More Dreaming

Today my favourite analyst and security podcaster Javvad Malik put out the following tweet:

While I am not a "security peep", in that my role does not fall within the jobs that typically report to a CSO/CISO, I work in the security space. I also enjoy the InfoSec community and aim to contribute to it as best that I can.

When I read Javvad's tweet, I saw a bunch of quick responses from various people, while I sat back and really thought about it. Keeping in mind the InfoSec space is global and recognizing that I only know a few people, I thought about this off and on for a couple of hours. I also thought about what InfoSec meant to me and, of the people I do know, who I would love to work with.

The top of my list will always be Andrew Hay. I know many people will assume it is because he is my husband - please do not assume. Not only do I respect Andrew as a person, I admire his work ethic and have worked with him in the past; in fact we met at work.

In addition to Andrew, the following people came to mind:

• Dave Shackleford: If you have the pleasure of meeting Dave or seeing him present, you will understand why he is on this list. He is a wealth of knowledge, engaged in the community, full of energy, and honest. Dave loves to share what he knows and enjoys a good debate.
• Wendy Nather: This woman is simply fantastic. For various reasons, she receives a lot of respect from everyone in InfoSec. Wendy, while very knowledgeable, is also a natural presenter and very respectful to everyone around her.
• Brian Honan: In addition to being Irish, a beer connoisseur, and a rugby fan, Brian is very active in the InfoSec space. He is extremely knowledgeable in various aspects of InfoSec and is simply a great guy, who is also very humble.
• Matt Johansen: Over the past few years, Matt has really stood out to me in the InfoSec space. I am fairly certain he is the youngest person on my list, but don't let his age fool you. He has moved his way up at WhiteHat Security, presents at conferences, and contributes to the LiquidMatrix podcast.
• Javvad Malik: Javvad is another great guy. Of all the people in InfoSec, I think Javvad is the friendliest. He's another smart guy that loves to engage in the community and contributes in presentations and through his own podcast.
• Alison Gianotto: Alison is a fantastic blend of smarts and humour. I started following Alison on twitter because of an interaction she had with someone else. She drew me in with her humour and sarcasm and I haven't looked back. Over the past few months, I have learned more about her and, while I have yet to meet Alison, she has earned my respect and admiration.
• Jennifer Leggio: Jennifer is like me - she works in the security space - but wouldn't be considered a "security peep". That being said, you'd be hard pressed to find someone who has not at least heard of her. Jennifer is a work horse and probably the most non-security-peep involved in the security space. She has a huge following simply because she brought the InfoSec space together through the Security Bloggers Meetup and everyone respects her.

The main reason this group comes to the top of my list is because I believe they contribute to the InfoSec space positively. Not only are they active in InfoSec, they are a great group to interact with. While many people go on and off my Twitter following list, this group will always remain on it.

Now, if only I could think of a business for us all to work together.

Dream a Little Dream

We moved to the US in August 2012. I was very excited for the move because it meant for the first time in years, I was going to be able to pursue a new job in a large area with lots of job opportunities. Since moving down here, I've been trying hard to better work-define me. I know the type of company I want to work for and there are only a handful of canned job descriptions that I submit my resume to.

While my job history does not show an escalation in responsibility, I have worked various jobs that are all connected by my ability to do technical training - whether it be for coworkers or clients. 

My last Canada-based job had me doing lots of things, which I loved. I did product research as well as content and lab development. I was also in a leadership role - a role that had me reviewing the work of junior resources and content from subject matter experts (SMEs), as well as project leading internal and client resources. Unfortunately, there was no room for job advancement and I want to move up.

After a few weeks away from this job I have realized that I miss project leadership. I've applied to senior, lead, and management positions since moving here and been called out by the hiring people for applying to the positions. They read my resume and don't see a previous job title with the similar "senior" or "manager" titles and are not convinced I can lead a group of people. I explain how I have lead various projects (sometimes as many as 12 at one time) while also managing the associated resources and keeping projects on time and budget. I even have a lovely reference letter from a previous client that supports me in a leadership role, which I provide when applying to these roles.

I KNOW I can do these jobs - if I didn't, I wouldn't have applied. 

This morning, Ms. Snipe, who happens to be my most favorite person to follow on Twitter, put out this tweet:

She got me thinking about my work luck. I don't think I have been unlucky with work. I have worked for a variety of companies - different service offerings, different organizational structures, and very different head counts. I have seen and experienced a lot and I have no regrets.

Where I am stuck now is that with almost 20 years experience in tech and training, the last 6+ as a leader, is what can I do to further prove myself as a group leader to get that manager role? 

While I am not overly aggressive, I am very confident in myself and my abilities. I would love any advice - seriously.

I Wanna Be Heard

A couple of weeks ago I blogged about presenting at BsidesLV. I am definitely excited, but am also quite nervous because I have never presented at a conference before. I am also still new to the conference scene, having only been to a handful of conferences and attended or watched a few talks. 

Even though I have only seen a few presentations, I have learned lots about what is rare at conferences:

• Great presenters
• Variety of perspectives
• Variety of topics between and at the same conferences
• Variety of presenters between and at the same conferences

What I fail to understand about conferences, is the persistent group of presenters/speakers - I will abbreviate this to PGPs. The PGPs are the same names that seem to get on the list for most of the conferences and talk about the same things. Conferences claim to be better or different than other conferences, yet I have not seen a variety when it comes to the bigger, well known conferences.

This leaves me with two questions:

• Is this a conference issue where the PGP name and/or company where they work are recognized and almost automatically accepted?
• Is it a game played by the PGPs to submit as many talks as possible to earn some air miles and share the same word with a lot of the same people throughout the year?

I've been watching my twitter feed as people mention if they have or have not been accepted for BlackHat USA this coming summer. What I have noticed is an increase in new presenters - which is very exciting. I hope there are also new topics to go along with the new faces.

You Want to Learn What?

This has been the question posed to me repeatedly while working as a technical writer, trainer, and course developer. Since graduating from college, where I learned C, C++, COBOL, and Visual Basic, software development has changed just a little bit. While I might be long out of full time college courses, I want to continue learning so that I can continue to be an asset to any company. 

I have asked for training in Flash and various programming languages and all requests have been rejected because the company-specific value-add is not apparent. Oddly enough, when an obvious need for software training has come up (client requirement) I have also never received any formal training. The approach has always been "This is what we are using - figure it out"…good thing I am a quick learner and can read a manual.

For an idea of why I think training for technical writers is required, here is a portion from the qualifications section of an active job posting for a Technical Writer:

• Minimum of 2 years experience documenting some of the following: application end-user guides, system administration guides, API guides or comparable content.
• Advanced Microsoft Office skills, especially Word, Excel, Powerpoint, and Outlook. SharePoint experience a plus. 
• