Teleseminar – Scott Blake on “Being a CISO”

November 30, 2006

The fourth episode of the Episteme IT/InfoSec Career Portfolio Teleseminar & Podcast Series will feature my good friend and former colleague Scott Blake of security research company Echelon One.

This episode is going to be all about getting to the top echelon (no pun intended) of the information security world: the ins and outs of the world of a Chief Information Security Officer. Scott is the former CISO of Liberty Mutual Insurance, where he was incredibly successful in building a security program based on a real understanding of risk and business-driven security. Before that, Scott and I shared a similar background – he built one of the earliest security research teams at Bindview. That team (RAZOR, for those who don’t remember) was one of the most prolific out there, and its former members are some of the most brilliant security researchers around.

Scott is one of the best security executives I have had the pleasure of meeting in my career – he’s smart, intuitive about the security industry, and he understands what the business needs of the enterprise are when it comes to security. He also understands the way to build a security career from the bottom up – he can give a lot of insight into what CISOs want, what they’re like, how they think, and how to become one.

The teleseminar is going to take place at 1PM PST/4PM EST on Thursday, December 12th. Send an email to episteme_tele@aweber.com to sign up for the Mailing List and the call-in info.

If you have questions that you would like to see Lee and me discuss on the call, please leave them in the comments below.

Amrit Called Me Cute!

November 30, 2006

Over at his blog, Amrit responds to the whole analyst thing, calling me “cute” in the process. His point is that Gartner is very stable and provides a valuable service. From the post:

As for a pattern of people leaving – The Gartner security team has roughly 25 analysts, of those 2 have left in the last 5 years. Of the 700 analysts at Gartner it is less than 10. I am sure if I used similar statistics to make a statement about patterns in OS security Thomas would tear me to bits, but claiming there is a pattern and insinuating that there is an issue with analysts’ objectivity or limited value is very much out of line (admittedly Thomas didn’t say anything about limited value, but others have).

I don’t know that “cute” was what I had in mind, and I think Amrit missed the point of the debate – the point isn’t that Gartner’s analysts are leaving Gartner in droves. The point is that WHEN THEY LEAVE, the vendor community is almost the exclusive destination. That is a pattern that’s hard to debate. I don’t know that I really believe that there’s a problem with that pattern; it only becomes a problem if a perception of impropriety develops somewhere down the line.

I’ve yet to see anyone claim limited value – there is no doubt that the analyst firms provide some value by dedicating resources to the study of problems in various areas. Much like academic research departments, the analysts have the time and resources to study problems in a way that most of us don’t – there’s definitely some value in that.

The biggest issue I have with analyst firms isn’t with the ones providing significant research and dedicating resources to it – it’s the ones that provide little new research and little new value that irritate me. More on that in the next few days.

(As an aside, I think that Amrit is the next Corey Haim-style teen idol – little girls everywhere are going to have his poster over their bed, and dream of having him call them cute.)

Podcast – Integrated Thinking for IT

November 29, 2006

The first episode of the Episteme Career Portfolio Podcast Series is ready – this episode is a recording of the teleseminar with Linda Ferguson on Integrated Thinking for IT.

On the call, Linda and I talked about all sorts of interesting skills needed for an incredible IT career. We especially focused on the interplay between intention and attention, and the way that we can use purpose and focus to create results in code, in technology and with people. We also spent a significant amount of time focusing on what it means to be “good with people”, and how the skills involved allow an infosec and IT professional to develop their career more significantly.

Click here to download the latest episode.

The Un-Analyst

November 29, 2006

There’s a big brouhaha going on in the security blogosphere right now about Amrit and Rich leaving the analyst world to become high-level security executives at vendors – Matasano, Shimel and Rothman have all weighed in with their thoughts on it. And, far be it from me to be quiet on such an interesting topic.

The general thrust of the argument seems to be thus: on the anti-“analysts taking jobs with vendors” side, how can analysts be independent if their next job is likely to be with a vendor? Doesn’t that make them biased?

And on the pro-“analysts taking jobs with vendors” side, analysts are people too. They have families to feed. And if we didn’t listen to Gartner et al. so much, we wouldn’t care.

