Guest Interview: Hadi El-Khoury and Jimmy Vo "Mentor & Mentee Q&A"

Today, our guest bloggers are Hadi El-Khoury and Jimmy Vo. Hadi and Jimmy are participants in the InfoSecMentors Project as mentor and mentee, respectively. This pair has been kind enough to keep us posted on their progress in the mentorship via updates on Twitter, and they have sent us the interview below where they both weigh in on several questions relating to mentoring in Information Security.

1. How long have you been in the program? Jimmy: Hadi had indicated that we’ve been in the InfoSec mentor program for about 6 months. Time flies when you’re having fun. Hadi: Indeed, mentoring Jimmy has been so enjoyable since he's keen on pushing forward in real life the new ideas and concepts we've been discussing. 2. What are your backgrounds? Jimmy: I am a recent college graduate from Richard Stockton College of New Jersey with my B.S in Computer Science/Information Systems, specializing in an Information Systems concentration. The Information systems concentration was more business orientated, which I found helpful already. I’ve worked part time help desk positions during my undergrad studies. I’ve started my first full time position as an IT Systems Analyst for a small business. I’ve always gravitated towards information security and had an interest in hacking. Most of my undergrad research was centered on information security. I’m currently attending Boston University for my M.S in Computer Information Systems – Security Concentration. Hadi: I hold a post-graduate degree in Network and Information Systems Security from the French Ecole Nationale Supérieure des Télécommunications. Prior to that, I graduated from the Beirut School of Engineering ESIB with a specialization in telecommunications. I am currently a Security Consulting Manager. For the last ten years, I've been dealing with information security and business continuity subjects on technical, organizational and business levels in line with ISMS (Information Security Management System) implementation while taking advantage of quality and business process management aspects for large financial institutions and critical private operators across Europe and the MENA region. 3. What were the main logistical challenges? Jimmy: Hadi resides in Paris, France so there is a six hour time difference. Despite the time difference we meet weekly via Skype. We usually chat for about an hour to an hour and a half about various topics which I’ll go into detail later. Hadi: Indeed, since it's often past midnight Paris time when Jimmy and I meet through Skype, I have to keep a Coke can by my side to regain some energy after a long day at work. 4. What were the covered topics? (Hard Skills) Jimmy: One of my main focuses is business continuity planning. We developed a plan to create a business continuity plan which involved business process modeling, dealing with vendors in regards to SLA, coming up with metrics, determining risks, and various other BCP related topics. We also discussed ways to improve an IT infrastructure, such as concepts like ITIL and other ISO standards. We also discussed various information security topics which deal with metrics, creating security awareness, OS hardening, integrating security into BCP, web application firewalls and securing the SDLC. Hadi: I am always stressing the importance of bridging the gap between the various disciplines governing IT, HR, business process modeling, information security, business continuity, risk analysis, to name of few.... Information security and business continuity are transversal by essence and should be dealt with as such. 5. What skills categories were covered? (Soft Skills) Jimmy: A great amount of emphasis is focused on developing soft skills that are essential to my success. We discussed effective communication with other business units. Hadi discussed the importance of working across different “silos” in order to assist in my organization’s success. There was discussion on persuasion and negotiation techniques. We talked of project management techniques to prevent project failures. Our mentorship was more than being technically able; it was about being approachable and tightly integrating technical initiatives within an organization. Hadi: The best "geek" in the world will remain unnoticed if he doesn't possess a minimum of soft skills, namely the ones just mentioned by Jimmy. When it comes to information security and business continuity, organizations are so reluctant to change their approach that the battle won't be won unless a significant load of soft skills is invested. To support this, I share the following quote from Wall Street Journal Deputy Managing Editor Alan Murray as he was discussing some of the lessons new managers can learn from his new book, "The Wall Street Journal Essential Guide to Management." It reads: "Even best-managed companies aren't protected from this destructive clash between whirlwind change & corporate inertia". IMHO, corporate inertia will exclusively be defeated by soft skills. 6. What was the used approach? (use cases, transversality, feedback, ...) Jimmy: From my perspective, Hadi has coached me rather than taught me. We didn’t spend our Skype sessions on going over step by step of configuring an intrusion detection system. Our discussions are at a higher level, which worked very effectively for me. I can just read a manual or Google a tutorial on deploying an IDS. In the contrary, I can’t read a manual on convincing management on the requirement of an IDS. Sometimes Hadi will assign me “assignments” which we go over during the following meeting. We also discuss interesting InfoSec related articles and try to apply them. Hadi: In addition, I'll just mention the mindset changing "Security by Analogy" approach. Readers can find an excellent example at the ISECOM website here: http://isecom.securenetltd.com/jack.1.0.en.pdf. I personally love the Electrician example, since it constitutes IMHO the very basic foundation of Information Security and Business Continuity. 7. What were the quick wins? (ROI, ...) Jimmy: One of the quickest wins was learning how to deal with salary negotiations. This was a skill that wasn’t taught in college. In the end, I was able to negotiate for more benefits. I was able to implement some initiatives for my organization with the help of Hadi. I see the wins every day at my workplace because of the knowledge and coaching I’m receiving. Hadi: Every Skype session with Jimmy is a quick win by itself since his motivation remains constant and his open mindset is ready to bust a new corporate silo. Jimmy is trying hard to tackle things properly each day despite corporate inertia. These are valuable assets for any wannabe Infosec practitioner. 8. What are the induced projects? Jimmy: My experiences beginning my professional career and discussions Hadi had motivated me to start a blog called Above Technical (.com). There are many technical blogs that focus on the mechanics of technology and/or information security. These skills are very important but the soft skills to communicate with others in an organization are even more important. The blog is focused on what I learn and the tips I’ve gathered in hopes to post some useful content for others. Hadi: Besides naturally contributing to Jimmy's new blog, I'm evaluating the feasibility of a larger scale mentoring program that takes advantage of the InfoSecMentors experience along with online news aggregators like the http://coaching.sekimia.com one. 9. What's new on your bookshelves? Jimmy: The newest book I’m reading is Yes! 50 Scientifically Proven ways to Be Persuasive by Noah J. Goldstein, Steve J. Martin, and Robert B. Cialdini. It’s a book Hadi had recommended for me. Hadi: Jimmy introduced me to the Toastmasters International website. I'm looking forward to delving into their leadership concepts.

You can find Hadi El-Khoury on LinkedIn and Twitter.

You can find Jimmy Vo on Twitter and at his blog, AboveTechnical.com.

Guest Post: Michelle Klinger "Interview with a Mentee...Mentee T"

This is the continuation in a series of interviews with both mentees and mentors on their experience with InfoSec Mentors to date. Individuals have had to have been paired up for at least two months and I also chose to keep the participants anonymous as I thought I’d receive more honest answers, both praise and critique of the program. And with that I introduce an interview with a mentee.....Mentee T:

Q: What was your reasoning for engaging an infosec mentor that you were not able to do on your own?

A: To be honest, it was the experience really. I was looking for a way to broaden my horizons, and talk to all the people I could. I'm relatively new to the community, and one of the most important things that I've found, as well as the most rewarding, is just to talk to people. When I heard about the starting of the project, I was one of the first to pitch it to others.

Q: Prior to being matched, had you known of your mentor either personally or through social media forums? Were you hoping for someone “well known” in the social infosec social circle?

A: I was definitely aware of my mentor, and I think my mentor and I had mentioned each other on twitter once or twice, but had never actually conversed. Was I hoping for someone well known? I had no preference, really. One of the most important things about a project like this is coming into it with an open mind. Particularly as a mentee, you're really after someone who is well, smarter than you. So you have to throw out a lot of your preconceived notions and just go with the flow. (Also, wow, that was incredibly hippie-ish.)

Q: Was gender a concern when envisioning who you’d be paired with?

