
3rd Annual Top 10 Sexy InfoSec Geeks for 2011

January 1st, 2012

This year has been full of surprises.  Life has taught me that you never really exist in a state of calm or unrest, but some stratified grey area in between.  When life gets rough I think back to the “in between” that is water.

I’ve received a few questions about the 2011 sexy infosec geeks list, and last year was such a hit as was the year before that I thought we should do it again.  It is hard to keep a list to just 10 people when you really have a list about 50 long.

A friend asked me how I compiled the list.  I told her it was based on the people I know and those referred to me.  I’m easily influenced by recommendations of others, as are so many people in this world.  I solicited input, averaged out the outliers, and once again used biased weighting to determine the final set.  Again, these are only my opinions.  I encourage you to make your own list as well. As always, feel free to disagree or add your own using the comments.

Without further commentary or tangent, I give you the Third Annual Top 10 Sexy InfoSec Geeks for 2011.

10. Halvar Flake (@halvarflake)

Halvar has many skills. He was denied entry to the US in 2007 and prevented from teaching a class at Black Hat, probably because the information was much needed. He specializes in math, reverse engineering, and making friends with people who recommend him for lists like this.

09.  Felix ‘FX’ Lindner (@41414141)

FX is a well-known member of the German security team Phenoelit and head of Recurity Labs. He is a mainstay of the security world who, along with the rest of the Phenoelit team, has brought many others into security. He participates in C3, speaks on security, and is overall a nice guy.

08. Jayson E. Street (@jaysonstreet)

Jayson Street, much like Zaphod Beeblebrox, is “just this guy, ya know”. Jayson presents at conferences around the world, and people attend his talks because of how entertaining he is, regardless of the topic. He frequently speaks on social engineering, is never without his vest of pockets, and is somehow able to find a Pizza Hut and a Pepsi in every country he visits. He has received several accolades over the years.

07. Andrew Jaquith (@arj)

Aside from being an all-around likable guy, Andrew has served in various CTO positions, co-founded @stake, and held industry analyst positions. Andrew authored the book Security Metrics, started MetriCon, manages Mini-Metricon, and is a full-time pundit. If someone mentions the word metrics, they will probably quote something Andrew has said.

06. Joanna Rutkowska

Joanna made a splash in 2006 with her Black Hat presentation on an attack against the Vista kernel protection mechanism and a technique dubbed Blue Pill, which used hardware virtualization to move a running OS into a virtual machine without its knowledge. In 2010 she co-created Qubes, a security-focused operating system that isolates activities into separate virtual machines. In this era of virtual machines, we need more people to promote the need for security in virtualized systems.

05. Alex Hutton (@alexhutton)

Alex Hutton has been involved in so many risky things that he is most certainly an infosec bad boy. He graduated from the Jack Jones school of Factor Analysis of Information Risk (FAIR), formerly did Research & Intelligence with the Verizon Business RISK Team, authored the Verizon Data Breach Investigations Report (DBIR) and PCI Compliance Report (PCIR), and organized (Security) Metricon 2011. Now that is one risky dude!

04. Michelle Klinger (@diami03)

Michelle may like infosec as much as she likes cats, and that’s saying something. She co-organized BSidesDFW two years in a row. She is an excellent cat herder who never likes the limelight but always does what it takes to get things done. She has sarcasm and charm to spare. In 2011 she was nominated for an RSA Blogger award for her post, Security B-Sides Turned Me into an Adult.

03. Kyle Creyts (@hushedfeet)

In a do-ocracy Kyle would be king (or close to it). Kyle is the founder of BSidesDetroit, an event he started to bring together people in the greater Detroit to Ann Arbor area. At a youthful age he stood up a conference in a city whose tech community is widely scattered and gathered a community of like-minded people.

02. Marcia Hofmann (@marciahofmann)

Marcia is a senior staff attorney at the Electronic Frontier Foundation (EFF), focusing on helping ensure that modern technology is used for liberation rather than control. She liaises with hackers at security conferences and helps guide them on how to proceed with sometimes sensitive topics. She has the legal perspective that every aspiring hacker needs.

01. Joseph Sokoly (@jsokoly)

Joseph has been my ‘poster guy’ for Security B-Sides. In 12 months he went from a presentation on how hard it is to break into the industry (BSidesAustin), to a follow-up on all the support he received (BSidesBoston), to his home town, where he co-founded BSidesDFW. I’ve always enjoyed our long one-on-one conversations about life, people, and leadership.


The Future of Security B-Sides

December 22nd, 2011

Dear friends,

We started Security B-Sides (BSides) to do something different. We wanted to create a platform to help the security community achieve things together that we could never do alone, and expand everyone’s opportunities.

Thanks to the incredible support of all our volunteers and sponsors, over the past two and a half years community organizers have held 37 conferences across four continents, involving over 100 organizers and thousands of participants. I am so proud to be a part of this, seeing people help each other and do things they would never have done otherwise.

However, this week, some criticisms were published about BSides. As the person named in some of these statements, I want to set the record straight on items that are factually incorrect, as well as address some of the growing pains I mentioned above. BSides, as a community organization, has a responsibility to our community and our sponsors.

Not-For-Profit Status

BSides is not yet a not-for-profit (NFP) organization. It is true that I initially included language stating this on the website and Facebook page because that is the spirit in which the organization was developed. This has since been removed. We have not misrepresented ourselves as a NFP to any sponsors or vendors, nor have we provided them with a receipt claiming such.

