Nowhere do I find this more evident than in the Byron case.

Look, let’s be blunt: from everything we know about what Byron was doing, it was kind of stupid. He was acting as an agitator to the G20 security establishment. He wasn’t being particularly subtle. He was trying to stir up a response, and he did.

I think it’s clear that he’s guilty of mischief. He’s certainly an agent provocateur (def: “a person or group that seeks to discredit or harm another by provoking them to commit a wrong or rash action.”)

Joshua Errett over at NOW Toronto described it best:

“What Sonne was actually trying to do is expose security inadequacies of the G20, as is the role of the hacker. His intent was never to harm, and any crimes he allegedly committed were entirely victimless.

That the justice system can’t see the deep shades of difference between Sonne detailing security lapses and petty vandalism is an outright shame. And, in some ways, discrimination. If Sonne had been a cowardly Blac Blocker, bail would have already been set. There certainly seems a different set of rules for hacking.”

With the ruling yesterday that Byron will remain in jail until his trial and be unable to have any contact with his wife during that time (unless in the presence of lawyers), there’s little question that he got the “rash action”.

And it’s clear that Canadian society has made its statement on how it intends to deal with dissent – zero tolerance.

In contrast to Byron’s crimes, those who steal $30-$50 million, dangerous offenders, those who kill while drinking and driving and crack dealers all go free on bail.

This is one of the more disturbing issues with the case – not that Byron wasn’t guilty of being annoying, but that the treatment he is receiving at the hands of the justice system in Canada is far more harsh than those who commit far more significant crimes that leave people hurt, dead or destitute.

Free Byron.

Technorati Tags: byron sonne, canada, dissent, free byron, overreaction, politics, stupidity, supression

And that doesn’t even mention that the picture that they’re using makes him look that way.  (As an aside: in my 11th grade journalism class, we spent a lot of time talking about how pictures frame the news story that you’re reading.  Before you ever even start the Globe and Mail coverage of this story, you’re greeted with a blurry, grainy picture of Byron looking like he’s about to blow up a building.   Regardless of whether the facts  support the charge, our minds are primed with all of the times that we’ve seen a terrifying looking psychopath looking very similarly to this picture… and we read the story with that bent.)

Unfortunately, the reality seems a little less glamorous. If you read Byron’s Twitter account, you’ll find that Byron was being little more than the opinionated activist that he is. “An agent provocateur”, as someone told The Star. He talked about investigating the fences and posted video of the fences. He talked about how the cameras were being set up in locations that were likely to be used by activists. And he was pointing out that the amount of money spent on “security” for this conference was a little out of range.

One of the things that Byron has been most pilloried for in the news was the talk he gave a few months back on radio surveillance (a decent account can be found here).

Amazingly, Byron even posted the slides to that supposedly “provocative” talk on his Twitter feed. (I’ve put the same slides here for the BitTorrent challenged). Read them… there’s nothing in there that suggests anything but a security professional talking about insecure radio transmission.

Let’s give a different picture of the guy that used to work for me. Byron’s a very smart and well-rounded engineer. While he wasn’t the top producer on the team, he was someone who I valued a great deal from a management perspective. He was vocal and would push others to come to the table with their best (even when he wasn’t up to their level). He was the member of the team most willing to call out others in a meeting. It wasn’t just internal… he was even willing to call out a vendor in a blog post. (Note that since I wrote this, nCircle took the orginal post down)

Above all, Byron Sonne was always an ethical person and someone who I trusted a great deal. And I agree with the assessment that Jesse Hirsh made in an interview with The Toronto Star:

“I suspect that this may just be a stunt and perhaps a stunt that got out of hand,” Hirsh said.

Regardless, it’s a shock to me that this would lead to an arrest and incarceration. None of the posts made threats or suggested potential for harm. His talk is innocuous. And this all looks like a very large over-reaction from a police service that felt somewhat embarrassed that someone was publicly calling them out on their failure to encrypt their communications and poor placement of security cameras.

Technorati Tags: arrest, byron sonne, inappropriate pictures, influence

The thought that stuck out to both of us during the chat was the idea that we’d fail kindergarten if we were subjected to another year – that the things that has made each of us successful to this point would have caused utter failure in the current school system. We both have a nearly chronic inability to follow the rules, stay in single-file lines, refrain from asking “why?” about a million times too often and ensure that we always make the sky blue when we color.

