Tuesday, October 19, 2010

Unexpected difficulties from life on the road

As far as career highlights go, this past month has been one of the best. I'll never forget my trip to Source Barcelona where I hobnobbed with Really Smart Dudes™, had conversations that may well have changed the course of my business model, and convinced Wim Remes to be EU Director of the InfoSecMentors Project.

But the name of this post is about unexpected difficulties in traveling, not in its virtues.

Nobody will be surprised to hear it when I say that I made a rookie mistake. The conference was actually only two days, but I've been to Europe before, and I knew that if I was going to be human I would need two days beforehand to get over jetlag. Then, as long as I was in Europe, I decided I would stay through till my cousin's wedding. And I'd always wanted to see Italy. And I was set to coordinate Security B-Sides Atlanta in October. Before I knew it I had racked up 26 days away from home.

Now, you industry veterans know before I even say it what my unexpected mistake was. In my excitement to experience the whirlwind jetset of a lifetime, I had completely abandoned my loving, dutiful significant other. By the time I realized what my trip was really costing me, the damage was pretty severe. I'm grateful to say that all is well now, but it left me thinking "I wish someone had talked to me about stuff like this." The InfoSecMentors Project blog is about advice for careers, but it's also about the ephemeral stuff that you may never realize, but really need to survive in the bigger game. So, thanks to some of the awesome supporters of the project, below are some thoughts from people I respect in the industry on the subject of traveling for work, and keeping that perspective on *what's really important.*

Does traveling for work put a strain on your relationship/family life?

Chris Hoff, someone who regularly crosses continents, said,
"Definitely. There are two aspects that are most difficult; logistics and emotional connectedness. I have 3 kids (6, 9, 14) and another on the way. My wife and I really do work like a transportation team when I'm home and I do most of the cooking so it's very difficult for her to maintain all of it by herself. She does a fantastic job but it's a nightmare trying to plan around three different schedules given the kids' activities.

Then, of course, there is the issue of not being there; not having a spouse, a friend, a dad. That's a terrible price to pay, but given how big of a part of my job this is and has been for some time, we learn to cope and try to quickly settle back into a routine when I get home."

How likely are you to forgo work travel for family reasons?

Following up on a topic he actually covered at HacKid Con in Boston, Josh Corman said,
"I travel BECAUSE of family, because I am the provider. I hate getting on a plane for work (although many friends/colleagues don't even have income right now.) I travel BECAUSE I love my family. The trade-offs between the Provider, Parent, and Spouse roles are very difficult."

Martin Fisher adds,
"I may not forgo the travel but I work hard to minimize impact. I plan for day-trips instead of 2 day events...2 day events versus a week away...and so forth. Sometimes long trips can't be helped but working hard to minimize the impact pays huge dividends."

How often do you "call home" while on a work trip? Which technologies do you use?

Ryan Russell said,
"At least daily, usually several times per day. At least one voice phone call, frequent texting, sometimes an email. My wife isn't into any social networking, but I see many other couples use that. I will sometimes interact with my older kids on Facebook. When I went to Germany a couple years back, I found my cell not working, and hotel phone ridiculously expensive. I was happy to find that Skype worked really well. (On the really expensive Hotel Internet, but that's not optional. ;) ) We have toyed with gmail video chat, and found it workable. We would probably use that in the future."

So, what's the secret, really?!?!

In classic Nickerson style, Chris weighs in on this one, touching on points I hadn't even considered.
"HAHAH... I really wish there was one. More than anything, it has to do with the level of understanding of your family. If they have always known you to fly 150k miles a year and only be home on the weekends.... they have their expectations set (hell, I think Jes gets sick of me being home for more than a few weeks in a row) =)

If you are new to the JetSetting... communication is the key! Bust your butt on the job... so you can catch that early flight, plan your trips wisely, check in often, speak your mind... (this one is huge) Let them know what you are doing and why. They love ya and will understand. Sometimes there are compromises that can be made (a day here n there) that help them feel like they are part of the process ... not just collateral damage.

