Category Archives: Professional Development

AoIS Interviews Heather Deem, Part 2

Welcome to the second part of Art of Information Security’s interview with seasoned Information Security marketer Heather Deem (part 1 link). In the first part Heather discussed the importance of having reasonable time and resource expectations. In this part we will start off by discussing some low cost marketing techniques.

Erik: Are there any ‘free’ (but effective) marketing activities that organizations can pursue?

Heather:  All Marketing activities have some cost in terms of development or execution time, however, the following activities can be considered “free” or low cost:

Webinars: If the company has an internal content expert available to develop and deliver educational presentations (industry or technology focused, not vendor specific content), and if the company has an enterprise-level web conferencing subscription, the marketing team can host webinars for relatively free.  Partnering with channel partners for joint promotions can also help both companies educate and propel their prospects through the sales cycle.

By-lined or contributed articles: Developing industry-relevant articles for trade journals can be another relatively low cost activity to gain credibility and exposure.  Similar to webinars, this requires an internal content expert to develop the article and either internal PR or an agency to pitch stories to the media.

Erik: What have been some of the biggest misconceptions about marketing that you have experienced in your work with start-ups and growth companies?

Heather:  Two misconceptions spring to mind: the value of producing quality marketing materials, and the time and resources required to roll-out a program that has real impact.

I’ve seen companies who don’t hesitate to spend thousands of dollars to attend a tradeshow or who don’t bat an eye at an egregious entertainment bill submitted by sales, yet they balk or refuse to invest in a graphic designer to create a polished looking datasheet or direct mail piece, or refuse to spend time and money on developing the proper marketing materials for moving prospects and customers through the sales cycle.

The second misconception surrounds the required level of strategy, planning and resources required for successful marketing programs. Some executives underestimate the time required to plan a marketing program or what is required for execution in terms of personnel time, media lead time, engineering contribution to whitepapers, etc.

To develop truly integrated and impactful marketing programs, the marketing team needs to work through and understand the challenges faced by the sales team, the needs of the target market and align these key inputs to develop the appropriate campaigns to support the marketing goals.  Prior to executing these campaigns, companies typically need to develop new or update existing marketing materials to support these campaigns. The entire process can take a month or more.

Erik: So, how can organizations promote marketing and messaging into the culture so that everyone is involved?

Heather:  Establishing clear and effective marketing messaging and materials is the first step.  This includes both internal and external websites, datasheets and presentation content. For example, develop a concise positioning and messaging document for sales, channel partners and other company staff. 

I would also encourage the Marketing team to take advantage of all-hands meetings and either monthly or quarterly internal email updates to educate personnel on the latest marketing activities and messaging development. 

Marketing or corporate executives should also address any marketing challenges that surface and instruct employees on how to respond publically.  For example, if a known competitor is using under-handed sales tactics such as falsifying information about your company or product, executives should clearly indicate how sales and marketing is addressing the issue and reinforce that the corporate communication policy does not condone negative messaging or competitive bashing in retaliation.  Similarly, if a company is dealing with a sensitive press issue, employees should be educated on the appropriate public response. Even if they are not considered company spokespersons, they need to be educated on what or what not to say.

Erik: What do organizations need to do, to determine if their marketing is effective?

Heather:  The two exercises I would recommend are: mapping the marketing programs to the marketing goals for post-program evaluation and soliciting frequent feedback from analysts, customers and channel partners.

Prior to each marketing campaign, map the marketing goals to the campaign or activity and measure the actual results post-program.  This will typically require a pre-defined lead follow-up plan and collaboration between sales and marketing.  Metrics to include may be Cost per Lead, Response Rates, Website Hits, Lead Quality, Opportunities Developed, Opportunities Closed, etc.  Of course these efforts will only be as good as the level of accountability required of both marketing and sales to input and maintain prospect and customer data throughout the sales cycle.

Measuring the effectiveness of messaging and marketing materials can be achieved through feedback from the sales team, prospects/customers, channel partners, and analyst feedback.  It is very important to reach out to all of these audiences to gain a fresh perspective on your messaging and content from time to time.  If possible, try to incorporate feedback from each of these groups, since each group brings a unique perspective.

