Cybertactix's Enterprise InfoSec Blog

June 16, 2013

Are You Paying Attention To Your Personal Growth?

Filed under: Certification,Education,Management — cybertactix @ 10:32 PM

Part of my weekly routine is to regularly visit LinkedIn and review the titles of the “Influencer” posts. Influencer posts are something LinkedIn started late last year, getting both widely known (Richard Branson, Jack Welch) and not so widely known personalities to post short blogs on either a variety of topics of their own choosing or themes suggested by LinkedIn. I scan the titles of these posts for things that look interesting to me and then use Pocket to mark them for future reading. On the weekends I will visit my local Panera (I use a solo trip to Panera as my reading occasion) and run through as many of the posts as I can, usually noting a couple of ideas for follow up or for recommendation to others.

One of the posts that caught my attention this week was “Three Ways To Make Personal Growth Your Top Priority” by Ram Charan. If you have had a conversation with me about your job it’s likely that the topic of self improvement has come up. One of the things I continually try to hammer home is that companies are no longer engaged in managing your career unless you are one of a select few. These days it’s difficult for them to justify too big an investment in YOUR career, since it is highly likely that you will take that investment to another company in the future. That means that you are now responsible for managing your own career, and a key part of that is ensuring that YOU make sure that your skills and knowledge are continually growing. If you cannot regularly sit down at the end of the week and list at least one new thing you have learned then you should (IMHO) take a look at whether you are in a job that is contributing to your career. In most companies it is no longer enough for you to be able to do the same job, at the same performance level, that you did last year. In this economy, in order to maintain their bottom line, companies need to be either bringing profitable new ideas/products/services into the marketplace or be more efficient in delivering existing products/services.

The way to stay ahead of the game, and therefore gainfully employed, is to be regularly increasing your contribution to the company’s bottom line or to be of enough value to another company for them to hire you into a similar role, preferably at the same or better overall compensation. And since your current employer isn’t focused on increasing your value beyond what they need today, YOU need to take responsibility for your personal growth. That can mean either a formal program leading to a degree or certification relevant to your field of employment, or an informal program that increases your relevant knowledge and abilities.

Formal programs are the easiest to find but expensive, and in recent years many companies have been cutting back on the funds they make available to an individual employee for education. Free or cheap materials are easy to come by but don’t directly lead to a diploma or certificate; that doesn’t mean you should rule them out. The lack of a framed piece of paper to hang on your office wall can often be offset by being able to directly demonstrate specific knowledge or learned skills in the workplace.

For managers looking to upgrade their ability to work in a corporate environment you would be wise to look at (actually listen to) the Manager Tools podcast series available from  The number of podcasts available can be daunting when you first visit the site, but you can use the drop down category selector to hone in on the podcasts specific to your needs. In addition to the Manager Tools podcast they also produce a podcast, Career Tools, also available on the site, to assist you with personal growth related to your career development. In terms of general self development take a listen to the original podcast on Self Development (November 11, 2005) and the podcast on how to Create A Development Plan For Yourself (November 18, 2010).

If you are not the type of person who learns well on their own and prefer to learn as part of a group you may want to check out Peeragogy, a site that stems from the thoughts of Howard Rheingold’s Regents Lecture titled Social Media and Peer Learning: From Mediated Pedagogy to Peeragogy. The site is dedicated to the concept of peer based learning and focuses on how to create a learning construct you can use to learn in conjunction with others who share a common learning interest in order to increase your knowledge and abilities.

If you would like to gain the knowledge associated with an MBA without the expense of an MBA take a look at the Personal MBA reading list, a list of 99 books which cover the core areas of business associated with an MBA. Even if you aren’t interested in an MBA many of these books should be in the library of business professionals, and this can be done inexpensively thanks to the ability to buy used books via Amazon.

If you plan to pursue an MBA but don’t have the finances and/or the time to complete one following either the traditional program or the executive program, consider a university that will allow you to gain credits for the experience you already have via Learning Counts. Learning Counts allows you to create portfolios based on your work/life experience which are submitted to an outside evaluator, who will decide whether they are worthy of credit towards an academic course.

Given the abundance of tools available for personal development today there is no reason why anyone should not be able to continually grow their knowledge and abilities, either personally or professionally, and if you aren’t growing then you should not be expecting your compensation to grow either. If you aren’t already, it’s time to start thinking about your personal growth and doing something about it.


June 11, 2013

Cyber War: It’s Real and It’s (Virtually) Here

Filed under: cyber_warfare — cybertactix @ 10:10 PM

Recently an article in Vanity Fair ( made a case for the supposition that the U.S. is engaged in a cyber war with Iran. The U.S. government has, via the FBI investigation into the leaking of information regarding Stuxnet, stopped just short of openly admitting to engaging in computer based attacks against Iranian targets, in particular the Iranian plants designed to process uranium into nuclear fuel. Although Iran has claimed that the Revolutionary Guard “controls” the fourth largest cyber army in the world, the abilities and intentions of Iran are not nearly as well known. While short on specific facts related to Iranian involvement, the Vanity Fair article does lay out an interesting case for drawing the conclusion that Iran has supported, if not actively engaged in, cyber attacks against the U.S. economy.

One of the difficulties in many cyber attacks is attributing the attack to an individual or group unless someone comes forward and claims the attack. In contrast with physical attacks in the real world (a.k.a. meatspace), the clues left behind in a cyber attack are merely digital data and easily duplicated (unlike in the physical world, where investigators rely on unique, difficult to duplicate evidence like DNA), making it easy to leave behind forensic evidence meant to misdirect investigations. Software exploits can be copied by the attackee or another party, modified and then used to attack the original attacker or a third party. Forensically the attack can be made to look identical to, or a variant of, the first attack and point a damning finger back at the original attacker. In the cyber world it is seldom possible to say with absolute certainty what the source of an “attack” is; rather one has to gather all the evidence and then postulate as to the most likely source.

Unlike conventional warfare, where physical assets are attacked and destroyed, the cyber warfare described in the article bears a closer resemblance to a “cold war” involving espionage, coalitions with other nations or groups, propaganda campaigns, and technology competitions as well as diplomatic and economic pressures. While there is no direct evidence that Iran is engaging in cyber warfare against the U.S., there is no doubt that the U.S. has engaged in cyber attacks against Iranian assets. Cyber war is real.

What does the future hold?

With the likelihood that the U.S. will look to use cyber attacks as part of its global policy arsenal in the future ( and the most likely response will be cyber counter attack, the ability to definitively attribute attacks to a specific actor(s) is the next major challenge for information security analysts in both the public and private sector. Rather than relying only on technical skills, the new breed of information security analysts will need to be a hybrid mix of technologist and intelligence analyst, capable of understanding complex computer technologies and interpreting large volumes of evidence to uncover patterns in order to attribute attacks to specific actors or nations. In the near term “kill chain” analysis and big data correlation will likely become the primary tools of the security analyst trying to fend off and identify cyber attackers. It will no longer be enough to merely deploy technology in the hope of protecting information and assets; it will be necessary for defenders to be able to “know” and understand the motivation and tactics of attackers or groups in order to try to stay ahead of strikes in the high stakes chess game that will be cyber information security and warfare.

The U.S. is not only looking to be able to use cyber attacks as a part of its global policy, it is expecting that the U.S. will be a target for cyber terrorists/warriors. In addition to buying exploits in underground markets, the Department of Homeland Security is looking to be able to share information about these exploits with “critical infrastructure” providers in order to protect the infrastructure from attackers. Unlike conventional physical weapons, which have to be duplicated in the real world (which takes time and resources) and have a virtually unlimited shelf life, digital weapons can be duplicated and sold to multiple buyers instantly but, once known by defenders, have a very limited shelf life. If the U.S. government makes knowledge of zero-day exploits available to high value targets in the U.S., the next arms race may not be the race to discover new digital vulnerabilities and create exploits; it may be the race to patch against them.

June 7, 2013

The Evolving Requirements for the Role of CISO/CSO

Filed under: Career Skills,Management — cybertactix @ 3:20 PM

If your career strategy is directed towards landing a CISO or CSO role you need to read yesterday’s post ( on Jeff Snyder’s Security Recruiter Blog. Being a CISO isn’t just about managing the organization responsible for the protection of corporate/customer information; it’s about doing so while being able to contribute to the company’s bottom line AND being able to show that contribution to peers, management and the BoD in terms they understand.

Quick Book Review: Peter F. Drucker’s The Effective Executive

Filed under: Book Review,Management — cybertactix @ 2:45 PM

I just finished this classic on management. If you make decisions that contribute to the overall goals established by your organization’s leaders but think executives are only those at the top of an organization, you need to read this book. The book was originally written, and titled, in the 1960s, long before the widespread use of computers and the explosion of knowledge workers in modern business. Read this book and learn how to be effective in your role contributing to your company and society.