As Drawk said: “we’d in the corner eating the paste.”

I realized later that I should have corrected him… so I will now… “we’d be in the corner figuring out how to take the paste, turn it in to some crazy 5-star dish involving liquid nitrogen and debating about how to market a nationwide line of “frozen paste” shops.“.

It’s a trait that a lot of my friends seem to share.

The MP3 is worth a listen – Drawk had some great stories on there and I talked about random stuff that some people might find interesting.

(Aside: if you haven’t picked up Drawk’s “Domination Basics” ebook, you need to – it’s free and one of the better reads of the last year. The last person who I convinced to read it immediately sent me the message that “OMG! Drawk Kwast is the UberMan!!!!”. All I can say is that you should read it yourself and find out what all the exclamation points are all about.)

Cris’s comment was that using pre-existing material for anchors is “sort of like exploiting around DEP” – basically, the idea of a "Return-to-libc” exploit.  You have pre-existing functions that perform the task that you’re hoping to do.

This reminded me of something that Tom did to me during the weekend.  Tom walked up to me this weekend and said:

"So, you’re a hypnotist right?  You’ve been in trance before, you know what that feels like, don’t you?" And, as soon as I think about it (which I have to do to understand his question), he achors it.

Tom then proceeded to spend the rest of the weekend enjoying firing off the trance anchor at opportune times.

So, in our email conversation, Cris and I were talking about some good elicitations to anchor that many people would already have:

“Hey… remember that scene from Say Anything where John Cusack was standing outside with the boom-box on his head?  How romantic was that?  What was the most romantic movie scene you remember… one that just made your heart melt?"

Or: "As you wish" (for anyone who has seen the Princess Bride).

Or: "What’s the song that gets you most in the mood?”

In other words, the "Return-to-Barry-White" exploit. 

Note: I’m well aware that this isn’t at all new.  Neither’s ret2libc, really.  But it’s a great example that hopefully drives some new ideas and new thinking.

I was actually lucky enough to speak twice at the conference – I was the opening speaker and the final speaker before Chris and Linda closed out the conference.

More (including video of my talks) in the coming days, but for now, just a picture of me, Chris Ron Verreggen of RapidSuccessCoach.com.

“When asked how he had managed to fool them, one of the airline execs in Jersey stated:

“If they were real then there would have been opportunities for us to expand our business and that’s not the sort of thing we are going to ignore.””

That quote is the key to it all – we can all learn something from this executive. The problem is that the higher ups in this company were willing to throw caution to the wind when granted a potential for monetary gain. Of course they’d love to expand their company, but at the cost of ignoring security and inviting the con-artist into their inner sanctum?

The question is would this executive also be answering a phishing email like the one I got from Jassay Goran in the Solomon Islands that promised me I’d get $8.5 million if I followed a few simple steps? People involved in social engineering are often extremely bright, inventive and ingratiating – as I have said repeatedly in talks, social engineering is primarily a crime of the imagination. Note that in his explanation and defense of his actions, the executive used the phrase, “if they were real,” as the pretext for his action. Anytime someone does that, they’re taking a big chance with that little word “if.”

I’ll comment more on this article and overall story in a later blog. I think there’s something to be learned from a fact that’s recently been reported about this 17-year old—he has Autism. Also, this story really makes me reconsider the whole topic of user education. More thoughts after the pre-Blackhat rush settles a tad.

Technorati Tags: con artist, con man, security awareness, social engineering

“The super-high-speed cable is now hidden under six feet of Cornish beach-which is just as well, because if it were discovered and damaged, the entire web in Britain could turn to treacle. Warren Pole reports on the fragile network of ocean cabling that keeps the modern world turning, the madcap economics of internet supply-and why it will run out of space by 2014 unless scientists think of something… fast.”

While we’re pushing bandwidth at the final mile (I’m able to get 25Mbps down, and that’s not even on FIOS), we’re going to run in to significant snags at the key chokepoints – the core internet infrastructure and the transoceanic cables.

According to the article, there are nine cables joining the US and England that have a capacity over 39Tbps.

When I started in security in the 90s, we spent a lot of time talking about infrastructure and the core. Then, we “solved” a lot of the bandwidth problems in the late 90s and got ahead of the game.

And now we’re deploying video across the net. I watched UFC 100 the other night through Yahoo. All of my TV is via iTunes/AppleTV.