Erik: Heather, you have worked with a number of start-ups. How early in the genesis of a new organization should a marketing plan be developed? 

Heather:   Even if a start-up doesn’t have a dedicated marketing budget, a marketing strategy and plan should be developed before any customer facing activities are initiated.  If hiring a marketing professional (either employee or consultant) is not an option, then this effort can be lead by one of the executives.  The key is to develop a baseline strategy covering product pricing, positioning, messaging and the go-to-market strategy.  Even a rudimentary go-to-market strategy will serve as a foundation for guiding sales and developing marketing materials.  As the company goes to market and gains additional intelligence on customers and competitors and as product enhancements are rolled out, this strategy should be reassessed and revised.

In addition to the marketing strategy, an initial marketing plan should be developed.  While a marketing budget may not be established, you still need to devise a plan for the development of marketing materials such as the website, collateral (datasheets, solution overviews, technical manuals), presentations, whitepapers, demos, product packaging.  Factoring in public relations efforts, such as the development, the out-reach and the response to media and analyst relations should also be considered, even if the company is not planning a formal PR program.

Thought should also be given to how prospect and customer data will be managed.  Even if the company has yet to deploy a CRM system, it is important to plan an efficient process on how this data is maintained, how leads and customers are managed and how this data can be ported to a CRM solution in the future. If the strategy for  managing customer data is not instituted with the sales team from the get-go, management will never really gain solid data to support the business metrics and marketing will loose invaluable data for establishing and managing marketing programs.

Erik:  What are the first steps for companies, especially resource-strapped start-ups, to take in starting their marketing efforts?

Heather:  Refer to my answers regarding the top marketing activities and “nearly free” marketing activities.  Development of even a baseline marketing strategy, marketing plan and marketing materials assessment will go a long way in laying the foundation to drive effective yet budget conscious marketing programs. 

I will also offer a free one-hour “Ask the Expert-Marketing Consultation” to the readers of Art of Information Security blog.   During this session companies can jump start their marketing by gaining free marketing advice specific to their website or marketing plan and bounce ideas off a marketing expert who specializes in the IT Security industry.  Schedule your free session through the contact page at www.candescomarketing.com

Many Thanks to Heather !

Thanks for taking the time for the interview, and for the offer to Art of Information Security’s readers. I hope that it will help provide a more rounded perspective to folks we are struggeling with organizing or understanidng their marketing needs. 

Heather can be contacted through Candesco Marketing.

Cheers, Erik

AoIS Interviews Lee Kushner, Part 2

In the final part of our interview series with Lee Kushner (part 1), Information Security recruiter and career coach, we will jump right in with a discussion of Lee’s “7 Habits of Highly Effective Career Managers”.

Erik: I noticed from your web page that you recently delivered a presentation called “7 Habits of Highly Effective Career Managers”. Can you give us a flavor for what those habits are?

Lee:

  1. Talent or Great Skills
  2. Excellent Communication
  3. An effective network
    • Your network is only good if you can call on it and get a result
    • What are some effective giving strategies?
  4. A Professional Development Plan
  5. They Invest in Themselves
  6. Develop Their Own Personal Brand
  7. Possess Necessary Intangibles (perspective, patience, passion)

Erik: Ok, so how can someone reality check themselves about “having great skills”, or about the kinds of positions they “have great skills” for?

Lee: Talent is the one thing that is critical to being great at what you do, whatever that may be. Without talent, it is tough to achieve greatness. However, one talent could be something as simple as being the “hardest worker” or “never quitting until you figure it out”. The truth is that we are all talented at something – it is important to recognize what that talent is, cultivate it, develop it, and leverage it.

The questions I normally ask people is:

  • Tell me one thing that you do better than most people
  • Tell me the accomplishments that you are most proud of
  • If I asked your peers about your skills, what would they say was your best one

When you answer those questions, you usually come close to discovering your best skills or true talent.

Erik: Communication is one of those elusive soft skills. Many people think they are great communicators, but are so-so. Do you have any concrete advice?

Lee: Most people are lousy communicators because they do not believe that it is a skill. There are classes and courses on how to increase your vocabulary, to communicate with executives, to speak to subordinates, etc.

Ask people around you in your personal life, or anyone who can provide you with an honest answer (without repercussions) about your communication skills – that may be a good guide to see where you really stand.