We are in fact pursuing NFP status. Please know this: I took the initiative to file for California state acceptance, which is the first step toward filing for federal 501(c)(3) status. The state filing was approved this year after many cycles. Due to state budget cuts, we waited months for each reply.

I have recently engaged a third-party company that specializes in these types of organizations to walk us through the process of selecting board members, drafting bylaws, and completing our federal application.

I admit that I might’ve taken more time than needed to address some of these important administrative details, but this delay was never out of malicious intent; getting caught up in the growth of the organization delayed this process. The foundation of BSides was never lost along the way.

In the spirit of growth, and to further that foundation, I’m happy to announce that the three initial members of the BSides board of directors will be Jack Daniel, Gene Kim, and myself. Gene is the newest member of the team; he is an experienced executive and well-respected member of the information security industry who has served as an adviser and board member for many organizations.

Financials

Regarding the financials and banking issues, a quick factual clarification. Shortly after forming BSides I applied for an Employer Identification Number (EIN) with the IRS. I then opened a separate bank account for BSides into which we deposited funds received. Since some sponsors wished to pay via credit card, we used PayPal to accept these funds. I linked the PayPal account to the BSides bank account to be able to transfer funds.

This quarter we engaged a third-party bookkeeper to review the bank account and help us create an event-by-event accounting of all funds received and expenditures made. Let me emphasize: all BSides funds have gone directly to the events, to cover administrative costs, or were donated to charitable organizations. To go a step further, neither I nor Amber has received any compensation for our time or effort, and all of the funds have been kept in a separate account from our personal funds.

Another important piece to the financials is the management of events. When we had 5-10 events spread out over the year, it was easy to manage all invoices and all accounts from one central location. This process broke down and we ended up paying for one event using funds raised from the last as we tried to collect on committed funds. Going forward, we have discontinued the “global” sponsorship and will require each event to raise their own funds and cover all expenses. There will be no co-mingling of finances.

Responsibility and Accountability

Although we are not yet a NFP and not required to publish financials, we will publish a report in accordance with typical NFP practices. We are diligently working on this, and our hope is to have it completed in the next couple of weeks. If any sponsor would like to know how their funds were used, we are also ready to provide a full itemized accounting for them.

I am not perfect, and many of the changes that occurred in the last two years came from extreme growth and change. I agree with Bill Brenner that this is an opportunity to build something better. We learn, we evolve, we move on. We now have a formal board of directors, a third-party bookkeeper, and an organization that will help us complete the 501(c)(3) paperwork and filings. We have new processes for each event to operate independently. I think the good we have created should not be abused or ignored.

The Future of BSides

My main concern is what the future holds for the many event organizers whose sponsors may question their involvement in BSides. I will continue to assure our sponsors that BSides remains a worthy investment and that we are laser focused on making this a better and more transparent organization for the benefit of the security community and broader industry.

I would like to encourage others to continue to be collaborative, and help each other do good things. If you want to volunteer and participate in our improvement, please contact me at mike@securitybsides.org or join the BSides Google group.

If you have any questions about BSides or any of the accusations, please email me. In the spirit of total transparency, I will attempt to reply to all of your questions.

Going forward, I hope the community can help itself heal, band together, and continue to help others do together what they could not do alone.

Sincerely yours,
Mike Dahn


Capability and Maturity Model Creation in Information Security

October 28th, 2011

This is a re-post of an article I wrote for IT Compliance Advisor, a part of TechTarget.com, in August 2009. I find the material to be just as applicable now as it was then. You can find a list of reference material here.

One of the problems that many companies face is staying ahead of the information security curve. Go too fast and you run the risk of wasting capital; go too slow and you run the risk of being compromised. So how can a company escape the hamster wheel of pain? Be proactive in managing risk and implement a maturity framework for the organization.

In an attempt to balance the two domains of cost and security, a continual tradeoff, many companies have adopted regulatory compliance standards. These are good tools for measuring one’s security against a known industry baseline. The classic example is the Payment Card Industry Data Security Standard (PCI DSS). Using standards like PCI DSS, companies can measure their progress in eliminating sensitive data they do not need and protecting the remaining in-scope systems.

There are two problems with aligning an entire information security program along any single guideline. It should be noted that, in the absence of any information security program, PCI DSS is a very good baseline standard.

The first challenge is the 0-to-100 problem. Some companies start with no information security program and try to adhere to something like PCI DSS. Much like measuring the acceleration of a car by how fast it can go from 0 to 100 miles per hour, these companies struggle to get from 0 to 100 percent compliance in under 12 months. For these companies this means implementing security for the sake of a deadline, which means not always having the time to test what works and what does not.

The second challenge is the security limiter problem. Once companies reach 100 percent adherence to a given standard, many times they stop developing their information security program. These companies then enter a vicious cycle of identification and remediation. Each year, their auditors alert them to a new set of issues and, each year, the companies fix those and then relax until the following year.

So how do we escape this endless cycle of identification and remediation? How do we provide a way for companies to go from 0 mph to 50 mph in year one, 50 to 100 in year two, and still be inspired to go from 100 to 150 in year three? How do we become proactive instead of reactive? One option for addressing these problems is a capability maturity model (CMM) coupled with risk management.

