Information Security vs Privacy

Information Security vs Privacy, are the Lines Blurring?

My original title was “Data Security vs Data Protection[…]”, but an unfortunate number of people see these as pretty much the same thing, even interchangeable. Then I chose Cybersecurity instead of Data Security but that doesn’t cover all forms/formats of personal data, so I finally had to settle on Information Security.

As for Data Protection, it’s not, in and of itself Privacy, and so on…

But you see the problem already? If we can’t even agree on common terminology, how are we expected to ask the right people the right questions in order to solve our problems? But I digress…

For the purposes of this blog I have chosen the following definitions of ‘Information Security’ and ‘Privacy’: Continue reading

Make Money from GDPR

How to Make Lots of Money From GDPR

If you’re reading this, you likely fall into 1 of 3 camps:

  1. You are horrified at the concept and can’t wait to tear me a new one;
  2. You actually think I may be able to help you make lot of money; or
  3. You know me and realise that the title is nothing but click-bait

If 1., then good for you, I would do the same. If 2., then you’ve come to the wrong place unless you’re prepared to put in significant effort. If 3., then you’re right! 🙂

However, the fact is that there is a lot of money to be made in GDPR, but you only deserve it if you are providing true, long-term, benefit to your clients. Otherwise, kindly stay away. This goes for consultants and product vendors alike; do business with integrity, there’s simply no need to exploit those less knowledgeable. Unfortunately, the vast majority of people with whom I come into contact still haven’t even read it, leaving the door wide open for those intent on exploitation.

So where is this money I’m talking about? Where is it all going to come from? Simple, almost every organisation doing business in, and with the EU will have to make adjustments of some sort.  Some more than others if you’re following the whole Facebook scenario. There are some that think by ‘hiding’ the data overseas that they have avoided the issue, but these people are naive in the extreme.

Continue reading

Breach Vultures

To All the Breach Vultures: Better Get Your OWN House In Order!

[WARNING: Contains bad language.]

The 3 things I hate most about my chosen field of cybersecurity are, in no particular order:

  1. The proliferation of ‘silver bullet‘ / end-point protection technologies – when security is primarily concerned with people and process;
    o
  2. Security organisations using either F.U.D or regulatory compliance to make money without providing real benefit – with GDPR for example; and
    o
  3. Security ‘professionals’ who bad-mouth other security professionals at the lowest point in their careers – against Susan Mauldin for example.

In 4.5 years and close to 300 blogs I have never used the following words. But for those guilty of 3.;

Fuck you!

Seriously, how dare you!? Especially those who actually had the nerve to say Susan wasn’t qualified because she had a music degree and no other security related qualifications on her LinkedIn profile. Like certifications or even a degree are accurate representations of either a person’s skill-set, or their competence. I have no security relevant degrees, and my certifications were collected by reading a book and passing a pathetic multiple-choice test, but I will happily match my ABILITIES against anyone who does what I do.

More to the point, unless you actually work(ed) for the company that was just breached, you have no idea of what caused the breach in the first place. Yes, you can point to unpatched devices, and a host of other vulnerabilities POST-forensics, but you have NO idea of the business pressures the IS/IT teams were under. And if you think that should not matter, you’re not a true security professional.

I am in no way defending organisations that egregiously ignore security good practices just to increase profit. Nor am I defending the truly incompetent. But unless you have irrefutable evidence that either was the case, keep your opinions and reproaches to yourself. There is no such thing as 100% security, and there is no such thing as unlimited resources. The best you can ever hope for is that you have enough.

In security, a bad guy only has to be right once, security professionals have to be right ALL the time. Eventually we ALL make mistakes. Most of us are lucky, and our mistakes lead to nothing more than a minor event, but for some, the mistakes are career ending. Too often this is not because the people involved actually WERE incompetent, but because of the pressure to resign from the jerks who somehow think they are better. That the breach would not have happened under their watch.

Have you noticed though, that the people who are most critical and vitriolic tend to be mid-level no-bodies who will likely never make to the CISO level?

Do these people actually think that by taking cheap shots at the less fortunate that decent people won’t hate them for it. That Equifax and the other breach victims will suddenly reach out to them for help? That someone who has nothing better to do than kick someone while they’re down is just the kind of person they want on their team?

