Archive for the 'Friends' Category...
Filed under Accuvant, Blogging, Blogging Buddies, Friends, Security, Security Consultation
There’s a new security blog out there, and this one is another Accuvant employee (so you know it is going to be good).
His name is Jim Broome, and his blog is called Jim’s Bloggyness. Jim is an Assessments Team Lead at Accuvant, and he is one smart dude. Here’s his profile:
Jim Broome, an information security industry veteran with over a decade of experience in the field, is a Principal Consultant with Accuvant’s assessment team and also acts as the technical lead for the assessment practice area.
Accuvant is a leading national security consulting organization that designs and executes strategies to address its clients’ complex information security challenges. Jim’s role is to provide world class security consulting services to Accuvant clients while still providing technical leadership to the assessment team as a whole.
Experience
As one of Accuvant’s more seasoned assessors, Mr. Broome has performed a number of consultative engagements including enterprise security strategy planning, risk assessments, threat analysis, application assessments, network assessments and penetration testing, and wireless security assessments for a large number of Fortune 500 clients. These clients represent a variety of markets including manufacturers, telecommunications (cellular and traditional), public utilities, healthcare, financial services, and state governments.
Prior to joining Accuvant, Jim was a Principal Security Consultant for Internet Security Systems and a member of the X-force penetration testing team. At ISS, he was responsible for providing technical leadership to the Western Region consulting practice while performing his day-to-day duties of performing network assessments and penetration testing. Prior to ISS, he was the Director of Network Operations for Cavion.com, a managed service provider exclusively for credit unions. At Cavion.com, Jim was responsible for managing the network operations staff and security organization while maintaining 99.999% uptime.
Notable Accomplishments
With a been-there-done-that attitude, Jim is a constantly sought after consultant, due to his extensive level of knowledge in most areas of security implementation and management from both a technical and managerial level. As one of the original authors of several training programs including Checkpoint Software’s CCSA/CCSE program, Jim is a well regarded security/technology instructor and mentor to many administrators and IT management organizations.
Since coming to the Accuvant organization, Jim has been responsible for establishing and standardizing many of the solutions and techniques employed by the Assessment practice. This provides our clients with a level of consistency that is unparalleled in the industry and establishes Accuvant as the premier security services company.
Certifications and Training
Jim is a Certified Information Systems Security Professional (CISSP); Checkpoint Certified Security Engineer (CCSE); NetScreen Certified Security Associate (NCSA); ISS Certified Engineer
Professional Education
BS in Computer Information Systems from Trinity College and University
Welcome to the blogosphere Jim.
Vet
Posted by Michael Farnum on Saturday, October 20th, 2007
Filed under Business of Security, Friends
I have always been hesitant to use friends within companies as a means to getting business. I just think it is a very dangerous move and can kill the friendship along with the business deal if something goes south.
I have had two instances of this happen this week. One involves a former coworker of mine. She now works for a fairly big organization here in Houston, and I knew that if I could get them as a client, it could have some nice rewards. However, I just did not want to start asking her to set up appointments and all that for fear of seeming like I was using her. So I stayed away. I knew that she was somewhat aware of what I did and what Accuvant did, so I decided to just let things fall where they may. Well, she actually contacted me a couple of weeks ago through our former boss (she couldn’t find my contact info - said the cat ate it). And now it has turned into a full-fledged opportunity to do some business for them, and I just have a great feeling about the gig. They need a lot of what we provide as far as services and products, and her coworker (the security guru) seems to really want to meet with us.
And then there is another company down here in Houston that is just an absolute monster. They are all over the US and Canada, and Accuvant has been trying to get in there for some time now. But we just could not get them to give some love. Well, I have a friend that also works at this company at a very high level in security, and I knew I could probably get in the door. However, the same thing applied. I just don’t want to be that person who tries to use my friends for gain.
Well a few weeks ago someone approached me about a possible PCI opportunity. He had a client that needed some PCI scanning services. He had met one of the Accuvant founders at an event and learned what we do (we are QSA certified, are certified scan vendors, and we do PCI gap analysis work) and thought we would be a great fit. There had been a couple of people he had brought in before us, and they had fallen flat on their face. We walked in, and now we have the business. Granted, PCI scanning is not huge money. But we proved ourselves by impressing the very friend that I refused to use.