Erik: “Effective Network” – I suspect that you mean something very specific…

Lee: I define an effective network as one that can be called upon on short notice and one that will provide you with a meaningful response to your query. Your network can be made up of co-workers, industry peers, specialists, mentors, and educators. An effective network also has to be willing to offer “candid” communication – be able to freely tell you when you are both heading down the correct path and the wrong one.

Erik: So, having a Linked In account isn’t enough?

Lee: No. Like anything, you get out of it what you put into it. Just clicking on a “Linked Invitation”  does not equal a trusted, meaningful relationship. It is quite the opposite.

Erik: I am very bad with names and faces, however I try to use conferences and large meetings as networking opportunities. One habit I have developed is to write clues to myself on the back of every business card I accept. I write things like, “met Jim at RSA 2008 on Expo floor”, ”Great network threat guy”, etc. Do you have any specific networking habits that you use?

Lee: What works for me is that I like to remember something that is unique about the person that is not necessarily job related: such as an outside interest, a college or university, or something personal. To me,  this allows a connection to be developed that is outside of how you would traditionally think of them, and then you can effectively remember other things about them. However, just because it works for me, does not mean it will work for all.

Erik: What does a Professional Development Plan look like, and whom should I share it with?

Lee:  My thought is that a Professional Development Plan has two parts. The first part represents your current career and the skills that you currently possess. The second part is your long term career goal, and the skills and experiences necessary to qualify for that particular role.

Really what you are doing is performing a “career gap assessment”.

Other components of a career plan should include research on how to attain these necessary skills, a timetable of sorts to actually acquire the skills, and an understanding of the sacrifices necessary to achieve them.

Your career plan should be shared with people who respect and care about you, both personally and professionally. Your professional network can consist of your mentors, your supervisor, your peers, and trusted outsiders. Those can include career counselors, career coaches, executive recruiters, etc.

On a personal level, you need to share this with the people that will share the benefits and suffer from the sacrifices. This is usually your immediate family. Sacrifices can inlcude travel, longer work hours, relocation, and the finances needed for career investments.

Erik: Is personal brand synonomous with reputation?

Lee: In many cases it is, however I think that a personal brand is much more difficult to come by. I mean, everyone has a reputation: some are good and some are bad. However, you traditionally have to work very hard to establish a well respected professional brand.

In today’s culture, professional branding means that you not only have to establish a respected reputation, but you also have to be known for something that makes you unique and your opinions and knowledge “sought after” and relevant.

Erik: Developing a brand is a long term investment. How do you do this so it is not viewed as a “job campaign”?

Lee: You are correct; developing a professional brand will not happen overnight. I believe that many people who have respected professional brands have an inner drive and passion for excellence. It is this passion that usually drives them on a daily basis, and they know of no other way to conduct themselves. My feeling is that if this behavior is viewed as routine and standard, it appears natural, and is only viewed as a job campaign by people who do not share the same level of professional drive or who feel threatened.

Erik: Necessary Intangibles?

Lee: Passion to me is number one. All successful professionals, regardless of field, have a passion for their careers and are driven by an inner quest for excellence.

Patience is another one. Too many people get caught up in the concept of how quickly they can advance, without realizing that they will miss out on the opportunity to learn more and develop their skills.

I think that someone’s work ethic is also a big differentiator. One of my favorite expressions is that the worst thing to be in life is lazy. Someone who is willing to put in the time, effort, and energy to achieve usually finds themselves in positions where they are given extra opportunities to demonstrate their skills.

Erik: Lee, what advice do you have for folks who are currently out of work and looking?

Lee: Two pieces of advice: The first is to “keep your head up” and do not get discouraged. The second is to take this time to reflect as to why you are currently in this situation, and begin to plan accordingly so that it does not happen to you again.

Erik: And for those who are worried about being displaced?

Lee: My best advice would be to be visible when it is time to be visible. This is the time where you have to outshine the people around you, take on additional responsibility, and demonstrate that you are not immune to the current economic conditions.

This is not the time to ask for additional compensation, additional training, or take extra vacation. This is the time to show that you are a team player, hard worker, and are loyal to your current employer.