Let me ask you this: When was the last time you saw someone getting berated by his/her team for missing a penalty / field goal / you name it? You probably can’t remember, and why? BECAUSE THEY ARE ON THE SAME FUCKING TEAM!!

There are only 2 sides to cybersecurity; the good guys and the bad guys. Choose which side you’re on and stop being part of the problem.

[If you liked this article, please share! Want more like it, subscribe!]

Certifications

Can Your Career Outgrow Your Cybersecurity Certifications?

In Security Certifications Are Just the Beginning, I tried to explain that collecting cybersecurity certifications at the beginning of your career actually makes sense. However, it’s always your experience that will eventually be the difference between success and mediocrity.

Then, in So You Want to be a Cybersecurity Professional?, I qualified that even at the start of a career, certifications are only a small part of what you need to make a positive impact. Once again, it’s only the experience you gain by doing the work that gets you where you want to be. There are no shortcuts, especially on the ‘technology track’.

I have very recently had reason to reflect on the other end of the career spectrum. Not at the end of a career obviously, but at its height. Are the ubiquitous CISSPs, CISAs, CRISCs and so on certifications of the cybersecurity world actually worth it? Do they add anything significant. Can your career actually outgrow any use you may have had for them?

My current reflection actually germinated a few years ago when I spent an inordinate amount of time ‘collecting’ my Continuing Professional Education (CPE) hours. I spent way too long going over my calendar, email, and other sources to gather this information just to enter it FOUR times; one for each certification. I think I’ve done this every year for the past 4.

Now I’m being audited by a certification body. While I fully accept the reason for this, it means I not only have to gather another year’s worth of CPEs, I now  have to dig out a load of ADDITIONAL information for the previous year’s entries!

Given the nature of my business, I simply don’t have the time. More fairly, I took a serious look at the benefits I get from these certification and have now chosen not to MAKE the time. Basically, there are no benefits that I can see. At least there are no benefits that outweigh a day or more of my billable time.

Benefits need to be tangible to the self-employed. My employer is not paying for me to maintain these certs, this is out of my pocket.  So from my perspective, if you contact me regarding a contract of some sort, and request a list of my generic cybersecurity certifications, I can only assume one or more of the following;

  1. You are a recruiter trying to match acronyms to a job description;
    o
  2. You are a company looking for a cybersecurity expert but have no idea of the right questions to ask; and/or
    o
  3. You have no idea who I am (no arrogance here, cybersecurity is still a surprisingly small community).

In theory, you should aim to be immune to all of the above. If your CV/resume, LinkedIn profile, and/or reputation etc. speak for themselves, it’s your previous accomplishments that will set you apart. If you are still relying on certifications to get you in the door, then there’s a very good chance you should be focusing more on personal PR than studying for your next acronym.

For example, I have been in business for myself for 4 years and still have no website or sales function. The contacts that I have made over the course of my career keep me fully occupied. That suggests to me that the cybersecurity community in general means a hell of a lot more than any association. My peers help me every day.

This is something you have to earn. Not by being liked [thank God], but by being a genuine ‘practitioner’. Certifications can never give you this credibility.

But, I am NOT saying every certification can be replaced, some you have to have to perform a function (like ISO 27001 LA). It’s the ones you get from just reading a book, or receive for free as long you pay the annual fee (I was literally given CRISC for example). Do I really need to maintain a cert that I didn’t even earn?

In their defence, there is a lot more to these certification bodies than just the acronyms, and I have never taken advantage of these extracurriculars. Once again, I am just not prepared to make the time when I have clients paying for my time.

If only the CPEs could be earned by doing your job! Every new client, every new scenario, every new regulation you learn ON the job should absolutely count. I spend at least 3 hours a week writing this blog, but none of that time counts either.

Who knows, maybe this is a terrible mistake, but it’s with a certain sense of relief that I’m letting my certifications die.

[If you liked this article, please share! Want more like it, subscribe!]

Recruiter

How to be a GREAT Cybersecurity Recruiter

To be clear, I am not, nor have I ever been a cybersecurity recruiter. I’m not even saying I have what it takes to be one. What I’m saying is that, like cybersecurity itself, being a recruiter is very simple. Bloody difficult, but simple nonetheless. What’s more, cybersecurity recruiting is also about People, Process, and Technology. Always in that order, and luckily the only technology you need to be a great recruiter is a phone and a laptop.

