Archive for August, 2011

Aug 27 2011

Fighting a bad habit

Published by under General

I have had way too much experience changing jobs and adjusting to new workplaces.  Over the last decade I’ve worked at six different companies, only one of which have I lasted at for more than two years.  In and of itself, this isn’t necessarily a bad thing, since job changes are common in the security arena and every one of these job changes has been a step up or an escape from a situation that was not beneficial to my mental health.  My latest change from being a Qualified Security Assessor at Verizon Business to becoming the newest Security Evangelist at Akamai was an escape as well.  I wasn’t escaping from Verizon, a company and group of people I can honestly say I enjoyed working with, but rather a (partial) escape from working in a compliance framework I was completely burnt out on.  Four years as a QSA is more than anyone should subject themselves to, but that’s a post for some time when I’ve recovered more thoroughly from the experience.  And the act of changing jobs frequently isn’t even what this post is about; it’s about one of the bad habits I’ve developed when changing jobs.  It’s about going silent on the blog and pulling back into myself while I figure out where I’ve landed.

I have a voice in the community.  I’d be guilty of false humility if I didn’t admit it was a fairly big voice.  I’ve been doing this for a long time, which in and of itself creates an awareness in the community and frankly, I sometimes have some points worth committing to digital paper.  But when I started blogging, no one knew who I was and no one I worked for had any awareness of what a blog was or what sort of impact it could have on a career or on a company that employed a blogger.  Quite frankly, eight years ago I was just another faceless guy managing an IDS and web filter.  I had some ideas I wanted to throw against the wall in order to see what stuck and to have people pick apart so that I could learn and strengthen my understanding of security.  I didn’t realize at the time that blogging would be instrumental in forming my career and putting me in touch with security professionals around the world.  I also didn’t realize that employers might read my blog and make decisions on whether or not to hire me based partially on my writing.  I also didn’t realize that blogging could affect my employer and get me fired.

I’ve learned a number of lessons about blogging the hard way.  I’ve learned that no matter what I think I’m writing, what’s important is how other people are reading it.  There have been a number of posts over the years that I thought were just throwaway ideas that somehow struck a chord with a huge number of security professionals.  More often, there have been posts that I thought should provoke a major outcry by readers that went out with barely any notice at all.  I still don’t completely understand the difference between the two.  But in both cases, I’ve realized that people are reading and judging what I write, for good and for ill.  And when I write something people read, it can get back to my employer.  I know of at least one job I left, at least in part, because of something I wrote on the blog.  I also know of at least two roles I’ve been offered directly because of my blogging, podcasting and social media experience and voice, including my current role.  Overall, I have enjoyed a huge positive impact on my life due to the blog and I will not give up on it.

But one of the bad habits I’ve picked up because of my negative experiences has been going silent when I start a new position.  There are a few reasons for that, and understanding an employer’s tolerance for blogging is only one of them.  It’s stressful to start a new job, no matter who you are and how much you love the job you’re moving to.  My new role at Akamai is no exception to this rule; in fact, it’s one of the more stressful changes I’ve ever had.  I love the job, I love my role, but there is SOOOOO much to learn and I’m expected to be an expert NOW, rather than in six months.  I can do it, I love the challenge, but cramming so much new information into my tiny little brain leaves very little extra horsepower to synthesize the information into something worth blogging about.  And I’m not the sort of person who wants to merely regurgitate information; I want to be able to use what I’ve learned and reframe it into something that’s valuable to the security community as a whole.  Which is really hard when you’ve got a fire hose of information aimed at your head and you’re just trying to find the room to breathe.

Another reason it’s hard to blog when starting a new job is just the sheer enormity of change.  Finding the time to blog, the time to podcast, the time to exercise and sometimes even finding the time to spend with the family is hard at first.  What are my priorities?  What tasks have to be done before I can quit work for the day and what tasks can wait until tomorrow or be blown off altogether?  When can I fit in an hour or so to collect my thoughts and put them on the screen?  30 minutes?  15?  Please, can I just have 5 minutes to post a link or two?  The first few weeks or months are incredibly chaotic and somehow blogging is always one of the first things to suffer for it.  But better blogging than my family.

I’d be lying to myself if I didn’t say that gauging my employer’s willingness to accept blogging was one of the main roadblocks when I start a new role.  I’ve been burnt before and it’s left an impression on my psyche.  I’ve learned to be up front about my blogging and podcasting and my resolution to maintain them and my voice, but it’s still been a crap shoot in some cases to find out whether my employer’s tolerance in real life is anything similar to what they said during the interview process.  More often than not, my employers have maintained an air of benevolent ignorance towards my blog, but every so often I’ve gotten the “we’ve read your blog and are not happy” conversation.  Not often, but it has happened and it’s never a comfortable talk.  I’ve actually told at least one manager that my blog and podcast are more important to me than my job.  Neither of us really walked away from that conversation happy.