If you feel that your displacement is imminent, then you should get your resume prepared and begin reaching out to your network to see if they know of good opportunities for someone with your skill set.

Erik: Are there any Career Management resources you could point folks to?

Lee: I will be frank in saying that unfortunately there are not many Career Management resources specifically targeted toward Information Security professionals. Mike Murray and I are hoping to change that at www.infosecleaders.com. We are planning to produce regular career-driven content specifically geared toward the Information Security community. The initial podcast series ”Career Incident Response” will be posted soon.

In addition, we should also be publishing and releasing the results of our Information Security Career Management series around the time of Black Hat and Def Con this summer. The survey is still open and can be found at www.infosecleaders.com/survey.

Erik: Lee, thank you for taking the time to participate in this interview. I know based on the response to Part 1 that this information is getting a lot of attention and that the Art of Information Security community has really appreciated it.

Lee: Our profession is growing and increasing in popularity. In the future, there is going to be increased competition for the best positions. It will not be enough to only be good; you will have to be better than your competition. It will be imperative to plan accordingly and make regular investments in your professional development to differentiate from your peers.

Many Thanks to Lee Kushner

If you have found this interview helpful, please consider participation in Lee’s professional development survey at www.infosecleaders.com/survey. He has a tremendous passion for helping Information Security professionals develop their careers, and for aiding employers in understanding how to attract, develop, and retain top talent. The survey is Lee’s way of reality checking the advice and council that he gives, and will be shared through his upcoming podcasts and speaking engagements.

Cheers, Erik

AoIS Interviews Heather Deem, Part 1

The Art of Information Security has the great pleasure of interviewing Heather Deem. Heather  is the driving force behind Candesco Marketing, and has extensive experience developing and executing marketing programs for Information Security firms. Given the current economy, Art of Information Security felt that there might be broad interest in Heather’s ideas and insights in marketing Information Security products and services.

For more than ten years, Heather has supported marketing efforts, from framing the strategy to executing on the fine details, for a wide range of technology companies including Websense, Finjan, MarkMonitor, F-Secure, and others. I met her at last year’s RSA conference at one of the networking events, and really appreciate her taking the time for the interview. Let’s jump right in…

Erik: How much of a corporation’s resources and energy (capital, time, etc.) should be reserved for marketing?

Heather:  Many companies underestimate the hours and timelines required for campaigns and programs.  Timelines of course vary depending on a company’s goals, budget, the team’s availability, and turn-around times, but in general, it is advisable to allow the following timelines:

Collateral Development: 3-4 weeks to develop a new datasheet, 1-2 weeks for datasheet revision, 4 weeks to develop a new presentation, and 2-3 months to gain customer approval and develop a case study.

Tradeshows: Reserve booth space about a year in advance in order to acquire the best booth location.  Begin planning 4-6 months prior to the event date.  Start development of booth messaging, collateral, and demonstrations at least 3-4 months prior to the show.  Direct mail campaigns, exhibitor service orders, logo’d giveaways, and advanced shipments should be completed about one month prior to the event.

Online Demand Generation Programs: The first step in planning your demand generation program is to define the target market and the offer.  Is the call to action going to be a whitepaper, webinar, podcast or other?  Creation of a new whitepaper can take 2-4 months; 2 months if outsourcing, 4 or more if using internal sources to develop.  For a webinar, you need lead time to engage and schedule your guest speaker, usually an analyst or customer.  Once the target market has been determined and the development of the offer has started, you need to identify the right media company for promotions. Most media sites typically require insertion orders to be placed 2-3 months out.  While some advertising sites have availability 1-3 weeks out, sites with reputable performance typically sell out key promotional categories or banner spots several months out.

Direct Mail Campaigns: Similar to the online programs above, you need to identify your target audience and offer, but will also need to determine the direct mail list for your campaign.  You may have a solid customer and prospect database for your targeted mailing or you may opt to rent or purchase a 3rd party mailing list.  In both cases, you should take the time to segment the list to the specific contact titles, verticals, or geographic areas which are most relevant to your targeted audience.  It is also worthwhile, especially if utilizing a 3rd party list, to confirm the contact information and the mailing address of each recipient.  Depending on the size and quality of your list, the process of scrubbing the list may take days or several weeks. This step is less necessary if you are mailing an inexpensive post-card, but quite necessary if you have developed a higher quality mail piece or offer.

