Archive for the 'Social Networking' Category

Sep 07 2014

Is pay rising with demand in security?

If you follow me on twitter, you know I like to throw out questions occasionally just to stir things up.  On Friday I asked the following question about jobs in the security realm:

We keep hearing about how desperate companies are to hire infosec professionals. So how come we still see so many low ball salary offers?

This hit a nerve with quite a few people, many of who mentioned that besides having low salaries for the apparent demand, we also see low stature in the company and that while there’s a demand, companies still don’t see how paying a security professional leads to profit.  The conversations on twitter led to an interesting side road about how newcomers to the field are expecting huge salaries without having any experience at all.  But the most comprehensive response came from John Wood, who wrote a whole blog post about it rather than responding 140 characters at a time.

John sees the reasons as being a) the company doesn’t really care about security, so they’re just trying to get the lowest paid person they can, or b) they have no idea what the actual job market for security professionals is like in the real world.  If it’s ‘a’, I’d agree with John and say far away from the company; let someone who’s willing to suffer through a thankless job take the role on.  His suggestion for the second part is that you should talk to the hiring team and explain to them what salaries are like in the real world, then walk away until they’re willing to pay what you feel reasonable.  I’ve worked at a lot of companies in my career and I’ve never had this strategy pay personally, but maybe it has worked for others.

I see the effect of companies who just want ‘check box security’ a lot.  Having been a Qualified Security Assessor (QSA) dealing with PCI in a former life, I’m all to familiar with the concept.  I understand that most companies out there still don’t see that security has to be part of core processes in order to be effective and still see it as an impediment to be overcome rather than a selling point for the company.  Besides being directly responsible for the low salary offers, it’s reflected in the low stature the security team is often given within a company.  Of course, there’s the whole argument that we still don’t know how to speak ‘business’, but that’s a drum to beat another day.

Security as a core competency, as  business process that leads to more sales and greater profit is a hard sell and one that’s always going to be difficult to draw a direct correlation to.  I’m lucky in that I work for a company where security is a part of the discussion any time a product is sold, but how do you bring security into the conversation when you sell widgets?  It’s not easy, there are no simple answers and it’s something that each organization has to discover for itself.  The more we can make business aware that a good, well trained security team is essential to the health of the company, the more likely we are to see a willingness to pay salaries commensurate with the market rate for those roles. On the other hand, I’ve been told at a number of places sometimes there is no way of creating that linkage and security will always remain a check box for that company.

What about the new security professionals who are asking for high salaries with just an education and little or no experience?  That’s a hard one for me, since when I started in the security profession the only way to get a job was through experience.  I’d guess that it’s a dark reflection of the demand for security professionals; while in school the student hears again and again about how much demand there is and has unrealistic expectations once they graduate.  Or maybe they’re not that unrealistic after all, since at least some of them seem to get the salary they demand, even if they have to grow into the role they take on.

As a closing thought, one of my coworkers, Brian Sniffen, states

Only contractors are paid spot price. Salary is an annuity.

His point being that if you want the flexibility that creates a high end salary, you have to take the risks that a contractor does, including changing jobs regularly and having an uncertain stream of income.  In security, that risk is probably lower than in many careers, but it’s still a risk that’s there.  I’ve been a contractor and I’ve hopped jobs a lot in my career, which is another way to deal with the pay issue.  I’m not ready to do much of either in the near future, thank you very much.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Jul 28 2014

“Your cons are just an excuse to drink and party”

Published by under General,Humor,Social Networking

I’m sure we’ve all heard it before when trying to get approval to travel to conventions:  “This is just a boondoggle and you’re going to party the week away!”  Many people believe that the only thing that gets done at security conferences is that a lot of alcohol gets consumed and people get silly at night.  If you go by some of the things we talk about publicly, it’s no surprise that managers might believe that.  While there’s a little bit of truth in accusations, the reality is that there’s so much more going on at conferences that we don’t talk about.  

