Getting Information Security Training Right
December 17, 2008
Anybody who has talked to me in the past few years knows that one of the things that I’m most passionate about is evolving one’s career. Whether it’s the work I do with career coaching, my talks and research with Lee Kushner on infosec careers, or just my blog posts here, it’s a favorite topic of mine.
The topic of certifications goes hand in hand with career management – in fact, when Lee and I talk, one of our slides lists “What certification should I get?” as our “least favorite question”. Because we get it every time we talk to anybody.
One of the other things I’ve been doing of late is teaching classes to help people become more effective penetration testers. Penetration testing is where I started my career, and I really enjoy helping people learn those skills and develop that part of their capabilities. So, for the first few months after I left Neohapsis, I was working with one of the better-known training organizations, and I expected to be able to make a difference.
Unfortunately, my expectations were not met. Where the organization promised “deluxe accommodations” for their students, we were booked at the Quality Inn. Where they promised “cutting-edge techniques”, the students got information and exercises that were five years old.
Anybody who has worked with me knows I’m a bit of a stickler for doing right by my clients. And this wasn’t right. And I was frustrated because, despite my emails to the leadership of the organization, I was seeing no improvement.
So, I was sharing this frustration with my associates over at Foreground Security (who also run The Hacker Academy). And they agreed with me. But they did it one better: they challenged me. Dave and Aaron said:
“Can you do better?”
When I told them I could, they threw down the gauntlet.
“Give it a shot. What would it need?”
After a few conversations, we came up with a few different things. First and foremost, the curriculum needs to be up to date. No more teaching stuff that is five years old and calling it “state of the art”. Exercises should be consistent with what Foreground’s team of pen-testers are seeing on real engagements on a daily basis. If tools/exploits/techniques stop being relevant, then we teach their replacements.
Second: the curriculum needs to be KEPT up to date. And so do the students. And the students need access to a quarterly update of all the things that are new. No more of the “get ‘em out the door” way of doing things – let’s ensure that every student who goes through this class is given access to continuing information that will let them stay current.
Third: Let’s give them real facilities with solid, repeatable technology and processes. And it shouldn’t matter whether they take a class from us in Orlando, DC, San Francisco or Switzerland, the experience should be the same.
And, finally: Instructors should be trained to give the same material in the same way each time.
In short, we’ll run it like a business. And we’ll treat our students the way that they deserve to be treated.
Well, Dave and Aaron liked that so much that they told me to go for it. And they put out a press release about it. Our first class with the new curriculum I’m designing is going to be in mid-January, in Orlando. Because, really… who wants to be anywhere but Florida in January?
Email me if you have questions. Or email Aaron Cohen to find out the logistics, price, signup, etc.
The Importance of Turnover
December 8, 2008
We in North America love our sports metaphors. I was reminded of that recently when I was speaking with the president of a successful and relatively forward-thinking security company, and he was telling me about his management philosophy.
“I want the people on my team to stick around. I mean, look at the New England Patriots – you think they build a dynasty with huge amounts of turnover? Nope – they kept the core of that team intact over the years.”
Well, I personally don’t agree with his stance. I have always believed that teams that stay together for too long lose the freshness and innovation that is required for success in these times. I heard a great quote (attributed to Tom Peters) recently:
“If the rate of change outside your organization is greater than the rate of change inside your organization, then the end is near.”
Brilliant. And true (in my experience).
But not in the opinion of my colleague. Nor, in the opinion of the New England Patriots, apparently.
But I’m a football fan as well, and something about that didn’t smell right.
So, I put together some research on the matter. And it showed exactly what I’d expect – the New England Patriots are a dynasty not because they keep their core together, but because they have built a system that manages turnover.
To summarize the research: from 2003-2008, the Patriots had approximately 33% annual turnover among staff and players – that is, the entire team could be expected to be replaced EVERY 3 YEARS. Yet they remained competitive during that time.
In fact, only 13 people TOTAL (3 offensive players, 5 defensive players, and 5 coaches) were on the team for all five of those years. (And they’re hardly “core”, unless one considers the long snapper and the running backs coach “core”.) The two most important of those are Tom Brady and Bill Belichick, and even Brady’s importance has been diminished this year, given the play of Matt Cassel in the same system.
More importantly, when you look at the coaches, the turnover has all been where it would be presumed to be most important: at the top. The team has used 3 offensive coordinators and 3 defensive coordinators in those 5 years – in product development terms, that’s like switching VPs of Marketing and Engineering 3 times in 5 years.
So, I assert that the New England Patriots make my point: the reason that a company (or a football team) is successful isn’t its ability to avoid turnover, but its ability to create systems (especially for talent development and knowledge capture) and, most importantly, a culture that minimizes the impact of turnover.
Coming Soon: Security People on Video
December 4, 2008
Because what we all need is to see more of that, right?
Seriously, though – I’m working with a cool new project and I wanted to share a bit of a preview. The site is called Demos on Demand for Security. It’s sort of like a Revision3 for Security, and has brought aboard some pretty cool people as hosts. I’m not going to share all the names, but it should be obvious from the sample videos that Richard Stiennon is going to be one of the hosts. (If you’re interested in being a host or a guest, feel free to email me.)
I’m also excited to announce that I’ll be doing a regular (at least a couple of times per month) show with my favorite person in the industry to debate with – the always fun and lively Michael Santarcangelo. Sort of a Hannity & Colmes of security, so to speak. With hard-hitting (but entirely “fair and balanced”) interviews of the people in the security industry.
The first episode of that show should be up in the next few weeks, so keep watching both here, and at the DoDS site for updates.
Working hard
December 1, 2008
Over the years, I have become a big fan of football – less because of what goes on during the games than because of what happens behind the scenes. One need only look at the life of a professional football player or coach to understand the difference between the work ethic of someone who is a moderate success and someone who ascends to the very top of his or her field.
This has been a fantastic week for that curiosity on my part. First, there’s a great article in Sports Illustrated about the preparation that Derrick Brooks puts in every week. The article is reprinted here. Relevant quote:
“It may be surprising that a 10-time Pro Bowl linebacker would study players who are still three or four years from making it to the NFL. But even now, the day before he faced the Vikings, the 35-year-old Brooks settled into his den again to watch Florida quarterback Tim Tebow and running back Percy Harvin in the Gators’ rout of South Carolina. “Some people relax or get recharged by going to Europe or going to the beach,” Brooks said. “For me it’s studying young kids. The one edge I feel no one will ever have over me is the mental edge of knowing players.”
This is a guy who is a veteran and future Hall of Famer. Anybody care to guess what got him there?
Even more interesting is this week’s edition of Peter King’s “Monday Morning QB” column – King breaks down the week that the Arizona Cardinals just had and exactly what the schedule was:
“From 8 p.m. to midnight, the coaches met to finish the gameplan, working on red-zone, goal-line and nickel plays. Most coaches were at the facility for 17 hours, minimum, on Monday.”
The work required to be successful at the level of NFL players should be instructive as to what it takes to be at that level in any career or job.