A CMM is nothing new or innovative. It is a useful approach for managing the maturity of a system. The Computer Security Handbook, 4th Edition, notes that CMMs originated in software development. The book states that a CMM “can be used as a way to assess the soundness of a security product builder’s engineering practices during the many stages of product development.” If a CMM can be used to measure the soundness of engineering practices, then why not leverage it to measure the soundness of information security practices?

A maturity model encourages continual growth rather than strict adherence to Procrustean boxes of information security. It is the mathematical equivalent of the integral, or the continuously variable transmission of an automobile: it provides a smooth curve instead of designated endpoints. For companies suffering from the 0-to-100 problem, a maturity model enables growth from 0 to 50 initially, with the projection of moving from 50 to 100 at a later date. Companies that suffer from the security limiter problem gain the ability to continuously and proactively plan information security development in parallel with growing business needs, instead of against an independent set of criteria.

The Information Security Management Maturity Model (ISM3, or ISM-cubed) provides us with the intersection of information security and a maturity model for growing an information security program. ISM3 describes the process this way:

“Rather than focusing on controls, it focuses on the common processes of information security, which are shared to some extent by all organizations.

Under ISM3, the common processes of information security are formally described, given performance targets and metrics, and used to build a quality assured process framework. Performance targets are unique to each implementation and depend upon business requirements and resources available. Altogether, the performance targets for security become the Information Security Policy. The emphasis on the practical and the measurable is what makes ISM3 unusual, and the approach ensures that ISM systems adapt without re-engineering in the face of changes to technology and risk.”

In fact, ISM3 is based in part on extending the Systems Security Engineering Capability Maturity Model (SSE-CMM), which is standardized as ISO/IEC 21827. The SSE-CMM “describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering.”

In addition, consider the Building Security In Maturity Model (BSIMM), which is “designed to help you understand and plan a software security initiative.” There is also the Open Software Assurance Maturity Model (OpenSAMM) project, which can “help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.” These frameworks exist as tools for developing the maturity of organizations and software through measured metrics.

And metrics are where the magic really happens. Only by measuring the maturity of an organization and matching it against the development and progress of known attacks can we demonstrate that we are maintaining the balance between cost and security. There is a saying that if you and your friend are being chased by a bear, you don’t need to outrun the bear; you need only outrun your friend. In a world of ever-increasing compromises, many companies struggle to stay ahead of the curve. A maturity model, with proper metrics, can help your organization do just that. The best part? Companies that implement a maturity model and show measured growth are many times more likely to adhere to industry standards such as the PCI DSS.


Selective Deregulation: What you need to know about the future of PCI validation

May 28th, 2011

This post clarifies an earlier one, Considering an Opt-Out Program on PCI Validation, and helps explain how PCI compliance validation is changing based on the risk measures present in a merchant’s environment. Regulation and deregulation cycles happen in response to market forces. In this case selective deregulation is happening in the form of reduced validation for merchants that have risk and fraud reduction measures in place.

Present State

When many companies think of PCI compliance they immediately think of a third-party Qualified Security Assessor (QSA). For mature organizations this is the old way of thinking, as both Visa and MasterCard permit merchants of any level to self-assess:

  • Visa (Inc. and Europe) permits a report on compliance from an internal auditor provided it is signed off by an officer of the corporation.
  • MasterCard permits self-assessments but internal auditors must “attend PCI SSC ISA Training and pass the associated accreditation program”

Although organizations must validate annually, they are relieved of this in the following situations (as noted by Simon Sharp):

  • Visa Inc.: merchant does 75%+ EMV transactions = no requirement for ongoing external assessment (heavily abbreviated)
  • Visa Europe: merchants meeting milestones 1-4 of the Prioritized Approach are in a safe harbor even if breached (heavily abbreviated)
  • Visa Asia: merchants who implement end-to-end encryption or process EMV chip transactions in countries where iCVV penetration is >75% have the following options:
    • Validated compliance with milestones 1-4 of the PCI SSC’s Prioritized Approach are recognized as fulfilling Visa PCI DSS validation requirements.
    • Attest to not storing prohibited data and process EMV chip transactions in markets where iCVV penetration is higher than 75 percent, in which case the merchant level may be defined by the annual volume of non-chip transactions.

Reducing Risk = Reduced Validation

Visa Inc’s Technology Innovation Program (TIP) provides that organizations which reduce fraud risk using technologies such as EMV (Chip and PIN) no longer need to validate compliance annually. Visa Europe has its own version of TIP that goes a step further: for merchants who validate against milestones 1-4 of the Prioritized Approach, Visa Europe will:

  • waive penalties for non-compliance or non-progression
  • grant ‘safe harbour’ from penalties and allocation of incremental counterfeit fraud losses in the event of a data compromise

Sure, there are caveats, and I’m not certain what “allocation of incremental counterfeit fraud losses” entirely means, but the idea that a merchant can achieve safe harbor from anything is a pretty big carrot with which to lead merchants.

Certainly the pendulum has swung from encouraging compliance to encouraging risk and fraud reduction. To this end Visa has moved from incentivizing compliance, via the Visa CAP program in 2007, to incentivizing risk and fraud reduction, via the Visa TIP programs in 2011.