We’re not prepared for users like me. And that doesn’t even consider the idea of wholesale IPTV. No question – the idea of trying to lay cable to solve this problem is going to be difficult to keep up with. These cable links, which can be seen simultaneously as being tenuous and formidable, retro and high tech and innovative and shortsighted, are a model for the often unpredicted but possibly anticipated challenges that keep us in business.

Technorati Tags: Fiber Optics, Internet security, Security, security awareness

“According to a recent Websense Inc. survey, the decision has already been made by the business units with 86% of IT respondents reporting pressure to allow more social networking in the business. The message resonates loud and clear to security: Resistance to advances in technology is futile; find secure ways that business can move forward.”

It seems obvious that the more social networking we do, the more vulnerable we make ourselves to breeches in security. Viruses can spread quickly, data can be compromised and entire systems can be severely hampered.

The fact is Facebook offers a variety of ways for those in the same company to interact and for various organizations to create networks – there’s business value there. Not to mention that Twitter, LinkedIn, MySpace and other such sites, although all different, have the power to bridge a global communications gap. Both Facebook and Twitter have become popular with professionals between the ages of 25 and 35.

It’s evident to me that it’s virtually impossible to stop this trend towards incorporating and integrating social networking sites into the IT networks of companies. With pressure on businesses to allow the use of such sites comes the need for controls, common sense and regulations. While I’m a huge fan of incorporating social networking in to business, there’s definitely an important control issue here. Here are a few questions I encourage anyone to consider before using a social networking site in tandem with his/her business.

Why are you deciding to incorporate a social networking site?
There’s no doubt that such sites make communication easier. That’s a given. But you have to determine the reason for this expanded communication and how much control is needed. You’ll need to develop protocols for using the site within your company and other protocols in utilizing the site when dealing with vendors, clients and the general public.

Which features will your employees be able to access and which will your business utilize in its public profile?
Each social networking site offers a range of choices to its users. As an example, if you elect to go with Facebook, a range of choices await you as to how much information is public, which tools are made available and how participants can interact. Are Wall postings appropriate, should Status updates be allowed and which groups, if any, will be established? These questions and others are appropriate for the manner in which the network is used within the company and amongst the general public, clients and vendors.

What controls will you put around the use of the technology?
Once you decide to incorporate a social networking site, you’ll need to develop a sound security plan and a method for checking on how individuals are using the site. Opening your business up to a site such as Facebook makes it more vulnerable to hackers, phising schemes and other security concerns. Once you open up your organization to an outside entity greater security precautions and more vigilance will be needed. Beyond just technical controls, also consider the need for policies and procedures – develop written policies, specific guidelines and a clear vision of the exact reasons for using such a site to guard against misuse, miscommunication and compromises in security. It’s the first step in helping to ensure a smooth transition by your company into the world of social networking.

Anybody who knows me knows that I’m a huge fan of social networking (evidence Twitter, LinkedIn, Facebook) – as such, I welcome the fact that social networking sites are not only here to stay, but that they will continue to expand and evolve. That means that the security and business communities as a whole must also evolve and develop.

Technorati Tags: facebook, linkedin, Security, social networking, twitter

So, Gadi posted recently about his disappointment with NLP. It’s not the first time I’ve heard these arguments, and they all come down to a single, fundamental misunderstanding:

What we commonly call “NLP” is not science. Nor is it even scientific.

Most of this confusion comes out of the distinct issue that John Grinder called out in his book Whispering In the Wind. The thing that was originally “NLP” was a project that attempted to model successful people, notice the patterns of language and behavior, and replicate them. (This, Grinder refers to as “NLP_modelling“).

NLP_modelling was not scientific, but at least its principles were sound. Grinder and Bandler went and sat in the room with three strong therapists and learned to “act like” those therapists. They kept doing so until they were able to replicate the behavior. And then they continued to do so until they gained conscious ability to explain how they replicated the behavior.

While none of this was science, at least there was a principle behind it.

Where it all went to H-E-double-hockey-sticks is when they wrote down what they did and tried to explain how they replicated that behavior. This was a fool’s errand in some ways… there are grave epistemological concerns here – it’s beyond difficult to take your own behavior, translate it into conscious understanding and then try to convey it to others in language. It’s the same reason that great baseball players aren’t often good coaches – when you’re really good at something, it can often be difficult to teach others. Grinder once noted that when Bateson reviewed their work, his comment was: “Shoddy Epistemology.” Bateson was accurate, and this is where things started to get wonky.

