Posts Tagged ‘Security B-Sides’

Changing Jobs – Growing – Learning

April 14th, 2011

As January of this year rolled around, I hadn’t planned on changing jobs but I knew the year ahead would be interesting.  During my tenure at Verizon Business I learned quite a bit and met many wonderful people.  When I decided to join the company two years prior I did so because of the people.  One lesson I learned long ago is to rank my job by: (1) what I will be learning and (2) who I will be working with.

Tenure with Great People

The most wonderful thing about working for Verizon Business was working with the RISK Intelligence team, led by people like Wade Baker and Alex Hutton.  These gentlemen and their team are responsible for the famous Data Breach Investigations Report (DBIR) and the Verizon Enterprise Risk and Sharing (VERIS) risk modeling tool.  Many companies put out research reports but few focus so much on making their methodology transparent and unbiased.

One of my favorite projects from 2010 was working with the Verizon RISK team on the first annual Verizon PCI Compliance Report (PCIR).  It was hard work, and needed to happen alongside an already heavy workload, but it’s one of the most important projects I’ve worked on.  The reason why is that it analyzed reports and data from the two years prior – from actual assessments – and portrayed the results openly.  This year, Martin McKeay is taking over the PCIR and kicking it up a notch by providing even more ways of slicing the data.  I can’t wait to read it!

My eternal three items for improving the information security industry (in response to Josh Corman asking) have been:

  1. Education, education, education
  2. Flexibility of controls
  3. More data for risk modeling

It’s #3 that the RISK Team at Verizon is famously known for.  In fact, security researcher Anton Chuvakin recently referred to the DBIR as “a piece of juicy awesomeness that only comes once a year”.

It’s Good to have Options – but hard to Choose

I hadn’t planned on moving on but when a good opportunity came along for me to grow and learn, I had to take it.  I received a number of casual job offers during RSA 2011 week, during which Martin and I presented on PCI compliance in the Cloud and the entire Security B-Sides team had a successful BSidesSanFrancisco event.  Nothing was compelling enough to make the big switch.  Then came Square.

Thanks to Sam Quigley, I had the awesome opportunity to contract at Square, a mobile payments startup in San Francisco. Square is not just another startup, it’s a company that is going to revolutionize the payments and social landscape.  They make payments simple and elegant.  Check out the TechCrunch post/video of Jack Dorsey’s famous “bridge” speech as to why they will be the Apple of payments.

Why will Square succeed?  Because they are a company of people following their passion and have a community of customers who love them.

Although I love the company, and will pimp them every chance I get, I decided to take another path.  I still love the people I met at Square and the lessons I learned.  So here are a few of those lessons:

  1. Follow your passion, passionately.
  2. Everyone in the company is part of idea creation, but it’s the leader’s job to be the “editor” of these ideas.
  3. Ideas that are not used do not get discarded, they go “on the shelf” for later use or re-evaluation.
  4. Measure everything.  “If you cannot measure it, you cannot improve it” – Lord Kelvin
  5. Don’t fail fast; iterate fast.
  6. Know and tell your story well.

I cannot emphasize this last part enough.  Watch Jack Dorsey tell his story at Stanford.  He does so without slides or prompts.  He knows his passion and his direction and can articulate it easily.  How many of us can tell our story this well?

Knowing your story and being able to articulate it helps us live the direction we want to go instead of just zig-zagging through life.

Conclusion

Although Square is a great company and will change the world, I believe that my work there would not be as impactful as it would at another company.  I’ve decided to take a job as Director of Threat and Vulnerability Management (TVM) at PricewaterhouseCoopers (PwC).  Here I will be able to follow my passion and have an enormous impact.

My fundamental passion is empowering people to have a greater impact on the world around them.  At PwC, mentor programs are built into the DNA of the company and I’ll be able to help grow a team.  Much like I do with Security B-Sides, I’ll be able to leverage a team of people to be more than the sum of their parts.  I have some great plans for working in a leadership position at a multi-national and well-respected firm.

Much like at Verizon, at PwC I’ll be able to work with a smart team of professionals such as Gary Loveland and Mark Lobel who curate the PwC Global Information Security Survey.  I’ll be able to move beyond PCI compliance and focus on helping companies manage risk, however it makes the most sense for their company.

Most of all, we as a firm will leverage the talented and ambitious professionals that make up PwC.  I always thought that the Big4 sold products and services, but the reality is that their only service is their people.  I look forward to working with a group of talented professionals and helping them grow as a team.

When interviewing at PwC, I was asked a question I will never forget.  “Anyone can sell themselves.  How will you sell your team?” It’s true that you reach a point in your career when it’s simple to sell yourself, but the true measure of a leader is how well they grow, position, and market their entire team.

I look forward to the challenge and am excited to see what the future brings.