A: Not in the slightest. There are a lot of infosec chicks who are significantly smarter than me, and a lot of dudes who are as well. Like I said above, it was really about making the connections and conversations.

Q: Has your mentor suggested or encouraged you to engage in social media (i.e. Facebook, Twitter, and LinkedIn)?

A: I'm actually more active on social media than my mentor. Mentor did make a point to remind me to be careful what I say out there, but that wasn't much of a stretch more than what I already do. It's an often forgotten art, the act of not spewing every little thought on to the interwebs. Actually, if you watch my stream really closely, you'll see me tweet something, then within a minute or two, delete it after some thought.

Q: Was your pairing public via social media (i.e. Facebook, Twitter, LinkedIn) either by you or your mentor? What was the reasoning behind the decision?

A: It was actually kind of a game to see if people could figure it out. Even about 6 months or so later, once we had pretty well, if not officially ended the mentor/mentee relationship, that some folks were still trying to catch hints. But we never officially made it public. Just never felt the need, I suppose. Now, though, I wonder if that might have put some necessary pressure on the relationship.

Q: Did the initial meeting/conversation meet expectations? What did that initial communication entail?

A: The initial conversation actually threw up some red flags for me. Our initial introduction was through email (we didn't meet in person until BH/DC), and I went ahead and took the lead, since every conversation should be a two way street, by sending a few questions in my mentor’s direction. Just a few things like how mentor got 1st infosec start, what some of my mentor’s day to day duties and such are, and a few other questions just to get to know my mentor better. And while my mentor acknowledged that emails were received, I didn't receive a full response to those questions for about 2 weeks.

Understandably, that's a little rough on the start of what's supposed to be a back and forth relationship, just by definition of a mentor/mentee relationship. I understand being busy, I was in the process of writing and preparing a talk myself, but this definitely started us off on a rocky footing.

Q: Have you made any major changes or decisions based on advice or direction from your mentor?

A: Well, I'd like to say I have, since I received such advice as "Stay in school." "Don't let your ego get ahead of you." But I don't know that those are really personally specific, so I guess the answer is no.

Q: Were you given any “homework” or assignments to complete and did you actually do them? Did you see value in the tasks assigned?

A: In an odd turning of the tables, I was actually the one issuing homework. I was looking for feedback on my talks, and my topics, so I assigned my mentor to watch the recordings. However, I don't think that was ever done, so I suppose there wasn't much value from the assignment if it never got done.

Q: Do you feel the mentor you were paired up with was an accurate match?

A: That's a hard, hard question to answer. I think we had some similarities to be sure, and since I still don't have much of a direction in mind, just getting to know someone new was kind of rewarding. However, I am still definitely disappointed, thinking about what could have come out of it. Even meeting in person never lit much of a fire. This is an organic thing, it has to be nurtured and grown, which requires effort on both sides of the table. If that never happened, nothing ever grew, and then I don't know that we could call the match accurate. The important thing, though, is that I learned something from this, even if I'm not totally sure what I'm it is quite yet.

Q: If you could re-do any aspect of your interaction with your mentor to date, what would it be and why?

A: That's a loaded question, particularly after my comments above. Is there stuff that I would change? Hell yes. I'd love to have gotten to know my mentor a little better. I wish we could have shared a bit more than the IM conversations and a few hours of surface chat at BH/DC. I was in an area where I was trying to make some decisions and more than a line or two would have been greatly appreciated.

However, I don't want my story to be a discouragement. More a...disclaimer, I think. As you go into your mentorship/menteeship, be aware this is definitely a relationship. It has to be a two way street, or this isn't going to work. Take a look at your time commitments before joining the program. This whole post could have been avoided early on, if my mentor had waited until a period where mentor had a little more time on his hands. And not even a whole lot, but enough to answer an email every few days. Just something to think about…..

Looking for other mentors/mentees...If you'd like to be interviewed, please contact me at securityindepth at gmail dot com