So while I cannot talk directly about the challenges faced by recruiters, I have however been on the other side of the process as both a candidate and a hiring manager. I can say that in almost 20 years I have yet to meet a recruiter for whom I would go out my way to recommend. Not one. In 20  years.

Not. One. *

So if you are a recruiter who has engaged with me in the past, yes, this applies to you, without exception. If you want to know why, read on, and then be honest with yourself. Did you really provide the kind of service I describe below? Do you now?

The most frequent piece of advice I give anyone new to cybersecurity is to take your ego out the equation. That may sound odd coming from me, but even though I know a lot more than my clients about cybersecurity, it’s not about me. Of course I know more than my clients, that’s why they hired me! It’s about using my knowledge for the client’s benefit, not for appreciation, and certainly not for money. Both of those things should take care of themselves if I did my job correctly.

Again, this is no different from what you should be doing as a recruiter.

As a recruiter you have not one client, but 2, regardless of whom you represent; the candidate, and the hiring company. While this makes your task twice as difficult as mine, what you do is no more complicated. Like it or not, you are in the service industry, and neither the candidate nor end customer care what you want. But if that’s all you care about, you will rightly fail. Harsh, yes, but you chose this career.

Anyway, here’s my advice for what it’s worth.

How to be a Great Recruiter.

  1. Know what the hell you’re talking about – No, you don’t have to be an expert in cybersecurity, but there’s a very good chance the hiring company isn’t either. They will ask the wrong questions, it’s your job to give them what they need, not what they asked for. If you’re representing a person, you need to know their skill-set enough to determine a good fit. This means you have know what cybersecurity actually is, and no, not just the buzz-words and acronyms.
    o
  2. Know what the candidate wants – You have a responsibility to your candidates to help grow their career. This is their livelihood, and they trust that the power you have over their success is not misplaced. If all you care about is getting them off your plate and on to the next candidate, you are betraying their trust. If you don’t see your candidates as lifelong relationships, why are you doing this? Go sell used cars instead.
    o
  3. Send CVs that have been PROPERLY vetted – It’s tempting to scattershot all of your ‘cybersecurity expert’ CVs at every cybersecurity related job opening in the hope one sticks. Don’t. Do you homework, and if you don’t have someone that fits, pass. As a hiring manager I dismissed recruiters that consistently wasted my time. Earn the right of first refusal by being totally candid, that’s the most you can ask for with the amount of competition out there.
    o
  4. Provide unvarnished feedback – No matter how bad the feedback, pass it on completely unvarnished. If you don’t have the courage to do that, at least provide SOME feedback. I’ve lost count of the number of times a recruiter was all over me while I was still a viable candidate, then completely disappeared when it fell through. Obviously I didn’t get the job, which was bad enough, but for me to have to work that out by myself over the course of the next few weeks is unconscionable. While you may not be able to help your candidate from screwing up the next time, you’ll at least have a candidate who’ll talk to you again.
    o
  5. STAY in touch – Careers in cybersecurity can change on a dime, if you don’t maintain a relationship with your candidates you will become worthless. I’m not saying call every day, but is once a month too much to ask for a 30 minute catch-up? If it is, again, why are you doing this, you’re supposed to actually like people. Besides, if I trust you, who do you think is going to get all of my referrals?
    o
  6. Be pro-active – As a recruiter, you have unparalleled access to the demands of the market. What possible reason could you have for not feeding that back to your candidates? By steering them into fields of high demand you are helping both them, and yourselves.
    o
  7. Love what you do – No-one wants to work with someone who could not care less about what they do. Love it, or get out.

Recruiters in every field have a horrible time fighting against their negative image. An image they have earned as a profession from being so filled with dross. Unfortunately cybersecurity is getting that way thanks to ambulance chasing vendors. Now combine the two; cybersecurity recruiter. The odds are against you, but it strikes me that anyone encompassing the above would be a beacon in an otherwise dismal landscape.

For those who have the temerity to ask for exclusive deals up front, try earning it instead. Given the state of recruiting these days it should not be that difficult.

Finally, at the end of my blog; Cybersecurity Recruiters, The Gauntlet Is Thrown! I stated my ultimate purpose was to find the great recruiters I know are out there.

I’m still looking.

[If you liked this article, please share! Want more like it, subscribe!]

I have in fact met one since, but they quit! 🙂