Chaordic Mind

As January of this year rolled around, I hadn’t planned on changing jobs but I knew the year ahead would be interesting.  During my tenure at Verizon Business I learned quite a bit and met many wonderful people.  When I decided to join the company two years prior I did so because of the people.  One lesson I learned long ago is to rank my job by: (1) what I will be learning and (2) who I will be working with.

Tenure with Great People

The most wonderful thing about working for Verizon Business was working with the RISK Intelligence team, led by people like Wade Baker and Alex Hutton.  These gentlemen and their team are responsible for the famous Data Breach Investigations Report (DBIR) and the Verizon Enterprise Risk and Sharing (VERIS) risk modeling tool.  Many companies put out research reports but few focus so much on making their methodology transparent and unbiased.

One of my favorite projects from 2010 was working with the Verizon RISK team on the first annual Verizon PCI Compliance Report (PCIR).  It was hard work, and needed to happen alongside an already heavy work load, but it’s one of the most important projects I’ve worked on.  The reason why is that it analyzed reports and data over the two years prior – of actual assessments – and portrayed the results openly.  This year, Martin McKeay is taking over the PCIR and kicking it up a notch by providing even more ways of splicing the data.  I can’t wait to read it!

My eternal three items for improving the information security industry (in response to Josh Corman asking) have been:

1. Education, education, education
2. Flexibility of controls
3. More data for risk modeling

It’s the #3 that the RISK Team at Verizon is famously known for.  In fact, security researcher, Anton Chuvakin recently referred to the DBIR as “a piece of juicy awesomeness that only comes once a year”.

It’s Good to have Options – but hard to Choose

I hadn’t planned on moving on but when a good opportunity came along for me to grow and learn, I had to take it.  I received a number of casual job offers during RSA 2011 week, during which Martin and I presented on PCI compliance in the Cloud and the entire Security B-Sides team had a successful BSidesSanFrancisco event.  Nothing was compelling enough to make the big switch.  Then came Square.

Thanks to Sam Quigley, I had the awesome opportunity to contract at Square, a mobile payments startup in San Francisco. Square is not just another startup, it’s a company that is going to revolutionize the payments and social landscape.  They make payments simple and elegant.  Check out the TechCrunch post/video of Jack Dorsey’s famous “bridge” speech as to why they will be the Apple of payments.

Why will Square succeed?  Because they are a company of people following their passion and have a community of customers who love them.

Although I love the company, and will pimp them every chance I get, I decided to take another path.  I still love the people I met at Square and the lessons I learned.  So here are a few of those lessons:

1. Follow your passion, passionately.
2. Everyone in the company is part of idea creation, but it’s the leader’s job to be the “editor” of these ideas.
3. Ideas that are not used do not get discarded, they go “on the shelf” for later use or re-evaluation.
4. Measure everything.  ”If you cannot measure it, you cannot improve it” – Lord Kelvin
5. Don’t fail fast; iterate fast.
6. Know and tell your story well.

I cannot emphasize this last part enough.  Watch Jack Dorsey tell his story at Stanford.  He does so without slides or prompts.  He knows his passion and his direction and can articulate it easily.  How many of us can tell our story this well?

Knowing your story and being able to articulate it helps us live the direction we want to go instead of just zig-zagging through life.

Conclusion

Although Square is a great company and will change the world, I believe that my work there would not be as impactful as it would at another company.  I’ve decided to take a job as Director of Threat and Vulnerability Management (TVM) at PricewaterhouseCoopers (PwC).  Here I will be able to follow my passion and have an enormous impact.

My fundamental passion is empowering people to have a greater impact on the world around them.  At PwC, mentor programs are built into the DNA of the company and I’ll be able to help grow a team.  Much like I do with Security B-Sides, I’ll be able to leverage a team of people to be more than the sum of their parts.  I have some great plans for working in a leadership position at a multi-national and well-respected firm.

Much like at Verizon, at PwC I’ll be able to work with a smart team of professionals such as Gary Loveland and Mark Lobel who curate the PwC Global Information Security Survey.  I’ll be able to move beyond PCI compliance and focus on helping companies manage risk, however it makes the most sense for their company.