This is because NLP_modelling is not what most people call “NLP”. When referring to NLP, most people are referring to the things that were written down – the hypothesis explanations that were posed by Grinder , Bandler and their colleagues/followers (e.g. Dilts, the Andreas’, etc.) to explain how they replicated behavior. These are what Grinder calls “NLP_application“).

Unfortunately, because of the epistemological concerns, NLP_application is about as scientific as me trying to predict the weather by sticking a wet finger in the air. Because we can hypothesize just about anything. I can observe how certain people act, and then make up any random example of why it must be true. For example, I could tell you that people are a certain way because of the position of the moon and the stars when they were born. How crazy would that be?

So, if NLP isn’t science, what are we to do?

Most people want to throw the baby out with the bath water. I’m a big fan of the original project – let’s look at people who get a particular result, and figure out how they do it.

But if you want to make it science, then turn around and figure out how it works.

Anyone who has looked at NLP has seen the following chart:

(Borrowed from http://completelymental.net/ )

The thing is, anybody who has tried to study whether it works finds that it doesn’t. Yet, many NLP people swear that there’s some efficacy in watching people’s eye patterns and using them to discern how people are thinking.

I was lucky enough to study NLP with Linda Ferguson and Chris Keeler at NLP Canada, and they get it. Linda was the first to point out to me that what Grinder & Bandler probably noticed (unconsciously) was the same set of patterns that Paul Ekman has noticed – we express many feelings and emotions in very small and quick ways with the musculature around our eyes.

So, while eye accessing cues don’t work, we find that paying close attention to that region of the face leads us to a detailed understanding of someone’s emotional state.

This is what happens when you approach a project without solid epistemology – you end up with many of the right behaviors, but the wrong reasons behind them.

And, sometimes, you end up with a whole pile of dogma and “true believers”. But that’s the subject of a different rant.

Until then, realize: NLP is not science. There is some useful background to take the tools and attempt to use them, and, even better, combine them with other, more useful science to figure out how to tie it together.

(As a shameless plug, I’m the one taking the lead on much of the “NLP-like” content at the SE Master Class. I say “NLP-like”, because it won’t be based on either NLP_application or NLP_modelling. But anyone with an NLP background will find similarities on the things that really work in the real world, without much of the NLP and hypnosis dogma that goes around.)

“How do you achieve quick wins in Web Application Security, rooted in software, with measurable results that CIOs would appreciate? ”

I started a thread on twitter with my answer, but that’s not the format for reasoned discourse and detailed thinking. So, I decided to write about my thoughts a little more in detail here.

The answer is simple: You don’t.

Jeremiah laid out most of the reasons in his post, but it comes down to one thing: an SDL improvement effort is a multi-faceted, process-based set of changes that lead to a long-term process that creates security through up-front consideration, not through solving one-off tactical issues.

In that way, the effort that Jeremiah lays out is exactly the same as that faced by the Quality proponents and Deming followers in the 80s. Everyone “knew” that quality was important, but nobody could ever justify the up-front costs of redesigning an entire process to create that kind of quality.

In short, there were no short-term wins.

Yet, today, almost every large corporation has implemented some form of Six Sigma/Lean/TQM program at some point.

The point I was making on twitter was that, if there’s a model to follow to find the way to make application security palatable to the C-suite, it’s the adoption model of Six Sigma.

I see three key points to the adoption of quality as a movement.

Business Pain without a forseeable end
The main driver behind the quality movements of the late 80s and early 90s was the pain that most organizations were feeling. The economic recovery of the 80s lead to a strong competitive environment, with extra pain coming from overseas competition. In the case of the auto industry, it was Japan. For other orgs, the pain came from other offshore and domestic competitors. And as the economy slowed in the late 80s/early 90s recession, many of these organizations looked for a sustainable competitive advantage to give them an opportunity to survive when others in their space couldn’t.

The economy is leading us to a similar state today. Businesses are looking for an advantage as the economy turns down. (Note that I don’t believe that application security leads to a sustainable competitive advantage in the same way that Lean and 6S do. I’m just making a parallel between the conditions).

Examples of Success
The most important factor in the adoption of quality processes was the very public example of success put forward by Honeywell, Motorola and GE. From Wikipedia:

“Other early adopters of Six Sigma who achieved well-publicized success include Honeywell (previously known as AlliedSignal) and General Electric, where the method was introduced by Jack Welch.[8] By the late 1990s, about two-thirds of the Fortune 500 organizations had begun Six Sigma initiatives with the aim of reducing costs and improving quality.”