Depending on your offer and the complexity of your direct mail piece, it may take 2 weeks to 1 month to develop content, design the graphical layout, and print the direct mail piece. You will need to allocate another 2-3 weeks for mailing house services and delivery.

The above examples illustrate very rough timelines, but hopefully provide a baseline for planning typical marketing projects. While I’ve worked on and successfully delivered similar projects within shorter timeframes, it is advisable to integrate ample timelines into your project planning to avoid rush fees, team pressure, and depletion of resources which may be needed for other team projects/goals.

Erik: What are the top marketing activities that every organization should make happen?

Heather:  Development of a Marketing Strategy & Plan, and Development of Marketing Materials & Tools.

While this advice sounds almost too simplistic to relay, I cannot tell you how many companies tend to overlook or half-bake their marketing strategy or plan, yet have high expectations of marketing activities which have been based on undefined goals and limited budgets.

Strategy: Identify your target market and develop your positioning, messaging, go-to-market plan, and marketing goals as these elements will serve as a tool for making informed decisions and will be the foundation for your marketing plan and materials.  Ensure that key decision-makers from executives to sales are aligned on these areas.  For example, based on the revenue goals, how many raw leads does marketing need to produce each quarter to support sales, and conversely, does sales have enough resources to appropriately handle follow-up for this volume of leads?

Plan: Based off the marketing strategy and goals, develop the tactical plan to meet the marketing objectives. This plan should include an estimated timeline and campaign results.  Identify if the allocated budget and resources will sufficiently meet the marketing goals.  If not, additional investments in marketing may be required, or the marketing goals may need to be readjusted.

Some companies may feel overwhelmed, not know where to start, or feel that their limited marketing funds don’t justify a full-blown marketing strategy or plan; however, in start-ups, where ever dollar and hour counts, planning is even more crucial as there is less margin for error or waste. Advance planning will strengthen the management of marketing by helping you stay goal-focused, adequately allocate resources, avoid spikes and dips in lead generation, and reduce gaps in your marketing materials.

Marketing Materials: This is one area that deserves more scrutiny. Organizations tend to focus more on lead generation and creating awareness, overlooking or undervaluing the necessity of creating and maintaining a proper marketing library of collateral and tools.  Frequent development and updating of marketing materials is vital to supporting the sales team and channel partners, and for propelling your prospects and customers through the sales cycle.

Almost every company has a datasheet, sales presentation ,and whitepaper, but many overlook other essential marketing materials like positioning briefs for the sales and channel team, ROI calculators, customer case studies, flash demos, and frequent development of new industry whitepapers or webcasts. These tools are like the oil that keeps the sales and marketing engines running smoothly and helps transport prospects through the sales cycle.

Look for Part 2

The second part of this interview with Heather will be posted in a few days. Stay tuned…

Cheers, Erik

 


AoIS Interviews Lee Kushner, Part 1

Given the current economic situation, professional development and job searching are on many people’s minds. As a result, I saw no better time to get perspective on these topics from a true industry insider.

Lee Kushner is the President of LJ Kushner and Associates, LLC, an executive search firm dedicated exclusively to the Information Security industry and its professionals.  For the past thirteen years, Lee has successfully represented Fortune 2000 companies, information security software companies, information security services organizations, and large technology firms in enabling them to locate, attract, hire, and retain top level information security talent.  Throughout his career, he has provided career management and career coaching to information security professionals at various stages of their professional development.  He is a regular speaker and industry contributor on topics that include career planning, interview preparation, and employee recruitment and retention.

Erik: With 13 years of recruiting Information Security professionals, how has your position as a recruiter changed and evolved?

Lee: When I began recruiting 13 years ago, not many people had ever heard of a recruiter who specialized in Information Security – so there was a great burden of proof on my part to demonstrate that I understood both the technology and the industry to candidates.  Information Security professionals are a skeptical bunch.  It was very important to establish credibility and earn trust, by only promising what I was able to deliver.

I believe that after 13 years, both my firm and I have established a solid reputation and credibility within the industry and among the professionals.   Most of the people that we have worked with, we have done so for quite a while, throughout their career development.    Many of those professionals have passed on their positive experiences to their peers – and our reach has expanded.