PCI Deregulation

Perhaps it’s premature to say that PCI compliance as an industry is in a deregulation phase. Clearly PCI compliance in regions that have not seen wide adoption, such as Asia and Australia, still needs movement towards full compliance and validation. Conversely, if a merchant has >95% of transactions using EMV (Chip and PIN) with iCVV and CDA authentication, the need for PCI compliance validation may be limited.

Although deregulation may never fully occur, annual third-party validation is no longer necessary for companies that have either reduced the risk to payment card data or have highly mature internal controls and validation capabilities.


Considering an Opt-Out Program on PCI Validation

May 1st, 2011

Abstract

As regulation-deregulation cycles rise and fall, it is important to understand how the evolving landscape of compliance affects your future. This post proposes maintaining compliance but making validation an opt-out component, a radical change from the status quo. Evidence already suggests the industry is moving in this direction, and changes to compliance are necessary for the continuance of risk management.

Please understand that when I say opt-out, I am referring to mandated external, third-party validation requirements. I think internal validation is more important than ever.

Special thanks to idea people: @lennyzeltser, @mckeay, @alexhutton, @kindervag, @joshcorman

Background

I recently read Lenny Zeltser’s blog titled “Could Regulatory Compliance Encourage Weaker Security?” This is a valid question and one that needs addressing. The question can be rephrased as, “Who does compliance work best for?” To answer that question we need to understand why compliance exists.

In a blog post I wrote on How Compliance Regulations Get Made, I focused on the natural regulation-deregulation cycles and how they exist in response to an increase or decrease in data breach/loss. The ultimate goal of compliance is to set a baseline of standards within an industry. The question Lenny raises is one I’m often asked by opponents of such standards: “what about the big/little guy (who does not fall within the bell curve norm for best practices)?”

It’s true that regulatory compliance is targeted not only at setting a minimum standard for technical security (firewalls and IDS) but also a minimum standard for security maturity (policies and procedures) within an organization. So let’s think about this graphically. There are four quadrants within which to place organizations: those with a high or low level of security, and a high or low level of maturity.

Security vs Maturity

For the purpose of this conversation let’s assume that maturity encompasses the Check and Act aspects of the PDCA Cycle and security refers to the Plan and Do components. The reason I break it down this way is to directly reflect the results of the Verizon PCI Compliance Report (PCIR). This report found that:

“Organizations are better at planning and doing than checking. If the check phase is broken, they cannot act to maintain the state of security over time.”

The Verizon PCIR found that organizations are great at Planning and Doing but not great at Checking and, as a direct result, Acting on those changes. To me this disconnect is the difference between organizations with a high-level vs low-level of maturity within their security practice.

With this in mind, let me suggest that regulatory compliance standards should most affect those organizations that lack either security or maturity, but not both. So let’s break down the four quadrants and the types of organizations they embody.

  1. High-Security / Low-Maturity: These companies care about security but have never documented policies and procedures. They have log management systems but have slowly stopped reviewing them. Regulatory compliance can have a positive impact here.
  2. Low-Security / High-Maturity: These organizations run well but with little funding for sorely needed security projects. There has never been a “hammer” to drive spending. Regulatory compliance can have a positive impact here.
  3. Low-Security / Low-Maturity: These are organizations that do not care about security or compliance. Perhaps they are too small (mom-and-pop companies), or they will validate compliance but never maintain it through the year. There is no changing these companies and little that compliance can do for them. Validating compliance for them is a waste of time and money, since there is no driver to maintain a state of security. (Instead, new technologies such as tokenization, end-to-end encryption, and validated payment applications will have the highest impact here.)
  4. High-Security / High-Maturity: These are companies at the top-tier of their breed. They don’t manage security, they manage risk! They adopt and implement custom risk management solutions based on careful analysis of data classification and impact analysis reports. These companies see regulatory compliance as a roadblock and implementing industry “best practices” as a deviation from their perfect path.

I propose that regulatory compliance will most help groups 1 and 2, but not groups 3 and 4.  (Unless you consider regulatory compliance the driving force for said technologies above, though I would argue data breaches and word of mouth have a higher impact here than compliance.)

Although I believe in the need for increased education, flexibility of controls, and more data for risk modeling – I’m going to save us a bit of time and skip to the chase.

  • Companies in group 3, who do not care about compliance or security, will not change their tune by forcing them to validate compliance.  Instead the end result will most likely be in them checking a box and ending up in the 80% of companies (see: Verizon PCIR) that do not maintain their state of compliance.
  • Companies in group 4, who care passionately about risk and security, need a reprieve from continually validating against a standard that is built for the average organization. Although the stated way to address this for PCI compliance is through documenting a set of Compensating Controls, what other options do we have out there? What other ways are there for such companies to deal with compliance validation?

Remember, the stated goal of regulatory compliance, taken from regulation-deregulation cycles, is to reduce the number of data breaches and the amount of data loss. In both groups 3 and 4, continually validating against a standard may, in my opinion, have little to no impact on the number of data breaches. The reason is that group 3 will validate but not maintain that state, and group 4 treats validation as an exercise in documentation.

Other Options

On February 6, 2011, Visa launched its Technology Innovation Program (TIP) “to recognize and acknowledge merchants in Visa Inc. regions outside of the United States that have taken action to prevent counterfeit fraud by investing in EMV technology.” (Since Visa Europe is a franchise, “outside the US” may only apply to Asia-Pacific and Latin America & Caribbean, but it’s a bold change we should view as the tip of an iceberg.)