I’m very excited to say my position at Akamai as the newest Security Evangelist is very different.  I was explicitly hired, at least in part, to blog, to podcast and to continue being a very vocal part of the security community.  Everything I’ve encountered so far tells me this is where I need to be now and hopefully far into the future.  Many of my coworkers were friends long before I worked for the company and will be for a long, long time.  But, like everyone, I’ve been scarred by some of my previous experiences and it takes a conscious effort to overcome the habit of initial silence.  Obviously, this post is part of combating that, but carving out an hour or two a week to post as part of my job rather than despite my job will also be an important part of the effort as well.  I’m supposedly a ‘thought leader’ and in order to be that, I have to actually have the time to collect my thoughts in order to put them out there for other people to read and critique.

One last reason I haven’t been writing nearly as much as I used to over the last year is saturation in the PCI field.  Not the field itself, it was my mind that had reached the saturation point with no room for new ideas to enter.  Over the last few years my arguments with folks like Josh Corman, Mike Dahn and a myriad of other really bright people had reached the point where we weren’t talking about anything new, we were just going over the same old ground from different directions.  Or just having the same argument again and again without anyone learning something new.  And that’s not what I want for the blog or for my own education.  While it’s not the same as not writing because of a new job, it has definitely been related.

So here’s to setting aside some time and energy to blog.  I like writing.  I like getting feedback.  I like putting my ideas out there for others to tear down or build upon.  There are a lot of people smarter and/or more experienced than I am and interacting through the blog makes me a better security professional.  And if you haven’t figured it out by now, I’m passionate about being a security professional and becoming better at it every day.  Blogging has long been one of my best tools for meeting that goal.


Aug 25 2011

Support Change at the ISC2

Published by under CISSP/ISC2

I’ve been a CISSP for close to a decade now.  And in that time, I’ve never really been happy with the way the ISC2 represents themselves, with the way they promote the certificate and the way they support the CISSP community.  Basically, it’s been my opinion that the primary goal of the ISC2 has been self-promotion and the gathering of more people who have 5 more letters after their name.  Promoting the community, furthering security, making the world a better place have always seemed like secondary goals at best.  They do perform some good deeds, like the Safe & Secure Online Program, but even that sometimes comes off as more a PR effort than a real attempt to improve the security of the world overall.  If you’ve ever read the CISSP mailing list (which you have to be a CISSP to do), you’ll notice that there’s been a lot of time spent complaining about the disconnect between everything the Board of the ISC2 does and what the community would really like to see done on our behalf.  My opinions on the leadership are probably part of why the ISC2 labeled a small group of people, including me, as the ‘Certified Usual Suspects’.  I even have the hat to prove it.

I’ve seen a few attempts at joining the ISC2 Board of Directors over the last few years, but unluckily I’ve never heard of most of the people who apply.  And to make matters worse, it’s incredibly difficult to get a seat on the Board unless you’re endorsed by current members of the Board.  So when I see someone I know of who’s preparing to take a run at the windmill again, I’m more than willing to help by putting my support behind them.  This year, Wim Remes is running for the Board and I’m going to support him and hope other CISSPs will consider backing him as well.  I don’t know him personally, but given the interactions I’ve had with him on-line and the endorsements he’s already received from people I trust, I’m willing to take a chance.

Support Wim Remes by sending an e-mail from your e-mail address registered with ISC2 mentioning your NAME, EMAIL ADDRESS and CERTIFICATION NUMBER to


7 responses so far

Aug 23 2011

Network Security Podcast, Episode 252

Published by under Podcast

It helps sometimes to laugh at yourself.  It usually helps even more to laugh at someone else though.  Rich, Zach and Martin spend a little time laughing at some of the stories in the security news at the moment as well as laughing at each other. We even laugh at the music for tonight’s podcast.  It’s good to laugh and let a little stress go sometimes.

Network Security Podcast, Episode 252, August 23, 2011
Time:  33:38

Show Notes:


Aug 16 2011

Network Security Podcast, Episode 251

Published by under Podcast

It’s funny that we’re getting to upload episode 251 before uploading episode 250.  But given the chaos that was recording at Defcon in front of a hostile crowd, maybe it’s for the best.  And maybe ‘hostile’ isn’t the proper word for it, since they were very friendly, they just enjoyed throwing the Core Impact balls that were provided by Paul and Larry from PaulDotCom.  At us.  In any case, this week we do a wrap-up and recovery episode of the Network Security Podcast.  We also have an interview with two kids who attended Defcon Kids, Martin’s very own Spawn.  Why did they enjoy throwing balls even more than our loyal listeners?

Network Security Podcast, Episode 251, August 16, 2011
Time:  36:26

Tonight’s Music:  Cool Coffin Kids by Dark Torch Anthem


Aug 10 2011

Interview with Gregory Evans

Published by under Podcast

The following is a special interview with Mr. Gregory Evans, conducted July 6th, 2011. This interview is unedited and played in its entirety. Mr. Evans is a unique individual and we’ll leave it up to you to form your own opinions about him.

Interview with Gregory Evans


6 responses so far