I am not saying it is wrong in all circumstances to use friendships for business purposes. But as a general rule, I just am really hesitant to do so. And with these two instances, I have found that if you don’t use the friend and you end up getting in and proving yourself and your company anyway, then it is that much more rewarding.
Vet
Posted by Michael Farnum on Thursday, October 11th, 2007
Filed under Blogging, Blogging Buddies, Friends, Fun
Why do Alan and Mitchell call the Still Secure, After All These Years blog and podcast “SSATY” instead of “SSAATY”?
Is there a conspiracy against the letter “A”?
Do they not like the letter “A”? I would think not since it starts Alan’s first name and also starts Mitchell’s last name.
Does it help Alan cut costs to leave out the extra “A”? Maybe so since he has recently announced a very successful quarter at his blog.
Did the blatant pursuit of fame and fortune drive the “A” away?
Did the “A” drive away in a cab after Alan pelted it with racist comments?
I should probably just ask Alan and Mitchell, but that would be too easy.
Vet
Posted by Michael Farnum on Wednesday, March 28th, 2007
Filed under Blogging Buddies, Catalyst, Friends, Security, Security Education
I just finished a post at my Computerworld blog about grassroots security. Basically, I am talking about securing the Internet by securing the typical user. So now, I am going to say much the same thing, but I am going to use a different metaphor. It is in the title, but I will draw it out a bit here.
Have you ever worked at an organization that takes safety seriously? Or have you ever been a firefighter? What is one of the things they teach you about putting out a fire? That’s right - you aim at the base of the fire. Spraying water at the tips of the flames don’t do jack!
So this is what the Security Catalysts group is all about. A part of that initiative (actually, a really BIG part) is teaching the regular user what is going on with security and how they can secure themselves and help secure the community. So, starting out this initiative is Michael Santarcangelo’s first production of a series of vidcasts called the Family Security Series.
This is a very important first step in a very important project. Please think about ways you can help this effort, even if it is a local and independent movement. But I would also ask you to consider joining the Security Catalyst forums so we can pool our efforts. And even think about applying to join the Trusted Security Catalysts as well. It doesn’t cost anything. All you need is a good security background and a passion for security.
We are trying to make a difference. Consider joining the team.
Vet
Posted by Michael Farnum on Monday, March 5th, 2007
Filed under Blogging, Blogging Buddies, Friends, Fun, Security
[Updated post - I added quite a bit]
I am about to leave the RSA conference. I am a little disappointed that I was not here all week. The last two years I arrived Monday and left Friday and got to go to all the sessions I could make it to. But that was when I was an Information Security Manager for a non-profit psychiatric clinic. They were used to sending doctors and their execs to conferences, so it wasn’t a foreign concept to them. Now that I am a presales SE for a security consulting firm, I have to make sure I am available for meetings and such as much as possible.
I really am grateful that I am here at all this year. I really came in just for the security blogger gathering, and I wouldn’t be here at all if it wasn’t for that. Of course, I did meet with a potential client while I was here, so I feel much more justified.
Speaking of the blogger gathering, I have to agree with Martin that it was a great event. I loved meeting everyone that I have been IM’ing and emailing and podcasting with for a year now (BTW, my blog is almost 1 year old - Feb 24, 2006 was my first post). My favorite part had to be the big bear hugs I got from Alan Shimel and Mitchell Ashley at StillSecure (the most exciting event of the evening was the cab ride from the Thai restaurant to my hotel, but I will give Alan a chance to blog about that first). Those two guys crack me up, and they are really cool guys.
I also finally got to meet the great Mike Rothman. I like that guy a lot.
I also got a thrill when I met people that said they read my blogs. I agree with Alan when he comments on how flattering it is to have someone say they read and actually value what I write.
I also enjoyed meeting Cutaway from Security Ripcord. That guy is as down-to-earth as you get. Just a good guy who doesn’t put on any airs. He’s a Marine (some would say former Marine, but once a Marine always a Marine). I was in the Army, so we inevitably end up talking military stuff. If you add Martin to the mix (ex-Army), it really gets deep.