In essence, they are saying that organizations that have achieved the following, need not continue to validate their compliance against the PCI DSS standard:

  • Implemented a sufficient level of controls so as to reduce fraud* (see: EMV)
  • Validated their state of compliance once
  • Have not suffered a data breach

* Yes, fraud is discernibly different from data breaches, but one leads to the other and as a result they are interconnected.

Wow, what an innovative approach. I’ve talked about the TIP program with industry insiders and they are mostly in agreement that we don’t know if this will result in positive or negative changes. I feel it will be a great success and here is why.

Opting Out of Validation (Not Compliance)

Presently, companies that validate their state of compliance need to submit two things: a validation document (either a self-assessment questionnaire or a report on compliance) and an attestation of compliance (AOC) document. The AOC is nothing more than a memo that reiterates that organization’s commitment to following the payment-brand rules for protecting payment card data.

I think organizations that choose to opt out of compliance validation should still need to sign the Attestation of Compliance (AOC) to reaffirm their social contract and commitment to protecting payment card data. If they fail to achieve this within their allegedly super-robust security and risk program, then they deserve to undergo the same forensic review and financial implications that come to any other organization. If they instead succeed in protecting payment card data and are able to repel the wily hacker, then they should continue their reprieve from annual compliance validation (perhaps they can validate externally every 2 or 3 years).

The reason I suggest this is because, and here’s the kicker, you cannot tell the difference between a PCI compliant organization and one that has let security and compliance lapse until it experiences a data breach. Until that point, both organizations appear, from the outside, to be operating in the same manner. (Sure, you can tell the difference internally, but so far very few organizations that achieve compliance once organically maintain it year over year.)

But Wait – It Already Exists

The PCI Council has already rolled out the Internal Security Assessor (ISA) program, and MasterCard has begun listing this qualification as part of its validation program requirements:

“Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue to use internal auditors.”

(Ok, so Visa has not adopted the same stance, and companies that store, process, or transmit payment card data for both brands must adhere to the minimum standard for both, but still it’s a change. Also, the payment card brands’ validation guidelines are guidance for the acquiring banks, which have the ability to manage their validation programs on a case-by-case basis.)

This means that many organizations (there are exceptions) that wish to opt out of formal third-party validation can do so by leveraging their internal assessor team.

Conclusion

What we have is a directional movement towards what I will call selective deregulation. Step 1 is the PCI SSC ISA program. Step 2 is the Visa TIP program. What is the next step? The only way to know is to wait and see.

I’m not proposing that we do away with validation entirely, but instead that we move to a hybrid approach to validation that is based on risk, maturity, past performance, and future commitment. The market has spoken, and the Council and payment brands are already responding.

My suggestions for you?

If you fall into category 1, 2, or 4 above – prepare the following:

If you fall into category 3 above – investigate the following:


Changing Jobs – Growing – Learning

April 14th, 2011

As January of this year rolled around, I hadn’t planned on changing jobs, but I knew the year ahead would be interesting. During my tenure at Verizon Business I learned quite a bit and met many wonderful people. When I decided to join the company two years prior, I did so because of the people. One lesson I learned long ago is to rank a job by: (1) what I will be learning and (2) who I will be working with.

Tenure with Great People

The most wonderful thing about working for Verizon Business was working with the RISK Intelligence team, led by people like Wade Baker and Alex Hutton.  These gentlemen and their team are responsible for the famous Data Breach Investigations Report (DBIR) and the Verizon Enterprise Risk and Sharing (VERIS) risk modeling tool.  Many companies put out research reports but few focus so much on making their methodology transparent and unbiased.

One of my favorite projects from 2010 was working with the Verizon RISK team on the first annual Verizon PCI Compliance Report (PCIR).  It was hard work, and needed to happen alongside an already heavy work load, but it’s one of the most important projects I’ve worked on.  The reason why is that it analyzed reports and data over the two years prior – of actual assessments – and portrayed the results openly.  This year, Martin McKeay is taking over the PCIR and kicking it up a notch by providing even more ways of splicing the data.  I can’t wait to read it!

My eternal three items for improving the information security industry (in response to Josh Corman asking) have been:

  1. Education, education, education
  2. Flexibility of controls
  3. More data for risk modeling

It’s #3 that the RISK Team at Verizon is famously known for.  In fact, security researcher Anton Chuvakin recently referred to the DBIR as “a piece of juicy awesomeness that only comes once a year”.

It’s Good to have Options – but hard to Choose

I hadn’t planned on moving on but when a good opportunity came along for me to grow and learn, I had to take it.  I received a number of casual job offers during RSA 2011 week, during which Martin and I presented on PCI compliance in the Cloud and the entire Security B-Sides team had a successful BSidesSanFrancisco event.  Nothing was compelling enough to make the big switch.  Then came Square.

Thanks to Sam Quigley, I had the awesome opportunity to contract at Square, a mobile payments startup in San Francisco. Square is not just another startup, it’s a company that is going to revolutionize the payments and social landscape.  They make payments simple and elegant.  Check out the TechCrunch post/video of Jack Dorsey’s famous “bridge” speech as to why they will be the Apple of payments.

Why will Square succeed?  Because they are a company of people following their passion and have a community of customers who love them.