There’s obviously the talks.  While I personally only attend two or three talks a conference, I know people who spend their entire day running from talk to talk and wish they had time to see more.  There’s a lot of research being revealed at Security Summer Camp, some of which is being seen for the first time there.  It’s valuable to know what’s up and coming, what’s new and interesting and what the trends are in the security field.  The talks given at conferences are one way to find out about all of these.

A second reason to attend conferences is the contacts.  Having connections amongst your peers is easily as important as having knowledge about your field when it comes to a career in security.  There’s too much going on to know everything, there are times when you’re going to need help, so creating and cementing the relationships that will help you over the course of a career are fundamental to your success.  This happens in the hallway track between sessions, this happens during lunches and dinners and this happens even more during the parties at night.  Conferences provide a means to be social with like minded individuals that simply doesn’t exist in many other venues.

And finally there’s the break from the daily routine to de-stress and relax a little.  We need to get away from the daily routine from time to time, it’s a fact of life and why we have vacations.  Conferences provide a similar function, but in addition they give us an opportunity to gain new perspectives on our routine and exchange ideas with others that can be incredibly valuable in dealing with the problems in our normal work environment.  That shift of focus can make all the difference in the world in how you tackle a problem when you return to the routine.

So, yes, the conference parties are what a lot of people think of when they hear us asking to go to a conference.  But they’re only a small part of what’s going on at the conference and even they serve an important role as a social lubricant.  Of course, that’s assuming that you’re safe and sane when drinking and don’t do something that’s going to get you in deep trouble back at the office.  There’s always a few people who don’t know when to stop at every conference.  Don’t be ‘that guy’.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Jun 10 2014

If you don’t enter, you can’t win

Let me start by saying Nikita is brilliant and should be showered for accolades for coming up with this, presumably on the fly.

Let me give you some background.  Today was the day the letters about who’s talks were accepted for Defcon 22 came out.  Additionally, all the rejection letters for those not lucky (or well prepared enough) to be chosen to speak came out today.  I know my limitations, and as such, I haven’t submitted a talk to Defcon, other than being on panels and being part of the Defcon Comedy Jam in years past.  I also know I’m a smart ass and I jokingly asked Nikita on Twitter (@niki7a) “Can I get a #Defcon rejection letter?  Even though I never submitted anything.”  And here’s the reply I got.  As a coworker put it “So your talk on not submitting and regretting it was rejected because it wasn’t submitted and the rejection was song lyrics about not regretting your actions with a statement on why they regret rejecting your non-submitted non-submital? Meta.”

Martin,

The review board has reached a decision for your submission. Unfortunately, we will not be accepting your talk, “I didn’t bother to submit, and other regrets in the Hacker scene”, for DEF CON 22. If you submitted more than one paper, it may still be in review. Individual letters are sent out for each paper.

Every year, I have to write a bushel of rejection letters, and it’s never easy to shoot someone down who has put together a CFP. I really respect the effort each applicant puts into their work. The work you do, and the willingness to share your knowledge with the community is incredible, and I appreciate the fact you submitted with us. In a perfect world, every submission would be accepted and it’s contents shared with the community. Each talk has the potential to be the building blocks for a new idea, the solution to someone’s headache, the itch that needs scratching, or the salve for someone else’s.

In the end, I try to provide feedback for you so that when a talk is rejected you can get some sense of why and take that feedback to build a better paper. Hopefully, you can use it to submit it again to another conference, or again with us next year. Either way, Thank you again for the hard work. I’ve put together your feedback from the review board below.

———————————————
 We had to reject simply due to the fact that you didn’t submit. Maybe you will think about that next time. I mean seriously, like, what were you thinking?  I’d like to give you the following feedback as a way to help you understand this oversight on your part, perhaps my words will motivate you to improve your position for next year.