It is my hope that through the years of working in the industry we have been able to help elevate the recruitment profession and inspire a different response when people hear the terms “recruiter” or “head-hunter”.

Erik: I understand that Mike Murray and you are working on a podcasting series called “Career Incident Response”? What is that about?

Lee: Mike and I have been speaking on the topic of Career Management for quite some time at RSA Conferences, DefCon, and The Source Conference.  We came up with the idea for a “Career Incident Response” podcast series due to the fact that so many people were coming to us either because they were a victim of a layoff, felt that a layoff was imminent, or had witnessed bad things happening to their industry peers.

The Career Incident Response podcast series will be outlined like a training course.  It will provide a guideline to what people can expect – from items that include evaluating your work situation,  the personal and emotional impact of job loss, how to effectively search for a position,  how to prepare your resume, and some basic ways to address difficult interview questions.

Note: The Podcast Series is scheduled for release on or about May 15th, 2009 on  http://www.infosecleaders.com.  Art of Information Security will post an announcement when the release happens.

Erik: If someone is working with a recruiter, what should they be doing to get the most value out of that relationship?

Lee: I believe that the most important item is honesty, which is driven by trust.  People generally like to keep things close to the vest when they are engaged in a job search and become cryptic about things such as timetable, other opportunities, their current work situation, and compensation.  The more accurate information that a recruiter has, the better that they can help assist you.

The other thing is that people should work with recruiters that understand their profession and can provide them with something more than a job description.  It should be imperative that the recruiter has industry experience, no matter which industry you are in.

For example,  if I was a real estate attorney, I would want to work with recruiters that either placed attorneys, or ones that worked with real estate clients.

Erik: What are some signs that people are working with the wrong recruiter for them?

Lee: The biggest sign is when they do not add any value to your search process that goes beyond the current opportunity that they are working on.  Many recruiters comb job boards and social networking sites, looking for key words, without understanding how they fit in.

Information Security is not a “key word” business.  There are many different segments of our industry and it is comprised of many different skill sets.   If a recruiter cannot differentiate between these skills and how you fit, then you are probably working with the wrong one.

Erik: If you could communicate one thing to someone who is trying to manage their career, what would that be?

Lee: The one thing that I would stress would be to strive to differentiate from your peers.  The industry is going to become more and more competitive, and competition for the best positions is going to increase, being able to tell that story is going to be critical to achieving your long term career goals.

Erik: In your practice, what are some of the key differentiators that you are encouraging people to pursue?

Lee: I hate to be vague, but the best thing that I can tell anyone is to make consistent investments in their career and career development.  This can include certifications, training, personal development, career coaching, etc – but investing in yourself and your career is going to be critical to differentiating from your peers and competition.

I have three rules when addressing self investment:  

  1. Any investment in your career is a good one
  2. You get what you pay for
  3. If you do not invest in yourself, do not expect anyone else to

Erik: You in fact have been working on a Career Investment and Differentiation presentation. What are some of the key points you are trying to communicate?

Lee: The key point of this concept is that it is up to you – the individual – to manage your career.  You are the one that has to seek out guidance, and plan for your future.   Do not expect your company to do it for you – you will reap the ultimate reward – so you should plan on making consistent sacrifices to attain these goals.

Erik: So, how much overlap should someone expect between their employer-driven professional development and their personal professional development?

Lee: Whatever you can gain from your employer’s personal development plan – by all means get.  However, you should understand why the employer is providing you with that stipend – it is so that it benefits them – not you.   If there is overlap – consider yourself fortunate.

Do not be tied to your employer’s career development plans – because you most likely have different plans for your career than your employer.   Develop your own career plan – and understand your skill deficiencies and try to find ways to eliminate them .  

Erik: So, you are really proposing that people treat their career as an asset that requires ongoing maintenance, just like their 401 (k) or home?

Lee: I believe that it is not only important to work “in” your career, but to work “on” your career.

Investing in your career and your personal development is the most important investment that you can make – because it is the one that you have the most control over.  In addition, once you learn something and develop a skill, it cannot be taken away from you (unless you decide to neglect it).

You can make very effective arguments that career acceleration produces the most effective long term financial rewards and improves the quality of your life.