Although I love the company, and will pimp them every chance I get, I decided to take another path.  I still love the people I met at Square and the lessons I learned.  So here are a few of those lessons:

  1. Follow your passion, passionately.
  2. Everyone in the company is part of idea creation, but it’s the leader’s job to be the “editor” of these ideas.
  3. Ideas that are not used do not get discarded, they go “on the shelf” for later use or re-evaluation.
  4. Measure everything.  “If you cannot measure it, you cannot improve it” – Lord Kelvin
  5. Don’t fail fast; iterate fast.
  6. Know and tell your story well.

I cannot emphasize this last part enough.  Watch Jack Dorsey tell his story at Stanford.  He does so without slides or prompts.  He knows his passion and his direction and can articulate it easily.  How many of us can tell our story this well?

Knowing your story and being able to articulate it helps us live the direction we want to go instead of just zig-zagging through life.

Conclusion

Although Square is a great company and will change the world, I believe that my work there would not be as impactful as it would at another company.  I’ve decided to take a job as Director of Threat and Vulnerability Management (TVM) at PricewaterhouseCoopers (PwC).  Here I will be able to follow my passion and have an enormous impact.

My fundamental passion is empowering people to have a greater impact on the world around them.  At PwC, mentor programs are built into the DNA of the company and I’ll be able to help grow a team.  Much like I do with Security B-Sides, I’ll be able to leverage a team of people to be more than the sum of their parts.  I have some great plans for working in a leadership position at a multi-national and well-respected firm.

Much like at Verizon, at PwC I’ll be able to work with a smart team of professionals such as Gary Loveland and Mark Lobel who curate the PwC Global Information Security Survey.  I’ll be able to move beyond PCI compliance and focus on helping companies manage risk, however it makes the most sense for their company.

Most of all, we as a firm will leverage the talented and ambitious professionals that make up PwC.  I always thought that the Big4 sold products and services, but the reality is that their only service is their people.  I look forward to working with a group of talented professionals and helping them grow as a team.

When interviewing at PwC, I was asked a question I will never forget.  “Anyone can sell themselves.  How will you sell your team?” It’s true that you reach a point in your career when it’s simple to sell yourself, but the true measure of a leader is how well they grow, position, and market their entire team.

I look forward to the challenge and am excited to see what the future brings.


Camping on Mt Tam – April 2011

April 14th, 2011 No comments

I’m between jobs right now (purposefully) and looking to relax.  As other friends are away at the beach enjoying the sun, I decided to go camping for a weekend.  Mt. Tamalpais (Mt Tam) is a great place to walk among the historic redwoods and is the backyard of San Francisco.

The camping area is drive-in meaning you can bring as much as you want and not have to worry about over packing.  We kept it light with all our loyal REI supplies, especially my favorite which is the Quarter Dome 3 Plus tent.  It’s probably the best tent I’ve ever owned based on our criteria.  The “Plus” is not for us larger Americans but adds an additional 4 inches to the length of the tent, which really helps out for us tall people.

The first day we did a long hike, got lost, got found, and enjoyed a long day-hike in the woods.  One of the more interesting things we came across was this Newt Crossing sign.

I sometimes wonder what variety of signs exists out there.  My first thought was, “how will the drivers see them?”  Newts are rather small and even at 15 miles per hour I don’t see how a car driver could differentiate them from the concrete road.

Nonetheless it was fun to peek out from the trees into this road-side view of the ocean and historic Highway-1.  We drove home over Hwy-1 and remembered why it’s important to drive slow.  The road twists and turns around the edge of the hill in such a way that there is little to no distance between the edge of the road and the cliff.  It is here that the wrong turn does not result in your car crashing into a ditch but reaching terminal velocity before splashing into the ocean.

The newt crossing was just around the bend from, I-kid-you-not-on-the-name, Steep Ravine Environmental Campground.  We didn’t stay here but by the photos you can see this is the place to stay.

I should remind you that in addition to a beautiful landscape and picturesque views, this area is very windy and thus rather cold even during the day.

Ok, back to the woods.

The redwood trees are most widely known for their gigantic size.  If you have not seen these before it’s really something of awe to stand beside a tree that is not only over 1,000 years old but also wider than the length of your car.  There is no doubt these are the king of trees, but what you may not know is that they have almost a personality about them.

Redwoods tend to grow in groups or clusters.  This helps them leverage the shade each brings and secure a firmer base.  If a tree or tree-cluster is blocking the light of another tree it simply grows around them. I’ve seen trees growing diagonally and then, once they reach the light, straight up.

Hiking along Steep Ravine Trail you see many trees that exhibit an extreme resilience.  For example, this photo of me standing on a fallen redwood.  Although only about 25% of the root structure is still in the ground the branches of this tree are already sprouting into full-grown trees.

We saw another fallen tree where the branches had sprouted into even bigger individual trees.  All I could do was stop and think to myself how, even with only a partial root structure, the single fallen tree was supplying water to the entire set of new trees growing out of its branches.

I can’t help but stare in amazement.

I really enjoy camping on Mt Tam and will go back over and over.  A few friends have mentioned camping in Salt Lake City, UT which I would really enjoy.  Until then I’ll be camping in the beautiful backyard of San Francisco where there are plenty of new paths to hike and sights to see.  I hope you make it out this way and try some of the great camp grounds in the area.


Follow your passion, ignore the rest, and happiness will follow

April 4th, 2011 1 comment

A few days ago I posted a message to Facebook:

Learning & living to follow my passion, ignore the rest, and happiness will follow.