Raising money for the Electronic Frontier Foundation (EFF)

September 26th, 2010

As you might know, I love Security B-Sides.  One of the many benefits of participating in BSides has been the fact that, not only is it a free event, but it raises money for charities – primarily the Electronic Frontier Foundation (EFF).  The short story is that the EFF defends the digital rights of those who could not otherwise defend them.  They are the ACLU of the digital frontier.  I respect their work greatly and feel safe knowing that they will be there for me one day if the need arises.

Individually, I can only donate so much, but by leveraging a platform built on individuals we can do so much more.  That is what I love about communities.  You can accomplish more than any one individual, and (properly driven) chaordic communities can do (measurably) more than any structured group.

In addition to money raised from the BSides events, there are speaking events that I do for which I’m precluded from monetary compensation by my employer.  No worries, I just ask that they donate the money to the EFF.  Win!

Here’s a short accounting of the monies I’ve helped raise for the EFF.

  • Security B-Sides SanFrancisco 2010 ($1,000)
  • Security B-Sides LasVegas 2010 ($2,893)
  • Unnamed speaking event ($250)
  • Unnamed speaking event ($1,000)
  • PCI #HugItOut with @JoshCorman @McKeay @RealGeneKim ($1,000) and matching funds for Hackers for Charity ($1,000)

Folks, we are getting close to raising $6,143 for the EFF in one year.  Considering the average donation might be $100/year this is over 61 years worth of donations.  (Ok, so the math is strange, but it’s my math.)

In addition to this, Security B-Sides and the EFF have a semi-strategic relationship to cross-support each other.  We will help individuals raise money for the EFF at their BSides event (if they wish), and the EFF will help promote and publicize events that do so.  Win-win.


Why Security B-Sides?

December 7th, 2009

One of my favorite rules to live by is that “nothing is impossible, the impossible just takes longer.”  This is a short story about how the underdogs leveraged their collective to create something much greater than the sum of their individual parts.  Security B-Sides was born out of a realization that all physical events are bound by two of the most rigid rules there are: those of space and time.

No, we are not talking about physics but the simple fact that, regardless of the number of smart people in the world, all physical events will only have enough physical room for X number of people across Y amount of time.  For many conferences this means physical walls constraining the number of presenters and attendees across a time period of a few days.  Thus a problem arises: the scarcity of those limited seats increases in proportion to the interest in them.

The Internet is a natural solution with sites like BrightTALK hosting virtual conferences.  Online you are not limited by space and time with every piece of information now accessible any time of day to (virtually) anyone on the planet.  Don’t get me wrong, I’m a huge advocate of social networking but I equally believe that in the absence of physical networking the online social world is little more than high-speed news flashes.  The ghost of the machine is the physical flesh and bone behind them.

Why Security B-Sides?

Security B-Sides is the first do-it-yourself (DIY), grass-roots, open security conference in the world.  B-Sides does to physical events what the Internet did to TV and radio — it expands the spectrum of conversation and gives voice to those further down the long tail.  These events are by security professionals and for security professionals.  It works like this:

  1. Not many people have the experience to organize and host a conference.  In addition most events cost money and lots of it.
  2. Oh sure, we could do it all for you but where would the fun be in that?
  3. Instead of creating an event, we’ve created the infrastructure, tools, and documents, basically a conference-in-a-box.  We are lowering the barrier to entry for anyone to create their own local event.
  4. And let’s make it free, open to everyone, and publish all the details about how we did it online.

Yeah, that sounds a whole lot better.  Sounds easy huh?  Only by working together can we make the impossible easy.  Only through collaborative, chaordic design do we find order in chaos.  I greatly appreciate the following quote by Dee Hock, Founder and Chairman Emeritus, Visa Inc.

“It is no failure to fall short of realizing all that we might dream.  The failure is to fall short of dreaming all that we might realize.”

Birth of a New Machine

I believe that small unconferences are the natural expansion of all events and have been for quite some time.  After the exclusive FOO Camp (Friends Of O’Reilly), a small collective used PBWorks to launch the Barcamp movement.  These small, 1-day events expand the level of physical interaction.  They are not stuffy sales pitches; they are typically driven entirely by the geeks who love them.

It is by volunteers alone that these events occur, as people come together to create a day-long shrine to knowledge and innovation.  Most recently ZACon, in South Africa, launched with a great volume of speakers.  Most of the speakers and attendees helped organize the event in one way or another.  They published video recordings of all the talks, along with their presentation materials, online for free.

The geeks rise again as BSidesBay launches next Saturday (12/12) at HackerDojo in Mountain View, CA.  This event is a tribute to the DIY culture that exists in Silicon Valley and around the world.  Here’s how it works:

  • How do I register? Add yourself to the list.
  • How do I suggest topics? Add them to the list.
  • What materials will be discussed? Check the list and bring your own ideas to share.
  • Can I get a list of attendees? For sure, it’s all open and online.
  • Will my friends be there? Only if you bring them or they forget to bring you.

Can events like this really work?  They can and do work very well.  Check it out and let us know what you think.

This is only the first of many Security B-Sides events.  Check out the main page and follow information via Twitter or the mailing list (low volume).