And both sides have a great point – it’s hard to trust an analyst when you don’t know who he/she is negotiating with behind the scenes – it’s one of the reasons that the SEC used to restrict the activities of analysts within investment firms. Note that I said “used to” – these restrictions were gradually lessened as banks and investment firms merged repeatedly through the 80s and 90s, and eventually, the system failed in a most spectacular way. If you read Bethany McLean’s brilliant work on the Enron case (the book and the movie), she details the way that the investment firms’ dependence on their customers’ investment in Enron kept their analysts’ mouths shut.

At the same time, I have slightly less sympathy for companies who treat Gartner’s opinion the same way that we treat Wall Street analysts – this is especially true in security. Generally, companies are treating the analyst community “like demi-Gods” (in Alan’s words) because of a single pervasive belief:

“Outside people are smarter than inside people” (Actual quote from a co-worker)

Unfortunately, that one’s a hard-wired neurological tendency to have – we take for granted what is close to us every day, and we start to develop a resistance to the things that we persistently hear. It’s why consultancy is such a huge business, and why there are so many persistent jokes about it: “what’s a consultant do? Takes your watch, tells you the time, and keeps your watch”. So, companies are always going to need outside advice. Unfortunately, we end up going mostly to people who make “demi-god pronouncements” rather than teaching via the Socratic method.

So, to this end, I’m making an announcement, in the spirit of the geniuses over at 7-Up (the Un-Cola): I’m hereby declaring Episteme to be the first “Un-Analyst” firm. I’m going to give lots of opinions in a form that makes people think about what they’re doing and how it fits their environments. And I’m going to spend a lot of time asking questions that make people think and lead them to find their own answers. There are going to be papers written about how things are and asking questions about how they should be – killing sacred cows and questioning “that’s how we’ve always done it”. And using the 5 Whys a whole lot.

And I’m not going to give “demi-god”-like pronouncements – only push people to think about how to build technology, teams and careers through asking a lot of questions. And through teaching people how to tell time rather than taking their watches.

Perhaps I’ll make the logo a big question-mark.

Teleseminar – Lee Kushner on “Getting Hired, Getting Promoted and Building a Career”

November 29, 2006

After tomorrow’s teleseminar with TK, the next upcoming episode of the Episteme IT/InfoSec Career Portfolio Teleseminar & Podcast Series will feature my good friend and InfoSec recruiting guru Lee Kushner, president of LJ Kushner & Associates.

As an example of how to build brilliant networks, Lee and I first met in an elevator at BlackHat a couple of years ago – we’ll probably tell the story on the call, because it’s such an interesting piece of serendipity. And, since then, Lee has been one of the first people I talk to when making a career move – he’s one of the most astute observers of the trends going on in information security, and he really understands the way that sustainable and successful careers are built in this industry.

Because of that brilliant insight and the amount of time he spends with people who are building their careers, he really has a great understanding of the beliefs, knowledge and wisdom that make an information security pro a success, whether early in their career or as a security executive. And we’ll talk about all of those things on the call.

The teleseminar is going to take place at 1PM PST/4PM EST on Tuesday, December 5th. Send an email to episteme-tele@aweber.com to sign up for the Mailing List and the call-in info.

If you have questions that you would like to see Lee and me discuss on the call, please leave them in the comments below.

The Invisible Frame

November 28, 2006

When you look at a picture, do you ever stop to think about how it would change the picture if the frame was different?

That’s a question that Linda asked me once when we were walking through an art gallery. And we sat as I imagined the pictures in front of me in different frames to see the differences.

And sometimes we can realize that our lives are in psychological frames, too – the same question applies. I was reminded of this when I was reading Kegan and Lahey (who I have mentioned here and here), who talk about “Big Assumptions”. These assumptions are often those that go unquestioned in our lives.

They illustrate the point by telling the story of a woman who has moved from the UK to the USA, and is learning to drive here. From the book:

“…One time, my mind was on six other things. I got into the front right side, took out my keys, and looked up. ‘My God’, I said to myself. ‘Here in the United States, things have gotten so bad, they are even stealing steering wheels!’”

Of course, the countervailing evidence was just an arm’s length away to her left, but — and here is the main point — why should one even look? If we are certain we know how the world works — and this is how a Big Assumption operates; it creates certainty — why would we ever think to look for a different reality?

(emphasis in the original)

This is the way that most of us live our lives – we live with frames that surround our concept of the world that go unquestioned and unexamined for much of the time. And this is as it should be. If, for example, we had to question constantly whether or not we lived in The Truman Show (and a million other things we are certain of each day), life would be nearly unlivable.