“And now, the end is here
And so I face the final curtain
My friend, I’ll say it clear
I’ll state my case, of which I’m certain
I’ve lived a life that’s full
I traveled each and ev’ry highway
And more, much more than this, I did it my way

Regrets, I’ve had a few
But then again, too few to mention
I did what I had to do and saw it through without exemption
I planned each charted course, each careful step along the byway
And more, much more than this, I did it my way

Yes, there were times, I’m sure you knew
When I bit off more than I could chew
But through it all, when there was doubt
I ate it up and spit it out
I faced it all and I stood tall and did it my way

I’ve loved, I’ve laughed and cried
I’ve had my fill, my share of losing
And now, as tears subside, I find it all so amusing
To think I did all that
And may I say, not in a shy way,
“Oh, no, oh, no, not me, I did it my way”

For what is a man, what has he got?
If not himself, then he has naught
To say the things he truly feels and not the words of one who kneels
The record shows I took the blows and did it my way!

[instrumental]

Yes, it was my way”

Thank you for your time, I can’t tell you how much I appreciate the opportunity you’ve given me to berate you over electronic medium, I can’t wait to see you at the show!

Please consider submitting or not submitting again in the future, and I hope that you enjoy DEF CON this year.

———————————————

Thanks,
Nikita Caine Kronenberg

There may be material here for a submission to Defcon 23.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Apr 06 2014

NSP Microcast – BSides London 2014

This afternoon I had a chance to talk to two of the main organizers of one of the biggest security events of the year, BSides London.  Paul Batson and Thomas Fisher have been working tirelessly (or maybe tiredly) for months to bring together all of the disparate elements required to make a conference come together.  And it’s no mean feat when the people you’re working with are all volunteers and the money comes from sponsors, both of whom believe in your cause.  This year will be my first chance to go to BSides London (this is the fourth) and I’m really looking forward to it.

-Martin

NSPMicrocast-BSidesLDN-2014
Time: 18:00

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Mar 20 2014

European InfoSec Blogger Awards

Next month is Infosecurity Europe here in London, taking place from 29 April until 1 May, as well as BSides London on 29 April.  I’ve never had the chance to go to either event and I’m really looking forward to my first time.  Another event that’s happening alongside both of these is the European Security Bloggers Meetup at the Teck Pub (appropriately named place for our group).  Many people may not know it, but I’ve been one of the people organizing the RSA Security Bloggers Meetup from the very start and I’ve been the MC for almost every single one.  So I’m very excited to see how the event translates to London and the European community.  I know it won’t be the same event, which is why I want to go.  Brian Honan is hosting with a little help from Jack Daniel and Tenable Security, which pretty much guaruntees this will be a most interesting shindig.

One of the aspects of the Meetup since the second or third year has been the recognition of bloggers and podcasters by the security community, the Security Bloggers Awards.  As one of the organizers of the Security Bloggers Meetup, I’ve always held my blog and my podcast as being out of the running for any recognition in the RSA version of these awards. I didn’t want there to be any potential conflict of interest with the awards, so it was easier to opt out of the competition all together.  Some people might say it’s because I feared folks like the Security Weekly Podcast and Exotic Liability taking the awards even with my competition, but I’m going to stick with my story of conflict of interests.  

But a funny thing happened last year; I moved my family to London.  Which means I’m now a European blogger and podcaster.  And since I have absolutely nothing to do with the European Security Bloggers Meetup or the European Information Security Bloggers Awards, I feel free to compete and do my best as a transplant to take whatever awards I can wrest away from the natives!  It also helps that the only ‘competition’ here in the UK that I know of are the Eurotrash Security Podcast and Finux Tech Weekly. And I’m pretty sure you have to have actually posted within the last year and you can’t have any pictures of WickedClownUK in spandex.  Not just can’t have them on your site, you can’t even be in possession of them.  Since the ‘rules’ of this competition are … well, non-existant, if I can convince voters of these requirements, it helps my efforts.