One other person I really enjoyed meeting was Washingtonpost.com’s own Brian Krebs, who writes the Security Fix blog. Brian is a celebrity in the security world because he writes for such a distinguished publication. But he is also respected by security professionals because he writes some good stuff and knows what he is talking about. And he was a nice guy, and he was also humble. I had to thank him personally for the great job he did of exposing the scandal with the Connecticut substitute teacher that was convicted for exposing her students to pornography (here and here).
Some other big names that were there:
Bruce Schneier - It was pretty cool to actually get to introduce myself to him. I’ve met him, but only quickly at shows and at a book signing. This was more personal.
Richard Stiennon - VERY nice guy. And all we bloggers thank him and Fortinet for sponsoring the event (we thank Microsoft as well).
Rich Mogull - Gartner man himself. Another down-to-earth and very likeable guy. And he is a second dan in taekwondo.
Ron Gula - It was a pleasure to meet Ron as well. Another good guy who could easily be arrogant but was not.
There are others, and I don’t mean to leave anyone out. I just can’t remember everyone. Suffice it to say that this was a group of people who were just excited to meet a bunch of peers and talk about security (though I don’t think we talked about security as much as we just BS’ed and had a good time networking).
Vet
Posted by Michael Farnum on Thursday, February 8th, 2007
Filed under Blogging Buddies, Friends, Security
It is rare these days to meet a person with true vision. I mean a person who can just look at a topic and instinctively know what it would take to succeed in that arena. It is even more rare to find a person that is also passionate about the topic to which they are applying their vision. And the rarest find is a person who has all of the above AND the nerve and the fortitude to actually try to do something with that vision and passion, all the while inspiring others to join up and do the same.
Well, my faithful readers, I have found one of these rare people. Many of you know Michael J. Santarcangelo, II. Known affectionately as Santa to some (play on the name for you thinking he’s fat and jolly and has a white beard and rosy cheeks and… you get the idea), Michael is founder of The Security Catalyst blog and podcast. Instead of writing a bunch of stuff about him, here’s his bio from the above site:
One of the top rated and most requested speakers on security issues and certification training, Michael is a coach, consultant, professional speaker, and leader active in reshaping the future of information security. His rare approach of blending multiple disciplines together allows him to connect with audiences around the world as he invites people to think differently. He brings this passion and energy to podcasting as the Security Catalyst and works to explain and demystify security so everyone is able to protect themselves.
Michael is the catalyst behind Security 2.0. In addition, he is the founder of the Catalyst Community, The Trusted Catalysts, Security School House (announced September 2006) and was the founding President of the Tech Valley (New York) ISSA Chapter. Michael holds a Bachelor of Science Degree in Policy Analysis from Cornell University.
Now, before you people start wondering if I have some unnatural attraction to Michael, let me state that I am writing this (and will be writing more) because I believe Michael knows the sad state security is in nowadays and really wants, even needs, to do something about it. How do I know? I’ll tell you how!
Michael has brought together a group of security professionals (including yours truly) to form a group called The Trusted Catalysts and the Catalyst Community. In joining The Trusted Catalysts, I have conversed with Michael via email and chat, and I thought he had a good vision. But then I actually got to talk to Michael on the phone yesterday, and it truly struck home just what Michael is all about. The guy had so much to talk about he seemed about to burst at the seams (I don’t mean that in a bad way - I asked him to explain what all he had in mind for the Catalysts, and I got it). He is a wealth of information and experience, and he wants to give that away. He’s not a selfish person who wants to be the one guy who knows it all and people have to come to. He wants to genuinely help the security community. I guess I stand corrected. That is the rarest kind of person.
I am saying all this because I want to give you a heads up if you don’t know about Michael and the Catalyst Community. You need to watch the Catalyst Community over the next year and the years to come. I think this community will grow, and I think it will become a tremendous force in the security industry within a few years. And with Michael’s vision and inspiration, it will be a truly positive force, unlike what one security focused organization has become - I won’t name names, but it starts with “(” and ends with “2”.
Thanks to Michael for his passion, vision, energy, candor, and unselfishness. I hope I didn’t embarrass you too much. And I like the hair (or lack thereof).