Unfortunately, it is when the invisible frames work to impoverish our lives that they need to be examined. Many of us, for example, carry around the “if I’m not [some idealized trait here], people won’t like me” frame – and, regardless of evidence to the contrary (or even conscious/rational acknowledgment of its untruth), we live by that frame.

While all of our frames serve some purpose, one of the most important exercises you can perform is to examine your frames. Much like that day in the art gallery, bring the frames to the center of your attention as part of the picture of your life… and notice, just for a few minutes, what your life would look like if the picture had a different frame.

The Sounds of Words

November 28, 2006

I was listening to WUMB as I was driving the other day, and they were playing an amazing in-studio performance by Antje Duvekot. Between songs, the interviewer was asking her about her amazing ability to make the melody of the songs fit so incredibly with the words of the songs. And she said something that struck me as amazing (which I’ll paraphrase here):

I have a really hard time with melody. I find words much easier. But I’ve noticed that I pay a lot of attention to the rhythms of the words. I’m one of the few people I see who notices the sounds of words and how they affect the rhythm. I learned that from listening to Woody Guthrie…

As is so often the case in my life, this was completely serendipitous with a conversation that I had been having the day before with Linda in preparation for our teleseminar later today (click here to send email and sign up now).

We were talking about the importance of rhythm in conversation, and I had a striking realization – when I am doing hypnosis, telling a story or speaking to an audience, people usually are paying attention to the words that I’m using. But when I’m most in the zone, I’m actually not – I became aware that I often choose the content of the story by choosing the words that best fit the rhythm of the story.

The strangest thing about this is that it’s how most great singers and storytellers tell stories – if you listen closely, you can realize that the rhythm of their words is in sync with the rhythm of the music or the story itself. And that’s one of the things that distinguishes great stories and great songs from the mediocre ones – that synchronization.

500 Words on Love

November 27, 2006

Over at GapingVoid, Hugh is having a call for mini-manifestos – I couldn’t resist writing my own, on a topic I find particularly compelling.

On Finding the Love of Your Life

No, I don’t mean your husband or wife. In a typically-male, results-focused way, I mean your true calling. The reason you feel that you’ve been put here.

Let me explain with a story.

I spoke with a friend recently who turned down everyone’s dream job (not being asked to be an astronaut, but damn close) because his kids are growing up and he needs to be there for them rather than spending all his time at work. He said to me: “You can only have one primary purpose in life.”

That’s what I mean by a calling.

Most of us have been brought up to get a job, buy a house, keep up with the Joneses. What would happen if we all followed our true reason for being here?

When you look at the best and brightest, isn’t it clear that they’re following theirs? Look at Seth: is there any doubt that his calling is writing about marketing? Sometimes it almost seems like he emerged from the womb spouting pithy anecdotes about marketing success. Or Tom Peters: can you imagine him being anything but intense about someone running their business at anything less than full-on-WOW?

But it’s not just about public work: everyone knows that person who was just born to be a mom or a dad. Or a school teacher. Or an incredible neighbor who has the most incredible garden you’ve ever seen.

So, look within yourself. Remember back to when you were a little kid and someone asked you what you wanted to be when you grew up, and you actually had the moment where you dreamed for a minute about how cool it would feel when you did THAT thing… whatever it was.

What was it? More importantly, what did THAT feel like? And what makes you feel like THAT today? Because it’s not about the content of the dream… it’s about the feeling.

Now, take one single step toward doing the thing that gives you THAT feeling. And, if you still love feeling like THAT, take another step towards it. Lather, rinse, repeat.

And look up after some time, and find yourself fulfilled.

How would it change the world if everyone felt filled with THAT every day?

Deep Thoughts, By Product Developers

November 27, 2006

Recently, I was reading a completely ridiculous story about crazy warning labels on products. The article talked about some of the crazy warning labels found out there in the market, and the winners of this year’s Wacky Warning Label Contest. From the article:

This year, first prize went to a heat gun that removes paint by blasting it with air heated to 1,000 degrees Fahrenheit. The warning label said: “Do not use the heat gun as a hair dryer.”

Second prize went to the warning label on a kitchen knife: “Never try to catch a falling knife.”

Sometimes I wonder exactly what it is that makes some product managers out there tick. Seriously – what kind of deep emotional scarring was present in the person who decided it was necessary to warn the world not to dry their hair with a 1,000-degree heat gun, or catch a cleaver as it fell through the air?