Stay Tuned for Part 2 (link)

In the second part of our interview with Lee, he will discuss his recent presentation entitled “The 7 Habits of Highly Effective Career Managers”.

Cheers, Erik

Pro Dev: Who are We? What is Our Role?

I was recently  in New York for a two-day briefing on emerging technologies from a key technology partner. During the morning session the presenter asked a number of questions of the room as he worked through his deck.

At one point he asked: “Who likes their Information Security guy ?”

I raised my hand, to which he quipped: “Well, they aren’t doing their job then!”

To which I quipped: “Actually, I do my job quite well.”

Stereotypes…

In ancient times, skillful warriors first made themselves invincible,

and then watched for vulnerability in their opponents…

- “Formation”, Art of War, Sun Tzu, 6th century B.C.

The core of Information Security is Risk Management. The pursuit isn’t an “invincible” password policy, but one that provides reasonable protection against known threats. The goal is often not an “invincible” application, but one which is hardened appropriately and also still usable.

But all too often, many practitioners jump right to NO – I WON’T ALLOW IT. this leap is made without understanding the whole of the problem, or the real risks that are specific to the situation.

Now, there are folks in Information Security (and HR, accounting, etc.) who have to say NO because corporate policy, procedure, etc. require them to. This is really not the case that I am exploring here. Here, I want to focus on the role of the Information Security Architect, Consultant, Vulnerability Manager, Risk Manager, CISO, etc. when they are working with the business and IT partners.

Solid Risk Management requires a partnership between the folks who are the Subject Matter Experts in the risk space, and the folks who have a business or organizational need that must be met.  The right or proper answer often isn’t the Black-and-White “We never allow X” (sometimes it is ;-) ), but generally “We usually avoid X, due to these risks, but in this case we can compensate by applying these additional controls” or “We usually don’t permit X, but in this situation it isn’t problematic due to Y”.

I spent a lot of 2007 learning this lesson.

This lesson was taking hold enough that I started researching some of the business literature on this topic. It was then that I ran into Organizational Consulting: How to Be an Effective Internal Change Agent by Alan Weiss, and this definition on page 4:

Organizational Consultants are basically advisers to management who must provide objective, pragmatic, and honest advice to their clients. If there is a trusting relationship, then the clients will always be confident that their best interests are being served, no matter how threatening, contrarian, or painful that advice may be.

 Organizational Consulting is a book on becoming an effective internal change agent. In a way, when I am acting in an Information Security (Architect, Consultant, Advisor, fill in the blank…) role, I see myself being responsible for not just managing the risk issue at hand, but engaging my IT/LOB/etc in such that they can understand why and how the final state came to be.

So, let’s paraphrase Alan’s definition some…

Information Security Consultants are basically advisors to Information Technology and Line of Business partners who must provide objective, pragmatic, and honest advice to their clients, with the objective of managing risk for the benefit of the organization as a whole.

If there is a trusting relationship, then the clients will always be confident that their best interests are being served, no matter how threatening, contrarian, or painful that advice may be.

It has been my experience that when I take the time to…

  • Listen and demonstrate genuine interest in the business problem at hand
  • Educate the key players about the risks that various approaches contain
  • Make those risks tangible, using examples and data when available
  • Work with them, not against them

…that my success rate is very high ! “Success” being defined as both getting the Information Security risks managed, getting the underlying business need met, and being re-engaged pro-actively by the people I worked with the next time around.

Of course, all of these are relationship-building behaviors. All to often, relationship-building is thought of as lunches and golf games, neither of which I do much of. Relationship building is about how you treat people when you are working with them. No one cares that you played golf with them once if you won’t help them solve the problem at hand. Helping them find a way to meet their business needs risk appropriately builds relationships.

Of course, saying NO is a lot less work… for a while….

Cheers, Erik

( If you enjoyed this, check out more Professional Development on AoIS )

CISA and CISSP Preparation

Recently I have received a number of questions seeking preparation tips and insights for the CISA and CISSP certifications. I hold both of these certifications, and passed them both on the first attempt using very different preparation approaches. I took the CISA first, and based on a few lessons learned, I radically changed my preparation plan for the CISSP.

