did you get interested in information security?

My second startup did electronic bill presentment and payment services. I was in charge of operations and thus security. I hired Caleb Sima’s group from ISS to do a pen test. I later invested in SPI Dynamics.

Q: Do you find it difficult to juggle a family AND a startup? What is the biggest sacrifice you’ve had to make as a result?

For the first two start-ups, I spent a lot of time at the office. You spend a great deal of time thinking about and discussing what you need to do to succeed. You worry a great deal about things that aren’t always tremendously important, like what the competitors are doing. That also was the time when Netscape came out, Yahoo started, Java debuted, etc., so it was a very interesting time. Now, I have a pretty good idea of what our strategy is, I know what part of the market we’re targeting, etc., so I typically work from about 8-6 and rarely work on weekends. That being said, I always think about work and I worry that I’m not always “there”.

My “pay” is not always “regular”, but luckily I have a spouse who is very tolerant of this fact. I actually think this is good for my children. They are by no means spoiled :).

I have to say that it is a great time to start a company. Why? Because the economy will only get better from here. So, if you can start a company, you will be sitting pretty as the economy recovers.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I have a BA in History and an MBA, making me both ignorant and evil, which seems like a great basis for information security.

Q: Why do you think a mix of History and an MBA provides a good basis for infosec?

In all seriousness, I believe that you go to school to learn to learn, not to actually learn facts or a specific skill. History teaches you strategic thinking, trend recognition and how to write (though I seem to have forgotten the grammar part). I have over time picked up a lot of tactical information about security, giving me what I think is a well-rounded view.

I got my MBA to increase my marketability as management material, but also to round out the skills I thought I would need to be an entrepreneur. I knew I needed to be a jack-of-all-trades.

When I first started blogging, I did a number of posts on why ROI is a poor measurement, how to come up with a cost of capital for a project, etc. I realized that I had to focus on our market and I got a bit frustrated by it. I may pick that back up, but I’m still not sure that any information security people would actually use it.

Q: What did you want to be when you grew up? Would you rather be doing that?

I think I always wanted to be working for myself. When grown-ups asked me what I wanted to be, I usually chose an inanimate object, such as a fire hydrant.

Q: What projects (if any) are you working on right now?

I would like to get some time to do some blogging, exploring some concepts around ‘best practices’ and how to measure the financial impact of information security investments.

Q: What is your favorite security conference (and why)?

I probably had the most fun at DefCon, but SecTor was great. I liked the fact they had limos pick up the speakers at the airport. I have never come off a plane to find my name being waved by someone.

Q: What do you like to do when you’re not “doing security”?

I’m on the board of my children’s school, the Waldorf School of Atlanta. I have a garden where I primarily grow tomatoes and various hot peppers, which I often use to make my own hot sauce.

Q: What area of information security would you say is your strongest?

I have written a good number of tutorials on how to integrate two-factor authentication with a bunch of different network devices and applications. If we get too far from authentication, chances are I am making it up.

Q: What advice can you give to people who want to get into the information security field?

Explore the numerous open source tools in information security, choose any that are of interest and contribute. Contributing doesn’t mean just code. It means feature requests, documentation, bugs, etc. Doing documentation is a great resume stuffer. You are essentially saying “I know how to learn to use a tool and I know how to document my work”. How valuable is that to a potential manager?

Q: How can people get a hold of you (e.g. blog, twitter, etc.)?

The much neglected WiKID corporate blog: http://www.wikidsystems.com/WiKIDBlog and on Twitter: @wikidsystems

Information Security D-List Interview: Paul Asadoorian

Kicking off the Information Security D-List Interviews is Paul “PaulDotCom” Asadoorian. Paul gave me the opportunity to pick his mind via email and IM over the past week.

Tell me a little about yourself.

I live in Rhode Island, and have all my life, where I have always been a computer geek and lots of other things. I started programming when I was 7 years old on the Apple IIe computer. I’m somewhat of an overachiever and earned the nickname “Salad Shooter” shortly after I founded “PaulDotCom”. My first real job in the industry was an intern for a small software company. I did some programming, but my primary job was “Backup Boy”, or “BUB” for short. As the “BUB” I had to go around to all of the development systems and perform backups. Keep in mind this was well before USB thumb drives, and involved magnetic tape drives, pliers, screwdrivers, and DOS-like commands on a PoS-specific operating system (IBM 4690). I am thankful for all that I learned and appreciate things more getting my start at the bottom (I mean it doesn’t get any more bottom than being called “BUB”).

Currently I am the “Product Evangelist” for Tenable Network Security. It’s my job to use the products in real-world environments and tell people about the features and use-cases. For PaulDotCom, I produce and host the weekly “PaulDotCom Security Weekly” podcast, which now includes both audio and video. I also participate in our security consulting work, performing penetration tests and web application assessments.

How did you get interested in information security?

I was working as system/network administrator for a small company, you know the kind of position where you have to know something about everything (UNIX/Linux, Windows, Networking, Printers, phone switches, etc.). I started to grow tired of Windows and was beginning to work with Linux (I installed Red Hat 5.2 from floppy disks). I appreciated the control, but knew that it came with great responsibility when it came to security. My friend’s computer had gotten hacked, so it got me curious about security. I started to secure computers in the office with mixed success, some would be fine after system hardening, and some would not function as well. This proved very challenging and really started to become a focus in my career. I left that job and took a full time position as a UNIX systems administrator, primarily Solaris. After working there for some time two things happened that put me on the track for security: 1) The firewall admin got sick and I took over firewall maintenance for several Checkpoint firewalls 2) We had to undergo a security audit and I was tasked with hardening our 20+ UNIX systems. I’ve never looked back and made security the focus in my career ever since!

What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

Certainly, I have a Bachelor of Science in Information Systems, with a strong focus on business (I graduated from Bryant College). I’d say that my computer courses helped me to fill in the gaps of everything that I learned on my own and on my job. I also earned two SANS level certifications (before there were silver and gold), which was very rewarding and really helped my career. I believe that certifications are valuable, especially when you are starting out. For me, it helped me learn and apply so much to my career, even more than it was a resume builder. Certifications are what you make of them, and I did my best to make the most of them by studying hard, creating a lab at home

What did you want to be when you grew up? Would you rather be doing that?

I so wanted to be a baseball player when I was growing up. I don’t think that would be the best career for me now, especially seeing as I wasn’t always very good at it! If I had to choose a new career it might be as a martial arts instructor, fishing guide, or furniture maker.

What projects (if any) are you working on right now?

Well, there is the usual stuff I have going on at PaulDotCom. We are working hard to expand and grow in the areas of Internet radio and Internet TV. My other research project that I will be embarking on soon has to do with embedded systems. I did a lot of research on the embedded side, and even some presentations on the security aspects. I’ve let it rest for too long and want to get back into it. I don’t want to give it all away, but the goal is to raise awareness on how widespread and dangerous embedded security problems are today, and how its only going to get worse, not better.

It looks like you’re involved in a lot of projects. How do you balance family time with project time?

I think the answer you will hear from many of us is balance with work and family life is a constant struggle. I’d say that sometimes I do it really well, and other times I fail miserably at it. I always try to learn from each experience and try to get better at time management as time goes on. I think I’m getting better, my family may have other thoughts 😉

How do you guys come up with “themes” for the podcast?

At this point it really happens very naturally. I think in the beginning we really had to struggle to come up with content, such as stories for discussions and technical segments. We did a lot of listener feedback in the beginning as well. Since then we have made the technical segments a formal part of the show, and try to do at least one per episode. A technical segment is a “How-To”, including audio and a wiki page entry, explaining to the audience how to do something technology or security related. We draw on our experiences, so it’s usually whatever we were working on that week. The Wiki has also been a tremendous success, as we create a wiki page for each show and document the tech segments, interview questions, and stories for discussion each week. I can’t imagine trying to produce a show without the Wiki technology! Overall, we try to focus on what’s happening in information security, but without being the “accident jumpers” of security media. For example, we like to have on guests that are maybe not so well known, but are the true “rock stars” of the industry.

What is your favorite security conference (and why)?

Just like beer and cigars, it’s tough to have just one. I really like Shmoocon and Defcon, they are fun in their own unique ways, so I always make sure I and the entire PaulDotCom team make it out to both events. I meet so many cool people and share new ideas at those two conferences especially.

What do you like to do when you’re not “doing security”?

I of course enjoy spending time with my family (they call me “Clark Griswold” around this time of year). My non-tech relaxing hobbies include fishing from my small freshwater boat, and smoking cigars (preferably fishing while smoking cigars). I also practice martial arts, including Kung Fu and Tai Chi.

What area of information security would you say is your strongest? What about your weakest?

I’d say I’m the strongest in penetration testing and network security, and a splash of embedded systems knowledge. My weakest area is probably deep, in-depth system forensics; I know enough to get by, but it’s not my area of specialty.

What advice can you give to people who want to get into the information security field?

Wow, that’s a loaded question! I’ve been asked this question many times, and discussed the topic on the PaulDotCom show a few times as well. I finally made a blog post which goes through in detail how I recommend people get their start in information security.

How can people get a hold of you (e.g. blog, twitter, etc.)

My blog is http://pauldotcom.com, but it’s not just me who blogs, it’s the entire PaulDotCom team. I am also on Twitter as @pauldotcom where I can be found announcing various PaulDotCom things, talking about cigars, information security, and keeping others in check 😉

Done Something Illegal? Swap Out Your Finger Prints!

According to this article, a Chinese woman has managed to enter Japan illegally by having plastic surgery to alter her fingerprints. From the article:

Lin Rong, 27, had previously been deported from Japan for overstaying her visa. She was only discovered when she was arrested on separate charges.

Tokyo police said she had paid $15,000 (£9,000) to have the surgery in China.

It is Japan’s first case of alleged biometric fraud, but police believe the practice may be widespread.

At around $15,000, the price doesn’t feel that high when weighed against the cost of being caught for a serious crime. Perhaps fingerprint-based biometric scanning is dead?