So go vote for Rich, Zach and me as the hosts of the Network Security Podcasts for Best European Security Podcast of 2014!  Sure, I’m the only one of the three of us that actually lives in Europe.  Yes, I’m not really European, I’m an American transplant.  But none of that is nearly as important as not letting Chris John Riley win the award!  So vote early, vote often, and just vote for the Network Security Podcast!  Or at least go vote, since I’m not really all that attached to winning an award, truth be told.

Hmmm, vote for the Network Security Blog as the Best Personal Security Blog too while you’re there.  Maybe I do care about awards after all.

 

 

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Jan 23 2014

But first, BSides…

I’m looking forward to this year’s pilgrimage to San Francisco.  Not that it’s ever been a pilgrimage before, since I lived 60 miles away, but now that I live near London, it’s a much longer trip.  I’ll be arriving in San Francisco a few days early for a couple of reasons.  The first is to visit my family and friends in the Bay Area, who I haven’t seen since I moved away.  The second reason is to attend BSides SF on Sunday and Monday.  Which, in many ways, is also a visit to friends I haven’t seen since moving.

Let’s assume for a second you’ve never attended a BSides event.  It’s community led, it’s free, and each one is unique.  BSides SF is being held in the DNA Lounge, which has been a fixture in San Francisco for as long as I can remember.  Think of a funky, grungy, dark underground bar.  Then add in a couple of hundred hackers, security devotees and a few people who happened to find their way into the event with little or no idea of what’s going on.  The talks range from first time speakers (something that’s strongly encouraged) to some of the best speakers in the realm who want to step outside the confines of a business conference to talk about things that aren’t quite politically correct.  Finally, add in a healthy dose of chaos and an even healthier sprinkling of community and you have some idea of what BSides is.  But unless you actually attend, my description is never going to be adequate to capture the true energy of the event.

I make no bones about it, for me conferences are about meeting the people there, not about the talks.  However, the talks at BSides tend to take a higher priority than they do elsewhere.  While some of the talks are a bit rougher than those at conferences you pay for, the fact that people are speaking with unfiltered passion more than makes up for it.  And a number of the talks simply couldn’t be given at a corporate event.  I’m looking forward to Morgan Marquis-Boire’s (aka @headhntr) talk, even though he hasn’t publicly stated what it’ll be about yet.  Morgan has worked on uncovering a number of government surveillance schemes around the globe, so anything he’s chosen to talk about has to be interesting.  Along the same lines, Christopher Soghoian’s talk about living in a post-Snowden world is a must for me, even though I often find myself disagreeing with with what Chris says publicly.  What can I say, privacy has always been a favorite topic of mine and has never been something that’s more in need of open, public discussion.

I’m also looking forward to seeing three of my friends on one panel, Jack Daniel, Wendy Nather and Javvad Malik discussing how to talk to an analyst, or rather how not to talk to an analyst.  Javvad gave an excellent PK (20 slides, 20 second per slide) talk at RSA EU covering all the horrible slides he sees again and again as an analyst.  The trio will be entertaining at the least, and I might even learn a little about talking to analysts myself.  Ping Yan’s talk on using intelligence looks interesting and has potential for my day job, so I’m going to try to find a seat for that talk as well.  And I have to support my podcast co-host Zach Lanier, even though I usually understand about half of what he’s presenting on any given occasion.

There are other interesting talks, if I can sit through the talks I’ve already mentioned, it’ll probably be the most I’ve seen at one conference in a long time.  I have a pretty short attention (Squirrel!) span, and I’d rather be talking with the presenters than simply listening to them passively.   I’ll have a mic and my Zoom H4, so it’s entirely possible I’ll be able to get a few of them to spend a few minutes doing exactly that.  Which means I can share the conversations with you as well.