The gifts.... well.. that's lame. No need to try to buy it back. Instead... buy 'em gifts at random. It's more fun, and will always be unexpected. This way you are not trying to make an excuse for why you got them some crappy Barcelona t-shirt and a package of gummy bears from Berlin.

But in all seriousness, I have had many first timers work for me in the past and I always tell them that they need to make family first, and take care of them at all costs. (PS. for all you managers out there.... It's on you as well... don't be slave drive'n your employees just because "you can" and "they don't mind." You have to have some respect for their family life. If you are not sure if you are doing it... read their schedule to your spouse. See if they say "If you had to be gone that much I'd..." or something like it. Employees and partners alike, all need the checks n balances. Spouses, Bosses, and all you Jet Setters... you all have a responsibility to be vocal and make it work together. NO ONE can do it alone."

Hopefully this was helpful, or at least sits in the back of your mind. One of the topics I hear people worry about in this industry is "burn out." I've learned first hand that it's a real concern, and unless you keep your home life happy you'll never survive it.

Friday, October 15, 2010

Suggestions for getting started

One part of participating in the InfoSecMentors project is the support resources found on this blog and over emails. One email in particular goes out to potential mentors and mentees before they meet their match, giving them suggestions for how to start the process. The first step is to bridge the familiarity gap and get to know each other. I've posted this email below, in case you were one of those volunteers who received it many months ago and were looking for a reference.

Hello participants,

If you're receiving this email, it means we have received all of your application information, and we are busy making a match for you! We've had an overwhelmingly successful number of participants, and we've begun making some great introductions. In the meantime, I thought I would create a small list of activities you should expect to do during the beginning phase of your mentoring relationship.

-Email your mentee with an introduction to yourself. Consider including the answers to questions like "What is your favorite duty on your job?" "When are you available and where are you located?" "What was your experience being a mentee in the past?" and "What do you expect from your mentee in this relationship?"
-Decide with your mentee on a single task that you can help them with, and execute.
-Promote your relationship. With their permission, talk about your mentee on Twitter or other forums. This is to increase the mentee's personal brand, and to make it easier for them to seek help or engage the community.
-Introduce them to other people that can help with another specific issue.
-Wash, Rinse, Repeat.

-Create a list of questions for your mentor.
-Email your mentor with an introduction to yourself. Include information about your experiences up to this point, and what goals you have.
-After getting to know your mentor's skill set, decide on a single task that they can help you with. The more specific, the better. (Not knowing what you want to be in 5 years is fine. Start with a goal of learning about your mentor's daily job. Ask questions about their background and style of living. Then ask them to guide you through introductions to other people in different jobs. It is important to be specific and have your questions ready.)
-Keep in touch! While it usually falls on the mentor to make the connection, it is very important for the mentee to *maintain* that connection. Plan on emailing your mentor every few months after your task is completed with updates to your professional life. This will definitely pay off down the road, I promise!

-Continue being adorable.

When you receive your introductions tomorrow, hopefully you will be pleased, but if there is a problem, just email us and we'll make a change. Problems that may arise include schedule conflicts, ethical/NDA conflicts, or you're already best friends and don't want to "go there." No problem. Give us another chance, and please be *specific* about your goals.

And keep an eye on our blog, http://infosecmentors.blogspot.com/. We have some helpful tips, and future blog posts planned interviewing some of you on your progress!

Best of luck,

Founder, InfoSec Mentors

Thursday, October 14, 2010

Mentor vs. Mentee

Hiya! We've been matching mentors and mentees at lightning speed in the past days and as one would come to expect, we have many more mentees than we have mentors.

At first glance this would seem natural, the infosec people I've met all had one thing in common: their thirst for knowledge. If we pick up a subject, we want to know it all. When it seems we master a subject, a whole new aspect of that same subject jumps from the woodwork. It's an eternal process. We (need to) keep learning.

When I look at the list of people who have subscribed to infosecmentors as a mentee, I sit back and wonder. Among them are people I would love to have as a mentor because I know they possess a wealth of knowledge and more importantly, knowledge that some of the other mentees crave.

