An Information Security Place

Commentary on the State of Information Security
New talk – The Solution vs The Silver Bullet

by Michael Farnum on April 18, 2013 at 12:13 pm
Posted In: Accuvant, Conferences, Presentations

I have developed a new presentation that I gave for the first time yesterday at the Texas Technology Summit in Houston. The title and synopsis are below.

Title: The Solution vs The Silver Bullet (or InfoSec Industry != InfoSec Practice)

Synopsis: The information security industry and information security practice are two concepts that should not be confused. The industry is for making money. The practice is for securing your organization. While the two certainly overlap on a Venn Diagram, there are large areas where never the two shall meet. The infosec practitioner needs to know how to discern where the practice stops and the industry starts. Otherwise, the Silver Bullet mentality will take over, and the practice becomes unmanageable. Join Michael on this talk to discover how to start down the path of discernment. Michael will give practical ideas on dodging the Silver Bullet cycle or getting out of it if you are there already.

The Texas Technology Summit is more of a general IT show with a good amount of security focus. I picked that venue for this talk because I wanted to test the talk first on that kind of general crowd. I wanted to see if it resonated with folks who might have security as a part of their job, but not be solely focused on security. Turns out that it did. I had great feedback that addressing security as a complex system rather than a checklist helped them with their approach to building a security program. I also talked about determining your organization’s current and desired security maturity levels, and using that data to help make decisions. That was also very well received.

I did have a couple of people at the show who are straight security professionals who I know and respect. They were very positive about the talk as well. So now I am going to try it on a security-focused crowd at NAISG DFW next week. We’ll see how it goes there. I may do a bit of tweaking between now and then, but overall I am happy with the talk. I’ll post a recording if I get one while I am there.

Innovation Sandbox at RSA – a Lesson in Security AND Oratory Skills

by Michael Farnum on March 4, 2013 at 10:04 pm
Posted In: Security

While attending the 2013 RSA Conference last week, I took a chance and attended the presentations in the Innovation Sandbox Showdown. If you haven’t been to these or aren’t familiar with them, this is where security startups show their wares to a panel of venture capitalists and infosec experts for the title of “Most Innovative”. The catch is that each vendor representative has 3 minutes to do a presentation about their company. After they finish, they have 2 minutes to answer questions from the panel. These time limits are STRICTLY enforced, meaning that the mic is turned off when the time ends. No exceptions.

As I watched the showdown, a couple of points started forming in my head. The first was from the standpoint of a security professional with an interest in new security technologies. The second was from the standpoint of an orator. So let’s start with the first one.

First – The Security professional

Each of the vendors seemed to attack the big issues of today, like cloud, malware, browser security, BYOD, etc. But you know what? I’m just a little tired of it all. Every year, we have more vendors. And every year, they fall away. And as I write this section of this post, I just want to stop and scream. So many products, and I keep getting reminded of Jeremiah Grossman’s post about increasing the attack surface with more security products. Yes, I know this doesn’t exactly equate. Just because a product comes out doesn’t mean you are going to put it in your network. But there is this overload that has been coming and coming, and we have reached it.

So many of these issues – like BYOD – can be fixed using stuff you have in your security toolbox now. That doesn’t mean there isn’t a need for point products sometimes. But like Jeremiah said, bad guys shift tactics. And the more products there are guarding your network, the more they look for holes in those products. So it is smart to look at what you have and be smart about what you buy for security. Yes, we need innovation. But innovation is not limited to product vendors. You can innovate within your own enterprise. You can act differently, be more proactive, watch more closely, and use the tools you have. Let’s stop the cycle of buy, install, follow the shift, buy, install, follow the shift. Start hardening, start reviewing your risk, start learning your business, start determining your gaps, start creating a program.

Are there problems that can only be solved with a new product? Probably. But first we should start doing things right instead of perpetuating the fraud that we have to constantly rely on others to innovate for us.

Second – The Orator

I have performed quite a few talks over my career. I have talked to fairly large audiences (200-300), and I have spoken with small, intimate audiences. Both have different challenges. With those talks, I have had plenty of time to prepare for the presentation. I practiced my talk, polished my slides, and then ran through it again. I have also done Toastmaster-like events where you have a random topic, little time to prepare, and only a few minutes to talk. The Innovation Sandbox has elements of both. Like Toastmasters, you don’t have a lot of time to talk. But like typical talks, you have time to prepare for the talk (i.e. practice), and you have time to polish the message.

    Prepare, Prepare, Prepare – then Prepare Some More

Bobby Unser (Al Unser’s brother) said, “Success is where preparation and opportunity meet.” What struck me was how little the speakers seemed to prepare, and how badly their presentations were done. Even with this huge opportunity to speak in front of a crowd that could possibly spell success for their company, they did not prepare. I just don’t get that.