Because these organizations put forward incredibly public accounts of their success, it was easy for other C-level executives to embrace the potential of the initiatives. While every leader wants to believe that they’re an individual, the top levels of business are very much a CYA culture – only the success of one’s peers allows one to take the risk.

This lead to…

Quality is Free
As these successes built, documentation started to build the belief in this type of program. This eventually lead to the mantra that “Quality is Free” – the idea that a successfully implemented quality program pays for itself in the long-term, regardless of the short-term cost/pain associated with the implementation.

My point to Jeremiah is that the Application Security community is living without the latter two of these points – we have no examples (save perhaps Microsoft) that show that a consistent focus on process-oriented security is successful. And we have no data that backs up the long-term cost benefit of the initiative.

In a situation where the task requires long-term process reorientation, short term wins aren’t possible. We need to follow the model of the adoption of Six Sigma: We need to court those forward-thinking, Jack Welch-type CIOs who are willing to make this happen, and then have them make their successes public.

Only then will we see a widespread adoption of security-focused SDL reengineering initiatives.

In preparation, and to give people a brief taste, Chris and I did a webinar last week. Check out the video for the webinar over at EH.net

Also, since Chris leaked it already (when someone SE’d him on EH.net), I’ll post a small snippet of one afternoon of course outline here:

Determining Tests
• Types of testing
o Direction of attacks
o External
? Electronic
• Phishing
• Client-side / browser side exploitation
• Metasploit
• Core
• By hand

• Malicious attachments
? Person to Person
• Phone
• Written
• Social Networks/IM
• Public Manipulation
o Internal
? Person to Person
• Gaining access to physical credentials
• Solicitation
• Direct interaction
• Creating spies / information leak sources
o Methods (al mamalik,qulaam, kgb,cia,others)
o Trading information
• Becoming an employee
? Electronic
• CD/Key drops
• Authentication bypass
• Key /perimeter bypass
• Falsification of credentials
• RFID/ HID copying

Check out the webinar, and hopefully you sign up for the class.

Technorati Tags: chicagocon, Chris Nickerson, influence, SE Master Class, Security, social engineering

The topic of certifications go hand in hand with career management – in fact, when Lee and I talk, one of our slides lists “What certification should I get?” as our “least favorite question“. Because we get it every time we talk to anybody.

One of the other things I’ve been doing of late is teaching classes to help people become more effective penetration testers. Penetration testing is where I started my career, and I really enjoy helping people learn those skills and develop that part of their capabilities. So, for the first few months after I left Neohapsis, I was working with one of the more well-known training organizations, and I expected to be able to make a difference.

Unfortunately, my expectations were underwhelmed. Where the organization promised “deluxe acommodations” for their students, we were booked at the Quality Inn. Where they promised “cutting-edge techniques”, they got information and exercises that were 5 years old.

Anybody who has worked with me knows I’m a bit of a stickler for doing right by my clients. And this wasn’t right. And I was frustrated because, despite my emails to the leadership of the organization, I was seeing no improvement.

So, I was sharing this frustration with my associates over at Foreground Security (who also run The Hacker Academy. And they agreed with me. But they did it one better: they challenged me. Dave and Aaron said:

“Can you do better?”

When I told them I could, they threw down the gauntlet.

“Give it a shot. What would it need?”

After a few conversations, we came up with a few different things. First and foremost, the curriculum needs to be up to date. No more teaching stuff that is five years old and calling it “state of the art”. Exercises should be consistent with what Foreground’s team of pen-testers are seeing on real engagements on a daily basis. If tools/exploits/techniques stop being relevant, then we teach their replacements.

Second: the curriculum needs to be KEPT up to date. And so do the students. And the students need access to a quarterly update of all the things that are new. No more of the “get ‘em out the door” way of doing things – let’s ensure that every student who goes through this class is given access to continuing information that will let them stay current.

Third: Let’s give them real facilities with solid, repeatable technology and processes. And it shouldn’t matter whether they take a class from us in Orlando, DC, San Francisco or Switzerland, the experience should be the same.

And, finally: Instructors should be trained to give the same material in the same way each time.

In short, we’ll run it like a business. And we’ll treat our students the way that they deserve to be treated.