Whatever your reason is for not subscribing as a mentor, I ask you to think again. And this is why:

Several years ago I picked up a book at a local second hand book market and I decided to take it with me. That book was "The Cycle of Leadership" by Noel M. Tichy and it describes how top-performing companies stand out because of their ability to develop leaders at every level of their organisation. These companies develop virtuous teaching cycles in order to keep a steady flow of leaders within the company. Most importantly, Mr. Tichy stresses the importance of the teaching and learning being reciprocal. The best teachers are those who are willing to learn from their students.

After I read the book, I started paying attention to this concept. I try to grasp every opportunity to learn from anybody. Sure I can learn a lot from another person, much smarter than me, in my own trade but I learn from the C-level executive, the helpdesk guy, the cleaning lady and my mom too. Sometimes I teach. Not in the classroom sense of the word but I share knowledge. And even then, I'm learning too. By getting feedback, people proving me wrong or people providing completely new insights that challenge me to learn even more. And it's fun!

Let's bring that spirit to infosecmentors! I promise you that being a mentor will not be a boring task and even as a mentor, you'll learn a lot!

We need you!

Mentoring in funny accents ...

I have to be honest. When Marisa came out with the whole infosecmentors idea, I must have been her worst critic. Infosecmentors was launched with the idea of bringing mentors and mentees together during BH/DC in July and I was totally rebuffed. I loved the idea, but I felt excluded since I wouldn't make it to Vegas in 2010. How could I ever participate? I didn't sign up and let the idea slip away.

Months passed by, 0-day got released, several Patch Tuesdays came and went and somewhere in the back of my mind a thought was lingering: "could I be a mentor or rather embrace my inner n00b and become a mentee?"

Then came September and I flew to picturesque Barcelona to speak at and attend the Source conference. How much did I know my life was about to be changed? There must have been sangria and tapas involved but then and there I was personally introduced to Marisa. Now, I have to tell you, if you happen to run into Marisa the first thing you notice is the copious amounts of positive energy she exudes. After apologizing umpteen times about my behaviour a few months back, we kept talking about this project and the way she talked about it, the energy she puts into it got quite infectious. Somehow along the way I had a choice to make: either I was gonna be the bystander who criticizes and does nothing or I was going to get involved and give my everything to make this work.

I didn't think twice, or maybe I did but after 2 more cups of sangria it didn't really matter.

Since more and more people from Europe are putting their names down as mentors and mentees and the time difference would require Marisa to either clone herself or outsource the matching process to Elbonia, as of now I will be your contact person for this part of the world. Together with Marisa, I'm totally convinced that we will all benefit from the mentor/mentee relationships we want to foster and we're more ready than ever to make this work.

For those that don't know me, I'm @wimremes on Twitter and the rest can be found using Maltego. Now let me get back to finding you the right mentor/mentee and enable you to get as much out of that relationship as possible.


Monday, October 11, 2010

Guest Post: Michelle Klinger "Interview with a Mentor...Mentor R"

As previously mentioned, this is the continuation in a series of interviews with both mentees and mentors on their experience with InfoSec Mentors to date. Individuals have had to have been paired up for at least two months and I also chose to keep the participants anonymous as I thought I’d receive more honest answers, both praise and critique of the program. And with that I introduce the first interview with a mentor.....Mentor R:

Q: What was your reasoning for choosing to offer your time and energy in becoming an infosec mentor? Had you ever been a mentor before (officially or unofficially)?

A: I have been both a mentor and mentee in my career so far. I had never taken part in a formal mentoring program before but I had been “taken under someone's wing”. That person helped me a lot in my career so I wanted to give something back to someone else wanting to get into information security.

I unofficially mentor people in my current role and continue to do so, the work I do with my infosecmentors mentee is largely the same as I do with my two unofficial mentees.

Q: Prior to being matched, had you known of your mentee either personally or through social media forums? Did you request your mentee?

A: No, I hadn’t heard of my mentee beforehand and I didn’t request my mentee.

Q: Was gender a concern when envisioning who you’d be paired with? Why or why not?

A: It wasn’t for me, I’ve worked with and been managed by females all through my career so I’ve never seen gender as a problem. I’ve been exposed to the struggles my own mother had through her career as a female in male dominated industries despite her knowledge and achievements.