Most of all, we as a firm will leverage the talented and ambitious professionals that make up PwC.  I always thought that the Big4 sold products and services, but the reality is that their only service is their people.  I look forward to working with a group of talented professionals and helping them grow as a team.

When interviewing at PwC, I was asked a question I will never forget.  “Anyone can sell themselves.  How will you sell your team?” It’s true that you reach a point in your career when it’s simple to sell yourself, but the true measure of a leader is how well they grow, position, and market their entire team.

I look forward to the challenge and am excited to see what the future brings.

Although you may know me more for my musings on traffic theory and becoming immortal, this post focuses on the increasing ease of exchanging money within our daily lives.

In the Beginning

You see, in the beginning was the bank and the bank stored all the gold.  Accessing the gold required going to the bank and withdrawing it for use in the market place.  As new modes of communication evolved the methods of exchanging money became easier and easier.  You now have ATMs replacing banks for dispensing cash, e-commerce replacing brick-and-morter, and PayPal replacing Western Union.  (Ok, so perhaps replaced is a strong term, instead these services supplemented the older forms of exchanging funds.)

Throughout time one thing that held true was the relationship between the merchant and the consumer.  The merchant was typically a company and the consumer an individual.  Common area market places such as eBay helped break down the walls and enabled individuals to sell items to other individuals, but still these required a virtual store front.

New Merchant Class

The term merchant is slowly being democratized in the open market place as individuals accept and exchange digital funds through fluid, simple, and inexpensive methods.  There are a number of factors that influence this new merchant class, so let’s go into a few.

1. Increasing number of Payment Service Providers: The affect of Web 2.0 and social media applications have catalyzed the marketplace for new methods of exchanging money in both a virtual environment (Facebook, Second Life, Zynga) and via emerging payment methods (Spreedly, PayPal PayFlowPro, iPhone applications).  The lines between the individual and the merchant are blurring to the point that exchanging funds can be done more fluidly than ever before.
2. Increasing number of payment integrators: With this increase in the number of payment service providers comes a wave of new businesses that aim to support the new merchant population.  With new merchants come new point of sale third parties who wish to sell them services and support.  More and more service providers are appearing with an ever greater list of services they are offering to the new merchant class.  Each of these new services providers may act as a vector or path through which an attacker can access payment data.
3. Becoming a merchant is easier than ever: In addition to the new methods of accepting payments, merchants can go mobile faster than ever.  Instead of accepting cash only at the local farmers market, the new merchant class will gladly accept major payment cards via their Square or VeriFone PAYware enabled iPhone.  This level of service, once reserved for more established merchants, is now being disseminated into the hands of the masses.
4. Chip and PIN increasing: Chip and PIN or EMV has seen great successes in reducing card present fraud in Europe and Asia.  This technology recently jumped-the-pond and was adopted for implementation in Canada.  It’s only a matter of time before merchants in the US begin to see Chip and PIN technology rolled out to their personal cards and then to their retail locations.
5. Cost cutting is key: Previous approaches to compliance were via the mass adoption of security technology.  These days merchants are more cost conscious and agile in their approach towards compliance and security.  The new merchant class calls for reduced costs through new technology such as point-to-point encryption and “tokenization”.  They are happy to exchange the flexible use of payment data for the security and cost savings of scope reduction.  They are looking for overlapping regulatory controls to kill multiple birds with one stone.  They don’t want point solutions but instead comprehensive approaches towards security.  They want strategy, flexibility, and mobility instead of “solutions”.
6. Training and education needed: In order to achieve these goals: adopt new technology, reduce scope, and leverage internal employees there is a great demand for education and how they can achieve all this.  The need is stronger than ever for an educated merchant class who understand the tradeoffs and can make strategic decisions that balance not just compliance but also business directions.

Future of Electronic Money

Today we see the break down from traditional models and democratization of technology that equips and enables mobile merchants.  Taking this to its natural evolution we will next see the seamless move towards person-to-person transactions where exchanging money is as simple as taping your mobile phone against that of another.

• Want to split the dinner bill five ways? Put all your cell phones back to back and shake them in unison and the bill plus tip is split five ways and paid!
  
• Do you owe your friend $10? Pay them via email!

The barriers of exchanging proverbial gold are dissolving and those that enable this new future will be the ones who survive and rise to the top.