Well, Dave and Aaron liked that so much that they told me to go for it. And they put out a press release about it. Our first class with the new curriculum I’m designing is going to be in mid-January, in Orlando. Because, really… who wants to be anywhere but Florida in January?

Email me if you have questions. Or email Aaron Cohen to find out the logistics, price, signup, etc.

Technorati Tags: CEH, ethical hacker, ethical hacking, information security, infosec training, penetration test, penetration test training, Security, security certification, training

“I want the people on my team to stick around. I mean, look at the New England Patriots – you think they build a dynasty with huge amounts of turnover? Nope – they kept the core of that team intact over the years.”

Well, I personally don’t agree with his stance. I have always believed that teams that stay together for too long lose the freshness and innovativeness that is required for success in these times. I heard a great quote (attributed to Tom Peters) recently:

“If the rate of change outside your organization is greater than the rate of change inside your organization, then the end is near.”

Brilliant. And true (in my experience).

But not in the opinion of my colleague. Nor, in the opinion of the New England Patriots, apparently.

But I’m a football fan as well, and something about that didn’t smell right.

So, I put together some research on the matter. And it showed exactly what I’d expect – the New England Patriots are a dynasty not because they keep their core together, but because they have built a system that manages turnover.

To summarize the research: from 2003-2008, the Patriots had approximately 33% turnover among staff and players – that is, the entire team could be expected to be replaced EVERY 3 YEARS. Yet they remained competitive during that time.

In fact, only 13 players TOTAL (3 offensive, 5 defensive, and 5 coaches) were on the team for all five of those years. (And they’re hardly “core”, unless one considers the long snapper and the running backs coach “core”). The two most important of those are Tom Brady and Bill Belichick, and even Brady’s importance has been minimized this year, given the play of Matt Cassel in the same system.

More importantly, when you look at the coaches, the turnover has all been where it would be presumed to be most important: at the top. The team has used 3 offensive coordinators and 3 defensive coordinators in those 5 years – in product development terms, that’s like switching VPs of Marketing and Engineering 3 times in 5 years.

So, I assert that the New England Patriots make my point: the reason that a company (or a football team) is successful isn’t its ability to avoid turnover, but its ability to create (esp. talent development and knowledge capture) systems and (most importantly) a culture that minimizes the impact of turnover.

Technorati Tags: bill belichick, Business, Management, new england patriots, patriots, tom brady, turnover

Seriously, though – I’m working with a cool new project and I wanted to share a bit of a preview. The site is called Demos on Demand for Security. It’s sort of like a Revision3 for Security, and has brought aboard some pretty cool people as hosts. I’m not going to share all the names, but it should be obvious from the sample videos that Richard Steinnon is going to be one of the hosts. (If you’re interested in being a host or a guest, feel free to email me

I’m also excited to announce that I’ll be doing a regular (at least a couple times per month) show with my favorite person in the industry to debate with – the always fun and lively Michael Santarcangelo. Sort of a Hannity and Combs of security, so to speak. With hard-hitting (but entirely “fair and balanced”) interviews of the people in the security industry.

The first episode of that show should be up in the next few weeks, so keep watching both here, and at the DoDS site for updates.

Technorati Tags: demos on demand, demos on demand for security, it harvest, michael santarcangelo, richard steinnon, Security, security catalyst, security video

This has been a fantastic week for that curiosity on my part. First, there’s a great article in Sports Illustrated about the preparation that Derek Brooks makes every week. The article is reprinted here. Relevant quote:

“It may be surprising that a 10-time Pro Bowl linebacker would study players who are still three or four years from making it to the NFL. But even now, the day before he faced the Vikings, the 35-year-old Brooks settled into his den again to watch Florida quarterback Tim Tebow and running back Percy Harvin in the Gators’ rout of South Carolina. “Some people relax or get recharged by going to Europe or going to the beach,” Brooks said. “For me it’s studying young kids. The one edge I feel no one will ever have over me is the mental edge of knowing players.”

This is a guy who is a veteran and future Hall of Famer. Anybody care to guess what got him there?

Even more interesting is this week’s version Peter King’s “Monday Morning QB” column – King breaks down the week that the Arizona Cardinals just had and exactly what the schedule was:

“From 8 p.m. to midnight, the coaches met to finish the gameplan, working on red-zone, goal-line and nickel plays. Most coaches were at the facility for 17 hours, minimum, on Monday.”