Q: Has your mentor suggested or encouraged you to engage in social media (i.e. Facebook, Twitter, and LinkedIn)? Have you? Why or why not? If you have, has it aided in your original goals?

A: I’m the mentor in this pairing but I suggested my mentee set up a blog which has helped build his profile in the web application security community. I also encouraged my mentee to be more active on Twitter and get involved in “conversations”.

Q: Was your pairing public via social media (i.e. Facebook, Twitter, and LinkedIn) either by you or your mentee? What was the reasoning behind the decision?

A: It was made public, by both of us. We had multiple reasons, we were happy to be paired together. I wanted to spread the message about the infosecmentors program as well. Obviously no one gets to see everything we discuss but we feel making some things public has helped, I know of people who have applied to join the program after reading about our work and pairing.

Q: For the initial meeting/conversation did you have a set idea of what you wanted to communicate regarding the mentor/mentee relationship? What did that initial communication entail?

A: I guess the fact I’m in Ireland and my mentee is in Las Vegas limited our choices when it came to communicating with each other. We have almost exclusively communicated via email, quick/small queries via DM’s and we spent a day together at DEF CON discussing future projects etc.

Q: What is your take on assigning “homework” or tasks to your mentor?

A: I am the mentor in this pairing, but if my mentee wanted to assign me “homework” I’d not be against the idea as long as they respected the fact I sometimes have no time to do this kind of work.

Q: Since your pairing, would you say that you were accurately paired with your mentee? Do you feel that you have the knowledge and skills to guide the mentee towards his/her goals?

A: Yes, definitely. I think we are a great pairing, I felt this way just from our email conversations but after a lot of one on one discussions in Las Vegas I feel we both think alike and have the same work ethic and attitude towards information security.

Q: Would you say that being a mentor has taken up a significant amount of personal time?

A: No, if anything I sometimes feel like I should be giving more time to this but I just can’t spare much time when work and outside work projects get busy.

Q: If you could re-do any aspect of your interaction with your mentee to date, what would it be and why?

A: Probably spend more one on one time when I was in Las Vegas, given the distance between the pair of us one on one meetings are probably only going to happen once a year.

If you want to be interviewed, please contact me at securityindepth at gmail dot com

Monday, October 4, 2010

Guest Post: Dan Burrowes "Passion to Drive Action"

Today, our guest blogger is Dan Burrowes. Through his participation in the InfoSec Mentors Project, I learned that Dan has a fascinating perspective on what the Information Security community is like in Japan. He has offered to share an essay on the power of communication and letting your passion drive you. Dan can be found at his bi-lingual blog: http://akibako.com/

I'm an English teacher. In Japan. Moved here from the States seven years ago. It pays the bills. Before this, I was in IT, but long story short, right now I'm not.

It's funny how life works. Sometimes you close one door in your life, and you think that it's closed for good. In the meantime, you look for another door, only to find one and discover that it looks eerily like the last. However, when you open it, the landscape looks different. It's clearer. You can see clearly now exactly which path you are meant to take. Your passion has been found. This is infosec for me.

In this revelation, you also realize that your progress down this new path is equal only to how much effort you expend. Your passion drives you to take action. You ask when you don't know, you take initiative, and you seize every opportunity you're given.

But you quickly realize that you can't do it alone. No one can do it alone. Nobody who has ever done something great accomplished it in the vacuum of their own solitude. You need somebody to ask when you don't know. Somebody to help you turn your initiative into progress. Somebody to give you opportunities and guide you to begin creating your own.

Somewhere in the back of their mind, everyone knows this, but they often don't act. They wait, believing that greatness will seep into them as if by osmosis.

Well, guess what? You can't wait. You need to start somewhere. This was true for me, as well...so I did.

I took my Japanese language studies seriously. I went back to basics, studying networking, protocols, and programming. I read white papers, watched presentations, and listened to podcasts. I was learning a lot. But I was still in a vacuum. I needed to interact, however social networking was never my forte. Marisa Fagan gave a talk and wrote a blog post about how to prepare for a career in infosec. The simplified premise is that you need to socially integrate into the community and be active in it.