    Polish

Run the presentation with folks outside your company. Don’t talk in the echo chamber, or all you will get back is people saying it is great, it is wonderful, we’re gonna kill the ball with this presentation. Seriously people, you must let others hear the talk. Get feedback. Figure out where you’re doing stuff wrong, where you can adjust. Figure out how to get your message down in 3 minutes. And some advice: if you let others hear your stuff and they have no criticism, there are two possibilities: your presentation is phenomenal, or you picked the wrong people to listen to your presentation. In the immortal words of Sheldon Cooper, “Of those two scenarios, which one do you think is more likely?”

    Attack the Problem

Many wanted to talk more about their management team, like a great management team was all your company needs to attract venture capital or get people’s attention. I get that it is probably a factor, but as someone pointed out on Twitter (paraphrasing because I can’t find the tweet): “If your management team is famous, they need no introduction – if they’re not, they still don’t.” In other words, focus on the perceived problem and how you solve it. I had a really hard time figuring out a lot about their companies with the presentations. Most of my questions were answered when folks on the panel started asking their questions. That is fail-city in my book.

All right, I’m done ranting. I feel clean again. For now…

Tags: Innovation Sandbox, RSA
Evangelism and Projecting your dislike of religion

by Michael Farnum on May 23, 2012 at 10:35 am
Posted In: Bull Shiitake

Wake up people, you are falling into the same old theistic behavior that we all as evolved sentient beings should eschew, nay, …loathe. INFOSEC is not a religion and YOU are not the FUCKING POPE ok?

That’s a quote from Krypt3ia on his blog entitled “Infosec is not a religion”. He says this in his rant about the use of the term “evangelist” in security.

Krypt3ia is even nice enough to define the term for us. Now I know Krypt3ia is smart enough to know that a term can be used creatively so that it does not fall into the traditional use of the term. But his obvious hatred of religion (displayed by the quote above) doesn’t allow him to get around this, and it is unfortunate.

Is the term overused? Yes, I think it is. That is why I chose the title “Advocate” instead (thanks to Michael Santarcangelo for the help with the title). Has it turned into a buzzword of sorts? Maybe. But should people who have the title of evangelist be ashamed somehow? No, they shouldn’t. Should people who “take” that title for themselves be ashamed? No. It might be a little corny to take it for yourself, but it is not something to be ashamed of.

If someone is using the term “improperly to suit your needs of being center stage and telling everyone from the fucking mount what ‘they’ should be doing” as Krypt3ia says, then why is he throwing his bile against only this term? Plenty of people put themselves forward as experts who are far from it, and they don’t always call themselves evangelists. Plenty of people want center stage (I’m not immune to that, and I’m pretty sure Krypt3ia is not immune either if his diatribes are any indication).

This is really just a case of projection. Krypt3ia doesn’t like religion, and he can’t stand to see the term used so much. It irritates him, so he blows up (he does that a lot, which is part of his charm). And while my use of the term “psychological projection” is not an exact fit for the clinical definition, I think I can use it here to fit my desired message, which is: Get a grip dude. It is just a term.

Tags: Evangelist, Security
An Information Security Place Podcast – Episode 04 for 2012

by Michael Farnum on May 21, 2012 at 8:57 pm
Posted In: Security

Holy crap, we recorded an episode. That’s all I got to say about that…

Show Notes:

InfoSec News Update –

  • Howard Schmidt is Retiring – Link Here
  • Vulnerability Stats of Publicly Traded Companies – Link Here
  • Tool Update – Threadfix from Denim Group – Link Here
  • The Mission Impossible Self-Destructing SATA SSD Drive – Link Here
  • The WAF Wars – Link 1 / Link 2 / Link 3
  • PwnieExpress Releases PwnPlugUI/OS 1.1 – Link Here
  • App for scanning faces to gauge age at bars – Link Here
  • Business Logic Testing defined – Link 1
  • ErrataSec – Wants your hotel PCAP Files – Link 1 / Link 2

Discussion Topic –

  1. Should specific security efforts be validated when the program as a whole is crap? Link Here

Music Notes: Special thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

Tour Dates:

  1. June 1 – Dallas – Curtain Club

Intro – RivetHead – “The 13th Step”
News Bed – RivetHead – “Beautiful Disaster”
Discussion Bed – RivetHead – “Difference”
Outro – RivetHead – “Zero Gravity”

Link to MP3

An Information Security Place Podcast – Episode 03 for 2012

by Michael Farnum on February 23, 2012 at 11:17 pm
Posted In: Security

Today’s show is Michael interviewing Kevin Riggins. Kevin is an Enterprise Security Architect for a Fortune 500 financial services company. Kevin and Michael have some great conversation about Kevin’s job, what he is doing at RSA, where he blogs, the book he coauthored, etc. (look below in the show notes for links to everything).

Then a fun discussion starts about cloud, risk, mobility, risk in the cloud, risk in mobility, risk of mobility integrated with the cloud, and so on. Good stuff all around.

Here are some links to stuff about Kevin and other stuff we talked about in the show.

  • Management Team Member for the Society of Information Risk Analysis – link
  • Coauthor on The Cloud Security Rules – link
  • Kevin blogs at Infosecramblings – link
  • Twitter pages – link and link and link