FYI, the official preparation information, qualification requirements, exam requirements, etc. can be found at:

Are You Ready ?
A few basic questions to ask yourself to gauge how ready you are:

  • Do I meet the spirit, and not just the letter, of the experience requirements ?
  • Has there been sufficient diversity in my experience ?

Both of these exams cover a very broad spectrum of subjects. It is my personal belief that the experience requirements exist as an aid to whittle test takers down to candidates who have the professional experiences required to be successful, and to discourage people from taking the exams before they are ready. If you truly meet the background requirements, then you should have had some contact with many of the core topic areas for the exam.

If you are looking at the core content of the examination, and do not believe that you really have the breadth of exposure to be able to describe and discuss each domain at a high level, then you may be better served by delaying the exam in favor of working with your management to gain broader professional experience.

Five Step Approach to CISA or CISSP Exam Preparation

  1. Perform an initial benchmark and assessment of your readiness
  2. Read a “survey” level preparation guide cover to cover
  3. Perform a secondary benchmark, and compare your readiness
  4. Review official, or “deep dive”, preparation materials on areas identified as your weaknesses
  5. Re-benchmark, and repeat targeted reviews until ready

For the first certification that I prepared for, I did not perform the first three steps outlined above. I went directly to the official source materials and began trying to review them cover to cover. I passed the exam, but I also spent a lot of time & energy reviewing things that I already knew “well enough”, and was burned out when reviewing the areas which could have been richer learning opportunities. No matter what your professional background, no one knows-it-all or does-it-all, so there is always an opportunity to learn new things while you are preparing for the certification exam. The goal of this five step approach is to focus your time where you have the greatest learning opportunities. Hopefully this focuses your time and energy in the most rewarding way.

Performing the Benchmarks
For the Benchmarks, I like to complete a timed half-length or full-length examination.

It is my feeling that a half-length exam is long enough that fatigue, maintaining focus, and pace are all stressed, as they will be on examination day. This of course requires access to a large set of test questions or sample tests, preferably with explanations of incorrect answers. In addition to commercial third-party test preparation tools, there are good (and free) test preparation quizzes available from www.cccure.org.

Survey Materials
I find the “Exam Cram” series to be very useful survey literature. I purchase books from this series when I want a high-level and quick handling of an entire subject matter area. As a result, I own survey books from the series in topic areas which I have no intention of pursuing certification for. Obviously the books I recommend for these certifications are:

Deep Dive Materials
There are exam preparation materials available from a variety of sources that fit the bill in this area. What we are looking for are books that contain solid coverage of the areas where benchmarking has shown the most significant need for improvement. In addition to the materials from (ISC)2 and ISACA that I list below, consult your local library – often they will have books that fit the bill. (And, of course, consider arranging a donation of good materials if they do not.)

Final Thoughts
Good luck on your journey toward Information Security or Audit certification. One word of caution: Make sure that you have realistic expectations about what actually being certified will mean. Although I do think being certified helps a person establish credibility more quickly, and is helpful when searching for new employment, often people are underwhelmed by the “Congratulations, that’s nice” from their current employer. If your expectation is that a big raise, bonus, promotion, etc. is hinging on your being certified, then I would strongly encourage you to reality-check that with peers in your organization.

Cheers, Erik

Google Trends: CISSP vs CISA

What is the gold standard certification for Information Security professionals? Is it the CISSP, the CISA, or something else?

Well, I recentry learned about Google Trends, which is an analysis tool from Google that allows you to see how often specific search terms are being entered into the Google search engine. So, just for fun I thouigt I would try comparing CISSP and CISA:

Google Trend Data CISSP vs CISA

The Google trend data would seem to indicate the overall interest in Information Security certiications has been declining, and that there is little to no difference in interest levels between the CISSP and the CISA.
Cheers,
Erik

Art of Info Sec 001: Quick Business Case

Art of Info Sec 001: Quick Business Case

Here it is !

This is the first podcast in the series I have planned. This is a slidecast of the Quick Business Case presentation which I recently delivered at RSA Europe (and similar to the presentation I delivered at RSA USA back in February).

As this is my first foray into this media – combining audio podcasting with presentation slides – please accept a few production glitches and provide feedback.

Cheers,

Erik Heidt