It took me a little while before I truly understood this. The point of this integration is not to create a platform for narcissistic drivel. The point is that the more connected you are to the community, the more you'll get back in return. Being part of the community means that people will help you, people will teach you, and people will inspire you. But it won't happen unless you become involved.

Keep in mind that "the community" can be looked at in two ways. One is the larger, international infosec community — the global entity comprised of practitioners, researchers, and analysts. Here, infosec rockstars travel the globe to do their thing because of their expertise and notoriety. But rockstars don't become rockstars without first busking on local street corners and honing their skills in the neighborhood garage. This is the other way to look at the infosec community: the local entity. This entity is local in language and region — it is a microcosm of the global version. The international and local spheres cannot exist independently; they are the same group, just different scopes.

Since one of my primary infosec goals is building my infosec career in Japan, I realized that I needed to start to integrate myself locally. The challenge was daunting. I'm not a native speaker, so I was linguistically separated from the community. I didn't know anyone else in infosec, so I was socially separated from the community. My city lacked a hacking group, so I was physically separated from the community.

So I decided to make a community. A local one. A group didn't exist with the goals I envisioned, so I created the Kyoto Information Security Users' Group: a mailing list and monthly hands-on learning sessions to ask when you don't know, turn your initiative into progress, and give you an opportunity to share, teach, learn, and do. So I do so. In Japanese. Every month. It scared the crap out of me at first. Me, the only non-Japanese speaker, getting up to lead a hands-on session about ICMP attacks to thirty people who are most definitely more knowledgeable than myself.

I wasn't an expert in the topic. I found my language ability failing me. But I wanted to share what I knew, recognizing that the outcome would ultimately be that *I* learned something. Nothing happens until something *happens*. You need to be an active participant if you want to learn. You need to introduce yourself if you want to be part of the community.

But all of this requires that you be able to communicate. Regardless of whether you use your native language, or your second (or third, or fourth...), it's imperative to hone your linguistic communication skills. You become hyper-aware of this issue when you live in a country that speaks a different language from your own. On one hand, you become painfully cognizant of your deficiency in your host country's tongue, yet you also begin to realize the true power that you wield in your native tongue. Communication is power. You can attack someone's argument; you can defend your own; you can convince; you can enlighten; you can garner trust and respect. It is a direct reflection of who you are and what you know.

Having command over both written and spoken language is absolutely essential because ultimately, the entire field of infosec deals with discovering, parsing, and advising on written and spoken communique.

Take a theoretical pentest of a Japanese software company. Information gathering would be practically impossible if you can't read Japanese names, addresses, or documents.

A great deal of your social engineering engagements wouldn't get too far if you didn't look and speak like a native Japanese. (Though playing the "helpless foreigner" role can give you a different avenue for access.)

Jump to the penetration phase of the assessment. You've discovered two software development servers hosting what seems to be only half of the company's key software. The servers are named "nobunaga" and "hideyoshi". You can't find the company's main assets. If your cultural knowledge were up to snuff, you'd presume that there also exists a server somewhere named "ieyasu". (Tokugawa Ieyasu did ultimately become the most powerful of the three warlords, so he'd rightfully be holding the crown jewels.)

Finally, good luck writing your report...in Japanese. And giving your final briefing to the client's executives...in Japanese. And advising the company's IT staff...in Japanese. Your career depends on your ability to communicate effectively, yet it's hard to be authoritative about your knowledge if you can't eloquently express yourself.

This situation applies to any language, whether it's Spanish, Slovak, or Swahili. It even applies to English. Even if your entire infosec career never extends beyond your native language, you still have the task of eloquently expressing yourself to other people through written and spoken forms.

Being in infosec is a lot more than just the technology. Whether you've already got a mentor, or you are still crossing your fingers hoping that the program will send you that special email, it's still up to you to take initiative in your education. Your path as an infosec mentee starts even before you become one. Become involved in the community — even if that means that you have to be the one to create it. What you create locally will eventually make you connected globally. Lastly, always remember the power that you have to communicate. Never stop striving to polish your communication skills be it in your first language, or your second.

Make your passion drive your action.