Recently in Career Category

Service announcement for vendors


This is a service announcement for product/service vendors.

As an information security executive, I appreciate all the work you do. The products and services that you develop are feature-rich and help me secure my environment, and I appreciate partnering with you to make that happen.

However, there are some rules that you need to follow:

1. Do not cold-call me and within 30 seconds ask me what my budget is. I'm not going to tell you what I am willing to pay if I don't have a previous working relationship with you and have sufficient confidence in your ability to provide me with a reasonable value proposition. I appreciate the fact that you want to make money, and it is in my best interest that you do. I realize that you will not be around the next time I need you if I do not let you make a profit. I do not mind paying for a product or service that is provided well.

2. Without having any knowledge of my environment, do not tell me that what I have been doing is ineffective and too expensive. It is an insult to my abilities to deliver value to my organization.

3. Do not claim that commercial products are always better and cheaper than open source alternatives. I realize that open source products also need to be maintained and that I need product-specific skills in order to operate them. If what you offer can be operated by somebody whose skill set is limited to operating a toaster, I probably do not want to do business with you.

4. Sometimes your call is not convenient. If I let you go to voice mail, do not call back three times in the following five minutes.

5. Don't schedule a follow-up phone call with a sales engineer if I do not explicitly agree to that.

Thank you for your attention.

Refocusing my professional career


It has been almost three weeks since my last post and because my goal is to provide one or two posts a week, that is simply too long.

My silence can partially be explained by simple, mundane things like a high workload and the desire to spend time with my family when I am at home, but there has been a secondary cause as well.

I believe that it is important to reflect on who I am professionally and how I want to portray myself. After having collected a bunch of security certifications (in chronological order: CISSP, GCIH, CISM, OSCP, CISA), I think I'm done with that for a while. All certifications have contributed to my understanding of the field, and they reconfirmed that I am exactly where I want to be.

While up until recently I advertised myself as an information security generalist, I believe that I am currently in the process of shifting focus towards becoming an information security strategist.

My day-to-day work, and my general thinking, have been impacted by the fact that I have few operational responsibilities. For one, it means that the only 'real' reasons that I am touching security technology are out of curiosity, to prove a point, or to evaluate a product's potential. Actual implementation and operation are not something that I have done in quite a while.

Likewise, while I am fairly proficient with vulnerability scanning and penetration testing techniques, I have not done full tests recently. It doesn't mean that I don't like to tinker around in my own lab to try out new tools, or that I don't assess new vulnerabilities and exploits, but the pressing need to be current to the minute is something that is slowly fading.

I feel a little sad about this realization. Being on the bleeding edge of technology, developing and performing assessments, and being in the loop on what's going on now is incredibly rewarding. But setting strategy, determining direction and ensuring that an organization moves forward in its level of professionalism and its quality of service is something that also has its rewards.

At the very least, not being on call 24/7 for operational emergencies has its benefits.

I regularly get questions from students who expect to graduate soon, asking what they need to do to get started in the information security field. Unfortunately, I cannot give a straight, unambiguous answer to that. What I can do is start a thought process for that student. In the end, they will have to do the work.