February 18, 2013

What Keeps This Information Security Professional Awake at Night?

Filed under: Awareness,BYOD,Cloud — cybertactix @ 9:33 PM

Late last week I was talking with the CISO of a firm that provides support services, in the form of data manipulation and management, to financial services organizations (among others) and he asked me what information security issues kept me awake at night.

Two issues immediately sprang to mind:

  1. BYOD (Bring Your Own Device)
  2. The increasing use of Internet (Cloud) Services/Applications

The common thread with these issues is that they take security out of the direct control of the organization and place it into the hands of other parties, and not necessarily the parties you are aware of. With pressure from boards and senior management to continually cut costs in order to raise profits, many companies are looking to shed/transfer the cost of technology and infrastructure outside of their organization, and that transfer is increasingly taking the form of employee provided technology (BYOD) and the use of services hosted outside of the corporate data center. This calls for new review processes to ensure that external parties associated with these services have appropriate and contractually obligated controls in place which meet the needs and standards of their clients, as well as the implementation of new controls and processes related to how these services are used by the company. Without the right processes and controls, and clear communication to all employees regarding them, the increasing use of these services can send a message to employees that the use of such services without reviews and controls is sanctioned by the company.


Many of us now carry in our pockets more raw computing power and storage than was housed in a permanent, not mobile, data center watched over by professional physical security staff 30 years ago. And every user of these devices has a preferred device and set of applications which may not be the ones that are your corporate standard. The relatively low cost of modern computing devices means that most corporate executives have gotten used to carrying them for personal use and as a result have instant, on the go, access to their key personal data and productivity tools. This leads them to wonder why they can’t have similar access to work data and use these same tools in their work life. Just think how much easier and more productive they could be if they had instant access to their work files during the commute home, if they could carry and access work related information on an instant on, Internet connected 1.5 lb. tablet with 10 hours of useful battery life rather than lug around a 5 lb. laptop that takes minutes to boot and forces them to search for a power outlet after 5 hours of use. And of course it’s counterproductive to have to carry one device for personal use and another for work, so let’s use the same device for both. Fortunately there are a growing number of products to manage the security of these devices, providing password protection, remote wipe capabilities, encryption and preventing co-mingling of personal and work data. Now if only you could figure out how to prevent a user from leaving all that data in the back of a cab (try that with a datacenter)!

Securing the hardware is only part of the solution, however. Now that companies are giving users the option of using their preferred hardware solution, users also want to be able to use their preferred software solution as well, since there is a good chance that the corporate software solution intended to run on the corporate provided PC doesn’t run on the user’s choice of mobile device. And even if it did, how does it access the data safely stored in the secure “sandbox” created and managed by your corporate device management software? Don’t look now, but your user has probably figured out a way to make your corporate data accessible to their preferred software solution, and if they can’t make the data available to applications on the device itself there is always the web/cloud.

Web Services/Applications

The use of Internet sites by staff to support business related functions and products without the proper review/approvals of legal/compliance/InfoSec/risk organizations is becoming increasingly commonplace nowadays. As Bruce Schneier wrote in the January 15th edition of the Crypto-Gram newsletter (, end user acceptance of these sites’ terms of service/use can create unknown/unwanted issues related to intellectual property and data security for the user’s organization. Someone in the organization decides that the tools provided by the organization aren’t the ones they want/need to get their job done and they sign up for the hot new website on the Internet that provides a “better” tool. As part of that signup they check the little box that says they agree to the terms of service for the site. If they happen to be high enough in the organization (and in many organizations it’s not as high up as you might think) they have just bound the organization to those terms without any sort of review by the organizational functions (legal, compliance, information security, risk management) that would review a contract if there were financial payments being made. Many new software startups do not have their own datacenter or even their own systems, and even if they did, their datacenter could be in someone’s basement or a convenient closet. Instead it is common practice to host a startup’s website in the cloud, where initial costs are negligible and scaling up the infrastructure is quick and easy. And how many startups have the organizational structure in place to ensure the contract they signed with a service provider has adequate review from knowledgeable legal, compliance, information security and risk management professionals? How concerned are they with the backup, security and availability of the data and services your business may grow to rely on, not to mention patching and vulnerability management?