 

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Jan 06 2014

Still going to RSA

In the last couple of weeks Mikko Hyponnen from anti-virus company F-Secure announced that he won’t be speaking at the RSA Conference in San Francisco at the end of February.  His reasoning is that the company, RSA, colluded with the NSA for a fee of $10 million in order to get a weakened version of a random number generator included in the public standards, a move that makes the whole suite of encryption standards easier to crack.  As Mikko points out, RSA has not admitted to this accusation, but they haven’t denied it either.    So Mikko has pulled his talk and has publicly stated that as a foreigner, he doesn’t feel right supporting the conference.  I understand his sentiment, I see what he’s hoping to accomplish.  But I don’t think boycotting will do much, other than gain Mikko a little bit of attention short term and harm his reputation long term.

The first problem with boycotting the conference is that RSAC is, for all intents and purposes, a side company from the RSA corporation.  It has it’s own management structure, it’s own bottom line, it’s own profit and loss reporting.  And it’s only a small fraction of the overall revenue stream of the corporation. As such, any impact that boycotting the conference might have is going to be highly dilluted when it reaches the management of the central corporation.  Yes, at some point in a meeting it will be discussed that a speaker has withdrawn over NSA concerns, maybe even a dozen other speakers will join in a show of allegance.  But the conference organizers will simply pick from the dozens of alternative speakers of nearly equal capability and move on.  Senior management might lose two or three minutes of sleep that night, but nothing more.  And any impact that having a particular speaker boycott has can easily be written off as being from other, much larger changes that RSA is making to the conference lay out this year. 

The second problem I have is that while Mikko has stated he’ll be boycotting the RSA Conference, he’s said absolutely nothing about F-Secure boycotting.  As a vendor, I know that marketing departments have to commit to the conference at least a year in advance and I’ve heard that some commit to multi-year contracts in order to get better pricing.  The small booths at either end of the halls cost tens of thousands of dollars, while the big booths in the center of the floor cost the vendors several hundred thousand dollars when all is said and done.  If Mikko wanted to make a statement that would really be heard, he’d have F-Secure withdraw from the RSA Conference this year and for the next few years.  Except he can’t.  Any vendor that’s mid-size or larger in the security field has to be at the RSA conference.  In many cases, this conference is the keystone for the whole marketing effort of the year, and any talk of a boycott would be immediately quashed as an impossibility.  Quite frankly, if you’re a security vendor and you don’t have a presence at RSA, you’re not really a security vendor and everyone knows it.  

The third issue I have with the boycott has nothing to do with Mikko and is closely related to the vendor point; it’s become a popular meme since Mikko’s announcement for security professionals to say they’re going to boycott RSA as well.  I’ll be honest, I’ve never paid to go to RSA, I’ve always had a press pass, gone as a vendor, or gone as a speaker, more than once as all three at the same time.  But even if I was, the money I’d pay to go to RSA is still insignificant when you compare it to what the organization makes off of the sponsors.  It would take a huge number of attendees failing to show up in order to make an impact.  Given the growth rate of the converence over the last few years, it’s most likely that even a thousand people joining up in a boycott would simply lead to a flat growth rate at best.  Additionally, similar to vendors, most people who are attending and have their company pay for it have already purchased their tickets and a boycott at this point would be more detrimental to them than it could be to the RSA Conference.

If you think that NSA has been behaving badly and you really want to have an impact, go to the event and talk to people at the event.  If you’re a speaker, change your talk to include a slide or ten about what you believe RSA has done wrong.  You might be right or you might be wrong, but you’ll have a chance to tell your story to the several hundred people in your audience.  If you’re an attendee, go to the conference and talk to other attendees, tell them why you think the RSA Corporation has crossed the line and spread the word.  You gain almost nothing by throwing a temper tantrum and leaving the playground.  But if you attend, talk to people and raise awareness of the issues, you let others know that something isn’t right, something needs to be changed.