The work required to be successful at the level of NFL players should be instructive as to what it takes to be at that level in any career or job.

Technorati Tags: arizona cardinals, career, derek brooks, hard work, nfl, peter king

I happened upon an interesting thought exercise for branding when talking with Melina the other day. We were talking about her business, and I asked the following question:

“What problem do you want your clients to have when they think of your name?”

That’s an incredibly powerful way to conceive of branding. It speaks to all elements of what a brand is – what you’re an expert on, what you’re known for, and how you help your clients on a daily basis.

This is true whether you’re branding a business or developing your personal brand. Change it around for personal branding:

What problems do you want your boss/peers/colleagues to have when they think about calling you?

Technorati Tags: brand you, branding, career, Career Skills, personal branding

Job Search is to _____ as Career Management is to _____

I figured I’d post some additional ones:

Job search is to accident as career management is to plan.

Job search is to workout as career management is to training.

Job search is to dating as career management is to marriage.

Technorati Tags: career, career management, Career Skills, jason alba, jibberjobber, job search

“And yet, there are plenty of books about getting a job, but no books I know of about choosing a job.””

That’s exactly why I wrote Forget the Parachute, Let Me Fly the Plane last year. One of the most frustrating experiences I’ve gone through while coaching people on their careers is to have them accept jobs without doing the background research on the company.

So, I wrote a book about how to get a job that actually works for you.

You know, I was going to write an entire post on this… but I said it best on pg. 74 of Forget the Parachute:

No. We’re going to align you with companies first. Then, you’re going to go get the job from them. Because you’re already like them and they’re like you: if we align right, it’ll be like you already have the job. They just don’t know it yet.

“But…”, I can hear your inner skeptic saying. “That’s not how I learned it.“

Of course it’s not. Because what you learned is what everyone else does. And it’s why I had the opportunity to quote the statistic earlier that 3 in every 4 people around you is looking for a new job right now.

If you do what you’ve always done, you’ll get what you’ve always got.

Then, you do a few exercises that help you to research and find companies that fit with who you are and what you’re truly looking for.

Seth has it right in his new post: where you work matters. A lot. So spend the time figuring out whether the companies you’re looking at align with who you are and where you want to go.

Technorati Tags: career, Career Skills, forget the parachute, seth godin

“Information security is one of the most difficult industries to navigate a career in. The industry is new, and the skills are ever-changing. The nature of the industry is that the biggest threats are always in the newest technologies, which means that if you’re not actively running, you’re falling behind. Not to mention that there’s no industry standard for certification, for knowledge, or even for what “security” actually is. It’s confusing at the best of times.

As the industry gets more complex and the economy tightens, a solid career plan and the skills to pull off that plan are going to become ever more important. Industry veteran and respected career speaker and coach Mike Murray will work with the attendees of ChicagoCon to discuss the fundamental skills needed, and put the audience of this breakout session through exercises that will help clarify that plan, and move forward toward their ultimate career goals.”

But I wanted to provide some deeper information for those who might be interested or want to know more.

We’re going to talk about:

• Uncovering Opportunities – Finding a job in troubled times
• Life Jackets – Keeping your head above water until you’ve found that job
• The Art of Indispensibility – Making it harder for your company to let go of you
• Preparing for the Worst – Ensuring that you’re ready to go even before you get laid off

We’ll also talk about real situations that members of the the audience are having, and I’ll be working with people in the class one-on-one to help them prepare themselves for whatever is going to happen next in their careers.

Technorati Tags: breakout session, career, chicagocon, conference, information security career

Tarry asserts in his post that one of the good things about hackers spending time finding vulnerabilities is that (and I quote):

“Security and Compliance will be core focus of all organizations (as regulators will come knocking at your doorsteps)”

Umm… I hate to say it, but that ain’t ever gonna happen. No matter how many regulators show up on someone’s doorstep, that counts as one of the least well-thought-out predictions I’ve ever heard.

Simply put:

• McDonald’s core focus will always be on making hamburgers.
• Nike’s core focus will always be on making shoes/clothing for athletes.
• Ford’s core focus will always be on making cars.

If those organizations ever make “Security and Compliance” their core focus, they won’t have businesses anymore.

While we may think that security is important, the day that it surpasses the core focus of any business (that isn’t in the security and compliance business) is the day that that business has taken their eye off the ball. By definition.

Technorati Tags: Business, compliance, focus, Security