I know so many people who believe they will be happy when they get more money/status/recognition.  Happiness comes from the in-between, not the end goal.  You need to be happy doing what you believe in and to do that you need to follow your passion.

I’ve recently encountered some major changes in my life, and with these changes I’m trying to live by a new set of revised rules.  So I’ve collected for you two examples of people following their passion and getting so much more.

Jack Dorsey founding Twitter

This video is not only a great story but an example of how following your passion can lead to great success – when you pursue it greatly. Jack, co-founder of Twitter, tells his story about growing up in St. Louis and his passion for maps.  This passion for maps led to him later working for the largest dispatch software company in the US, wherein he found great pleasure in mapping out the status updates of police and emergency vehicles.  This passion for dispatch, maps, and status updates later led to him co-founding Twitter.  A similar passion led to him co-founding Square.

Most people think that great companies are formed by people sitting around thinking how they will take over the world with computers, but the reality is that they are formed by people following their passion.

Jack leaves us with the quote by Lynda Barry, “Expect the unexpected. And whenever possible BE the unexpected.”

LCD Soundsystem Gets Big

I’m a big fan of both music and The Economist so when I saw this article it struck a chord. It turns out LCD Soundsystem has a great story.

After three critically acclaimed albums and a decade on the road, James Murphy and his electro-rock band have decided to call it quits. Last night was the second of four warm-up shows for what they’ve promised is their grand finale: a headlining gig at New York’s Madison Square Garden.

James Murphy wasn’t always the renowned rocker he is today.  In fact years ago his life almost made a big change.  At age 22, Murphy was offered a job writing for the sitcom Seinfeld which was then little-known. He did not expect the show to be successful and chose to continue with music instead. He struggled for years as an artist as his friends ate at nicer-and-nicer restaurants and moved up the socio-economic ladder.

At an age on the cusp of no longer being able to make it as a rocker, he formed LCD Soundsystem and released the first big hit Losing My Edge, which brought him international acclaim.  He goes out on top playing at Madison Square Garden to a stadium of fans sad to see it end.

Following your passion is not always easy and does not always bring you great ending success, but I can promise you two things:

  1. Following your passion will keep you happy along the way
  2. Following your passion passionately will increase your likelihood of achieving success


You are Not a Beautiful and Unique Snowflake

April 4th, 2011 No comments

A friend recently asked me to help him solve a Payment Card Industry (PCI) riddle.  Here is a sanitized and rewritten stub:

A competitor of ours is listed on Visa’s PCI list of validated service providers, but we know that they are not compliant with one of the PCI DSS requirements.  We know this because we operate in the same business model and there is no way that they or we can do this one thing.  My assumption is that this is a case of a Qualified Security Assessor (QSA) missing the boat.  Is there any way that we could also get compliant?

To which I replied:

(1) You can always become compliant. (2) The details are not always what they may seem to you or your competitor. (3) Also, compliance validation is in part to do with the Acquiring Bank and or payment brand.

You seem to think you know everything there is to know about your competitor but in all likelihood you do not – nor are you a beautiful and unique snowflake that deserves special consideration.  Nuances unimportant to you may have a big impact on compliance. I’ve heard this argument before – if they do it why can’t we? The answer is because you know better.

Also, your competitor’s acquiring bank or validation entity may permit them to operate in a certain capacity based on factors unknown to you.  My advice is to talk to your acquiring bank or payment brand and ask them to work with you on a solution.  If you don’t want to do that it’s because you know the answer you will get and just don’t like it.

Alternatives

Of course there are workarounds.  My latest mantra of compliance has been to stop teaching people how to comply and instead to teach them how to develop a risk management program with compliance as a natural byproduct rather than an end goal.

To do this you need to know which rules you need to obey, which you can bend, and which you need to work around.  Here is a short list of workarounds.

  • Compensating controls
  • Segmentation: network, operational, physical, role based
  • Tokenization or data surrogacy
  • Scope reduction
  • Point-to-point encryption
  • Remove the data
  • Truncate or mask the data

The list goes on.


LEVERAGE the World around you in 2011

January 9th, 2011 2 comments

Today I’m switching gears to talk about something we all do but don’t often consider, LEVERAGE. This post explores ways in which we can leverage the world around us to maximize our strengths. The areas we can leverage include our job (delegation), our career (social networks), our business (cost centers to revenue centers), and many more. Many of these are examples of chaordic frameworks, but let’s expand on a few of these to better understand them.

Martin Fisher kindly invited me as a guest on his Southern Fried Security podcast. He stipulated that we talk about something other than PCI, which made me very happy since I’ve been looking for a venue to discuss some of my ideas for leveraging the world around you.

You’ve seen it done in the movie The Matrix where Neo bends the world around him to dodge and eventually stop bullets. Let’s see how you can warp and leverage the world around you to maximize your ability to succeed in several areas of your life.

Goal

Martin stipulated that we should focus on how “information security professionals (especially leaders) need to position themselves (e.g. subjects to learn/become more familiar with, conferences to attend, ideas/concepts to embrace) better for 2011.” Just like a life or career coach, let’s break this down into three categories to which we want to apply leverage:

  • Job – by leveraging delegation either assigning tasks to others or taking on tasks of others
  • Career – maintaining networks (social, physical, electronic) to help make you better (smarter, more employable, etc.)
  • Business – turning cost centers into revenue centers

LEVERAGE your JOB

Long ago I had a manager who believed you could delegate anything. I thought this strange because to me there are some things you can easily get done yourself but assigning them to others will take much longer. The problem with my old mindset is that you end up thinking you are the best person to perform 80% of tasks, thus taking up all your time and preventing you from leveraging the skills of others. Remember, delegating is not just about getting other people to do work; it’s about assigning tasks based on area of expertise or helping someone improve and expand their skill set.