Vet
Posted by Michael Farnum on Friday, January 12th, 2007
Filed under Friends, Fun
I have been blog-tagged by Ian Lamont, the Online Projects Editor over at Computerworld. I have mixed feelings about this stuff, especially since this is an information security blog and I am supposed to be guarding information. But it seems harmless enough. So, in the holiday spirit, I guess I will play along.
I am supposed to reveal 5 things about myself that few people know:
1. I drove an M1A1 Abrams tank with the 1st Infantry Division in Desert Storm
2. I was awarded the Army Commendation Medal (ARCOM) for assisting in the capture of a POW during the clearing of an enemy bunker complex (don’t ask me why they had tankers doing this instead of infantrymen). He was hiding to avoid capture and came out with his gun drawn when we got close to his hiding spot. He decided against trying to shoot and run when he saw 5 American soldiers pointing M16’s and 9mm Berettas at various points on his anatomy.
3. I graduated seventh in my high school…out of 86 people.
4. I worked in a head shop in Manhattan, Kansas (in Aggieville, home of Kansas State University) when I was in the Army stationed at Fort Riley, Kansas. I was the only person who didn’t have long hair. No, I did not smoke weed or do any other drugs while I was in the Army. The people who owned the shop were just real cool.
5. I read novels voraciously, but I have to force myself to read nonfiction (except for engaging biographies and military / war stories).
So, now that I have told my deepest, darkest secrets, I am supposed to blog tag 5 other people. Not sure how some of the people I know will react to being blog tagged, but oh well.
Martin McKeay, Alan Shimel, Mitchell Ashley, Mike Rothman, and Michael at mcwresearch.com (not sure if he wants his last name posted).
Vet
Posted by Michael Farnum on Friday, December 29th, 2006
Filed under Blogging Buddies, Friends, Fun, Me, Security, podcasting
Alan and Mitchell at the StillSecure After All These Years podcast interviewed me last week for their podcast. It is up here at Alan’s site and here at Mitchell’s site. I gave an update on my move to the channel, about honesty in selling security, the converging of the security professional and the general IT professional article I wrote at CW, and some other stuff. It was fun.
Thanks to Alan and Mitchell for having me on again. I really enjoy talking about myself, as anyone can plainly see, and Alan and Mitchell actually seem to genuinely be interested in the people they interview. They are two great guys that I hope to meet soon at the RSA Conference security blogger gathering (not sure if Mitchell is going to be there, but I know Alan is going to show).
Thanks for the kind words, guys. You are two class acts.
And Alan, notice that I did not alter the picture in any way! Or did I?
Vet
Posted by Michael Farnum on Tuesday, December 19th, 2006
Filed under Blogging Buddies, Business of Security, Friends, Security, Security Education, Security Management, podcasting
I forgot to mention that I was a guest panelist on Alan Shimel’s SSAATY podcast last night. This was a great panel. I had a great time, and I think we really hit some key points and offered some solutions to security admins and managers out there that need some help selling security to execs.
The panel consisted of yours truly along with Martin McKeay (Network Security Blog, ComputerWorld), Bobby Dominguez (Sykes) and Mike Rothman (SecurityIncite, NetworkWorld). It was hosted by Alan and Mitchell, two of the best podcast hosts I know, and though I have never met either face to face, I know they are both good guys.
One person that was scheduled but ran into some emergency security management duties was Michael from mcwresearch.com. I understand why he couldn’t be there, but I really missed his insight. I would have loved to hear some of his horror stories.
BTW, I was VERY impressed by Bobby Dominguez. I have never talked to Bobby, but I figured out very quickly that he has a vast amount of experience, expertise, and just plain ol’ smarts. You REALLY need to listen to this guy. Hopefully he will start a blog soon himself. He has a lot to offer the community.
Martin is always good to have on a discussion like this because he has a lot of experience in this area. He never ceases to impress.
And Mike Rothman, well…, he’s Mike. What else need be said? And we actually agreed on something in the podcast, if you can believe it! Actually, Mike and I agree on a lot of things. We just like to disagree to make it exciting.
And of course, there’s me. ‘Nuff said!
Anyway, the podcast should be up soon. Go look for it in the next few days at Alan’s blog.
Vet
Posted by Michael Farnum on Wednesday, September 20th, 2006