I recently ran across a case where it was discovered that a company’s staff were using a third party for a key project deliverable. Communication between the corporate staff and the third party was occurring via a 4th party application being used to store and manage the key deliverable. When the company’s information security staff asked the third party about their contract with the fourth party they were directed to the site/application’s Terms of Service; no contract had been negotiated, the third party had simply used a credit card to pay for the service and therefore accepted the terms, which laid out a “best effort” basis for protecting and backing up the data, without the benefit of a legal/compliance or risk review. A review of the 4th party site indicated that the site/application was managed by a fifth party who did not indicate whether it was hosted in their own data center or on a sixth party’s service. You can see how quickly this whole project was headed down a rabbit hole.

How can Information Security Professionals Worry Less and Sleep Better?

No matter how much technology a corporation puts in place to protect data, it’s always going to be possible that the data protected by that technology will be made insecure. The problem with current technology solutions is that they are designed to protect data under a specific set of parameters, and the ingenuity of the company’s employees will always come up with ways to defeat the technology solution. In many cases the reason that security/controls are bypassed isn’t a hacker with malicious intent; it’s an employee with good intentions but a lack of understanding as to why security controls exist and the implications of their actions to defeat those controls and make systems and data available so that the employee can be, at least in their mind, more effective and productive. A good “security education” program that helps to embed an understanding of the necessity for including good information security practices in everyday processes and procedures, so that information security awareness becomes part of the corporate culture, can be one of the most effective tools in an information security professional’s toolbox.

February 16, 2012

Relationships Matter

Filed under: Career Skills — cybertactix @ 10:10 PM

Tonight I got a call from an “old friend” who happens to be a security recruiter. When I say “old friend” that’s not a precisely accurate statement; we’ve never physically met, only spoken on the phone, and that has only been for the past couple of years. He just seems like an old friend because we get along so well and I enjoy the phone calls, which are a mix of personal and professional items. When he called tonight we spoke about his health issues and his children and also about what he has been up to professionally. While we haven’t known each other long we have built a relationship which allows us to be frank with each other.

Part of tonight’s conversation was about relationships and the soft skills that are required to move ahead at the senior levels in a company; the larger the company, the greater the role soft skills play. For a security professional a good mix of technology background and security mindset will get you started and certifications will definitely help your career, but eventually you will hit the wall and the only way through it is by having the relationship skills that allow you to open what is otherwise a locked door. Unfortunately most companies focus all of their training budget and resources on improving technical skills and certifications. They tend to leave soft skills like relationship building and managing staff aside until you reach a level where they are for all intents and purposes absolutely mandatory.

I recently spoke with another friend who was promoted to a senior (Managing Director) level last year. He is now heading a security operations unit with a staff of several hundred and was told he has to attend management training. He shared the pre-class assignment for the first session, a case used by the Harvard Business School. It dealt with a senior manager who, after two years of running a very profitable division, had some time for reflection and was troubled and wondering if he was doing a good job of leadership. After reading the case study I saw a number of issues with it, most of which were related to how he was (or actually wasn’t) involved with the people who reported to him. What really troubled me though was that this assignment, which dealt with the basic “blocking and tackling” of being a manager (i.e. building a relationship with your staff), was the first real management training that this Managing Director was getting from his company. Don’t get me wrong, the company had provided him with training required to do his job, things like how to fill out the staff review forms and deliver the review and associated compensation information, but they hadn’t taught him the basics of building relationships. Fortunately for him, unlike many technologists, he was a natural at it.

If you are at all concerned about your career you need to be concerned about your soft (non-technology) skills. Your ability to work collaboratively with your peers (when you reach senior levels those below you will refer to your ability to collaborate as “playing company politics”) and to build relationships are the keys to the executive washroom. The technical skills that were important in your role as a technologist become less important in your role as a manager, where the key skills include the ability to motivate others, and as a senior manager, where you need to get others to work with you and not against you. For many these skills do not come easily; for me it is a constant task to take the initiative to meet others, shake hands, remember names, and smile, but it is necessary in order to move forward in my career path.

And if you are thinking about switching jobs, the ability to build relationships is a key factor in continued success. When you are considering switching, take an objective look at your position. How much of your current success in the role is a result of your technical abilities and how much of it is your ability to influence or work collaboratively with others? How effective will you be in a new role, division or company without the relationships you built in your current role, division or company? When you are thinking about investing in your future don’t just think about investing in the more tangible things like technical skills and certifications; think about investing in the intangibles, relationships and the soft skills required to build them quickly and effectively. Relationships matter!

January 9, 2011

Personal InfoSec Certification: Which 1st?