Task #1 is to delegate to others tasks that can help them grow or maximize their skills to complete a project. Sometimes you won’t even know how a task will help someone grow until they complete it.

Task #2 is to time-share between those individuals who have taken on tasks and help them complete the task in a successful manner. Assigning and walking away is often worse than never assigning at all. For delegation to work you need to foster growth in those who are taking on the task and provide them the resources necessary to be a success. Sometimes these tools are connections, access to resources, providing experience, or building confidence in their own abilities. Sometimes these tools are timelines, deadlines, project management skills – whatever it is the individual needs to get things done.

LEVERAGE your CAREER

I landed my first job out of college via a job fair at the University. I landed my second job via Lee Kushner, a professional recruiter. Every job after that has been something I created myself or offered to me via my network of connections. Beyond the simple job search, leveraging your network of connections can be critical to almost every success you see in your personal career. When people talk about networks they may be discussing a wide range of topics including: social networks (twitter, facebook, linkedin); physical networks (co-workers, neighborhood friends, hackerspaces, meetups); or electronic networks (irc, email, phone calls). Everyone has a different way of leveraging these networks but we all do it – either to keep in touch with friends or build communities.

Task #1 to grow and farm your network is to make smart connections. You need to keep in touch. You need to help others build connections. Growing and farming a successful network is not about helping you get something out of it but helping your network get something out of being connected to you. It’s a strange thing in that regard that the most connected of us are not always the smartest individually, but they are able to connect you to a smart or capable person in the area of your interest.

One of my end-goals is to “connect smart people” and so every time I meet someone I think of someone else I can connect them to. Working on a Bay Area art project? Reach out to Chris Rusak. Interested in lock picking? Reach out to Deviant Ollam. Want to know about creative data exfiltration techniques? Reach out to Iftach Ian Amit. Social Engineering? Mike Murray and Jayson Street. Need a job and are a skilled professional? Lee Kushner. The list goes on and on. Photography, life coach, physics, startup company … you name it and I’ve got a person for you to connect with.

Task #2 (and here is the tricky one) is to leverage your network to create a bigger/better network. But why you ask? Isn’t it time to “harvest” the network? No, never, nada. The hard thing for people to wrap their heads around with networking is that the benefits to you are natural side effects not pre-planned end-goals.

Community growth is organic and as such so should be the way you leverage communities. For example, after starting Security B-Sides I thought we could leverage the 10-15 events to help solve the “big problems” facing the information security community. Although not a bad goal, the idea that I could direct the solving of these “big problems” was an incorrect assumption. Instead, I encourage companies to get involved in the community and organically solicit interested participants in helping them solve specific problems they are facing. This type of involvement helps complete the organic virtuous circle of helping the community help itself.

I said it best via twitter:

Every time I think tools are for making products someone reminds me that tools are made to build more tools.

LEVERAGE your BUSINESS

Few people other than the CEO and CFO within a company think about things such as “cost centers” vs “revenue centers.” For example, the sales and delivery departments may be revenue centers while the marketing and IT department may be cost centers. Companies need to stop accepting these as a way of life and begin to think of ways to turn cost centers into revenue centers.

Case Studies:

IBM realized long ago that their internal IT department was really good at providing one great company with IT services. If the IT department could do good things for one company why not let it do good things for many companies? IBM stopped thinking of IT as a cost center and turned it into IBM Professional Services and expanded the services offered to create an amazing organization.

Kaspersky Labs realized early on that marketing can be a cost center, but only if you let it. They created a separately branded news company, ThreatPost, that grew into an organization unto itself. Instead of hiring staffers to write all the articles they turned their marketing people into content farmers, connecting people who wanted to write about smart things with an audience of readers who wanted to learn. In doing so they maximized their staff’s abilities to create more than any one individual could. ThreatPost has since expanded from the US into Latin America with locally written articles in Spanish and Portuguese.

Goldcorp had a problem in that it didn’t know where next to mine for gold. Instead of keeping its geological data secret it opened it up to the community and offered a prize for whoever could come up with the best place to mine for gold. This was a big risk as no other companies were offering up their valuable geological data online for anyone, including their competitors, to access. The payoff was huge and direct in their monetary return.

Task #1 is to re-examine the parts of your company from marketing and HR to IT and supply-chain-management. Every part of your company that is a cost center may have the potential to be a revenue center. Start questioning why you do things the way you do. Why do we write our own marketing materials? Amazon has users write book reviews for them. Why do we pay people to solve problems? Many companies have developed APIs and allow others to write plug-ins to their software. Find ways of letting other people solve your problems for you.

Task #2 is to pick one thing you want to convert from a cost center to a revenue center and focus on it alone. Like a scientist trying to determine the key factor in an experiment, do not get overzealous and try to convert everything at once. Remember that you are learning and want to take it one step at a time. Find one thing to revolutionize and become very good at it. Wash, rinse, repeat.