And where’s the label on the knife package that says: “Warning: throwing this knife at someone could result in serious injury.”?

In reading the knife label, I couldn’t help but remember an episode of Deep Thoughts, By Jack Handey:

“If you ever fall off the Sears Tower, just go real limp, because maybe you’ll look like a dummy and people will try to catch you because, hey, free dummy.”

Except that he wasn’t serious.

On Employee Morale (with a Guest Host)

November 27, 2006

I’ve spent a lot of time on here lately talking about careers, but one of the topics I originally wanted to spend time talking about here is the kind of management that can lead someone to want… no, actually, need… no, beg and plead to come work for your company.

Well, my beautiful and brilliant wife beat me to it. So, today’s post is written by Melina Murray… take it away, Melina:
I was just talking to someone who had a pie competition at work. A real, major pie competition. The whole company either baked a pie or went to the tasting. And they had awards for the winners – First place, 2 tickets to SF (from Oregon).

That was just one of the things that this brilliant company sponsors/puts on throughout the year. They bring in bands during lunch time some days, they encourage different groups getting together (at work, during work hours) to have a drink and get to know each other, when they otherwise would not interact. For competition events, they give away anything from trips to iPods. These are all pieces that make this company a great place to work. Yes, this is a profitable, private company. But that shouldn’t matter.

In order to have a “great place to work”, the people, the employees have to WANT to come to work. They need to see two things: 1. that their work matters in the big picture, and 2. that they are valued and appreciated. So many companies do neither. It is honestly pathetic.

It really isn’t about the prizes, although trips and gadgets are nice. It is about fostering an environment that says: “Sure, you’ll have to work your butt off, but let’s have fun together”.

As a leader, do you really want your employees to come to work every day, waiting for the clock to hit 12 and then 5? When asked about their job, do you want your employees to say “it’s OK, it’s a paycheck“?

Or, do you want them to say: “XYZ is a pretty cool place to work. We do these amazing projects and have a fantastic team”? Or do you really want them to say: “I love my job. Working at XYZ is more fun than I ever imagined. Sure, we work hard, but we also have tons of fun”?

Think about the fact that this is marketing. It isn’t media marketing, but grassroots. If you were thinking of going with a product or service, what would you think of a company that has miserable, apathetic employees, versus one with enthusiastic employees? It can make a difference.

The kicker: it isn’t hard to do!! You don’t have to be profitable, you just need to put in a little effort. First and foremost, this mentality has to start with the CEO/President. The leader of the company has to want to espouse the environment. After that it trickles down through the executive management team and HR. If the leader of the company is not on board, any efforts will flop and fail.

Let me get back to HR for a moment. The role of a human resources professional at a company can be difficult. You have to be an advocate for the company and the employee. This can be difficult at times and requires a level head, complete confidentiality and honesty. Just because someone’s title says “HR”, does not mean that employees will feel open to talking. Relationships have to be grown and fostered. Sitting in an office all day, or staying within the same group only seeks to distance any potential relationship between HR and the other employees. Companies are changing from what they were 20 years ago. HR is not just about payroll, worker’s comp and benefits. It is about creating and enhancing the workplace environment to make it a place people want to come to.

And managers are as responsible for their employees’ happiness as the CEO and HR. A manager who plays favorites, is unavailable or confrontational is doomed to have a miserable team. Managers who promote teamwork (collaborating), who take steps to grow their people, who put on impromptu events for their team are very likely to succeed in having a motivated and excited team.

Back to my original rant. It is easy to have fun. It doesn’t require plane tickets or iPods, or Amazon gift certificates, although those are nice perks. Contests are always a great way to bring people together. Prizes can be anything from a half day, to a full day off, a really cool award/plaque, a special parking space, small gift certificates, or anything else. Potlucks can be a great way to gather everyone. Some people love to cook, and most people love free food!

It requires saying: “Hey, I know you work hard, so let’s have a lunch so I can say ‘thanks’”. It can be as easy as having the CEO/President take one lunch (just one) a quarter that she/he spends at the office, talking with any and all employees. As inexpensive as 10 boxes of pizza in the conference room. A time where anyone from the receptionist to the mail room clerk to the QA manager can come in and chat. This says “I care, I see you, and I hear you”.

Think about how much it costs in time and lost productivity to replace someone, then ask yourself how much these events really cost the company. I’ll bet the answer is “not much”.