Filed under: Career Skills,Certification,CGEIT,CISA,CISM,CISSP — cybertactix @ 4:38 PM

One of the questions I often see on the groups I am part of on LinkedIn, and a question I am also asked by fellow InfoSec professionals and auditors is “which certification is easier to pass, CISSP, CISM or CISA?”

BLUF (Bottom Line Up Front): It depends… on what your professional background and experience are, and in some cases on your lack of experience.

My background is technical. I provided support for a number of years to banking trading floors, not the open outcry trading pits of the commodities exchanges or the NYSE, rather row upon row of traders with a phone in their hand bent over screens that are constantly flickering as the commodities or stocks they follow change prices and their own “books” (records of the financial positions they hold) are updated to show current value. In order to keep all of this running (downtime can quickly result in large losses) I had to become a jack of all trades in technology (voice, market data, personal computers and desktop workstations, servers of all types, mainframe communications, and multiple network media and protocols). Much of my knowledge was picked up on-the-fly from rubbing shoulders with people, usually vendors or consultants, who specialized in each of these areas, interspersed with occasional whirlwind classroom training sessions.

As things got more complicated more staff were needed to keep all of this running, and because of my breadth of knowledge I found myself “managing” the help desk for a large trading floor. Due to an audit finding I was suddenly “promoted” to Information Security Officer and put in charge of re-building an InfoSec program that had been un-monitored for several years. As a result I got a crash course in information security, which was an eye opening experience. Once the program was on track I turned over BAU to an unwilling associate (her words of “I don’t know anything about information security” were met with a “Steve will teach you” response from management) when the Continuity of Business expert was stricken with a sudden (and ultimately fatal) illness. When management decided that we needed to have certified staff to show the regulators that we took InfoSec seriously, this experience combined with my technical knowledge gave me the necessary background to be able to pass the Certified Information Systems Security Professional (CISSP) exam. Over a year prior to taking the exam I took a one week (40 hour) CISSP exam prep course to help me focus on the elements the exam was likely to cover, but seeing as this was the first exam I had written in quite a few years I was hesitant to take the exam.

As part of changes being put in place to meet greater demands from regulators and the marketplace I became more involved in developing compliance monitoring processes and ultimately in helping to develop risk based models for governance. Moving from a model of “OMG there’s a vulnerability, we have to fix it” we began to focus on “what is the risk and what will it cost to fix it/should we fix it/what are the compensating controls?”. This is the essence of risk management, and this, along with a corporate focus on becoming partners with the businesses we supported and understanding/working to meet their requirements, gave me the basis of the knowledge I needed to pass the Certified Information Security Manager (CISM) exam. Two months prior to taking the exam I took a one week (40 hour) CISM exam prep course to help me focus on the elements the exam was likely to cover.

As a result of all this experience I qualified to be grandfathered into my CGEIT (Certified in the Governance of Enterprise IT). The grandfathering process didn’t require me to take an exam, but it did require that I provide ISACA with an essay on my significant experience across the various areas covered by the CGEIT knowledge base.

In December of 2009 I took my Certified Information Systems Auditor (CISA) exam. In preparation for this, starting two months before the exam, I took a 40 hour (5 weekends) course with my local ISACA chapter. In addition to the course I called on my experience as an Information Security Officer, a role in which I had to detect, assess, report and provide guidance on remediating broken/ineffective processes and technology, then start all over once the remediation action was taken; in essence, auditing without calling it an audit. Because of my experiences it wasn’t difficult for me to master the material, although it did require me to stop and change my mindset somewhat to see all the questions from the point of view of an auditor.

While all of my experience in technology and InfoSec was a huge benefit in taking these exams, it was also a hindrance. All of my experience was colored by the corporate environment in which I work, by our policies, our standards and our culture. These were all things which the certifying body can’t take into account when scoring my answers. The thing to remember when taking any of these exams is that no matter what you think the answer is, the only one that counts is what the certifying body says it is. During my preparation for the CISA exam I was in a class with a number of seasoned and experienced auditors, some of whom had taken the exam previously but not achieved the passing score. One told the story of how, when her company mandated that staff take training and attempt the exam, several interns still in college with no audit experience decided to study for and take the exam. The result: a number of the experienced auditors failed but the interns passed. Why? Because the auditors’ answers were colored by their own experiences while the interns’ answers were straight out of the material provided by ISACA, without the benefit of any practical, real world experiences.

So before you ask which certification is easiest, perhaps you should ask “which is most appropriate to my current or future role?”; chances are that is the certification that will be easiest for you.