I wish Mikko the best, and maybe his boycott has raised awareness some.  But all the people who say “Me too!” aren’t going to have an impact.  They might feel better about themselves for a short period of time, but all their really doing is cutting themselves off from one of the biggest events in security.  It’s better to attend, be social and spread your opinions that opt out and leave your voice unheard.  I’m attending as a blogger, as a podcaster, as a speaker (panelist, really) and as a vendor.  It would have more impact on me and my career to boycott than it ever would to the RSA corporation.  

If you really want to send the RSA Corporation, quit buying their products and tell them why.  Now that’s a message they’ll hear loud and clear.

 

 

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

8 responses so far

Nov 21 2013

Had fun in Norway

I got invited to speak at the annual dinner of the Cloud Security Alliance in Oslo, Norway earlier this week and had a lot of fun at the event.  I always enjoy visiting cities I’d probably never see if not for my job.  Even more importantly, I love talking to people who are outside of the conference circuit and the echo chamber that is twitter.  It’s always interesting to see how these people see security differently than I do and differently than most of the people I hang around with (digitally, at least) do.  I appreciate the invitation Kai Roer (@kai_roer/kairoer.com) extended to me and I’m glad I went.

The other gentlemen who talked at the event was Mo Amin (http://www.infosecmo.blogspot.co.uk/) a London-based security professional who was giving what was only his second ever talk in front of a crowd.  There were some rough edges to his talk, but then again, there are enough rough edges to my own talks that you could grate cheese on them.  But Mo brought up some points about security awareness and training that many security teams need to be thinking about.  Specifically, he asked how many of us are teaching to a plan we developed in a vaccuum without understanding the needs of our audience or having talked to the people we’re trying to communicate with before hand.

It’s surprising (or maybe not) how many security training seminars are something that was developed by people who are more concerned with what the target “needs to know” as defined by the trainer.  We spend a lot of time developing the training based on what we believe our co-workers need to know to be secure, rather asking them what they’d like to know about and how they’d like to be taught it.  This is by no means true of all security teams, but it’s more prevalent than it should be and it’s thought of as ‘the right way to do things’ by many people.

Mo related a lot of his past experience from teaching English abroad to teaching security within a company.  And when you think about it, from the point of view of a lot of our co-workers outside of security, we really do speak a different language in our little club.  So maybe it’s worth taking some time out as you develop training to talk to your users in order to find out how they’d like to be taught. It might be interesting to see how that changes your effectiveness.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Nov 07 2013

Congratulations to my friends at Twitter

Published by under Social Networking

It looks like the Twitter IPO went well, maybe even exceptionally well.  Now lets hope they don’t pull a Facebook and see their stock at 25% of it’s current value in 3 months.  

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Nov 03 2013

Building the tools to spy on us

Even if folks like Google, Microsoft and Facebook weren’t mining every bit that flows across their networks, there’s a number of companies out there that are building the tools to let government agencies and law enforcement organizations to spy.  Companies like NICE, Bright Planet and 3i:Mind are probably just the tip of the iceberg when it comes to companies who see a profit to be made in the monitoring and spying space.  

I’m a bit torn when it comes to products like these that make it easy for LEO and other state actors to monitor the public.  On one hand, these are valuable tools for catching criminals.  On the other, they create a long term record of everything a protestor or dissident does, something that’s begging to be abused down the line.  And just because it’s not making national news doesn’t mean there aren’t already examples of exactly this sort of thing happening.  

I find Bright Planet’s product, BlueJay to be at least slightly amusing in that it’s basically just a Twitter search engine that looks for people who are stupid enough to tweet about the crimes they’ve committed or are planning to commit.  Why a police department couldn’t do something like this on the cheap I don’t know, but I hope that this isn’t that expensive of a product.

As long as there’s a way to make a buck from monitoring the public, someone will do it.  I’m sure there’s a lot of internal justification and arguments for these products that goes on, just as I’m sure that some of these companies know their products will be used and abused for purposes they weren’t meant for.  I’m just hoping that as the companies build the tools, they take in mind the need for checks and balances to track the usage of their tools and make catching the abusers possible.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Next »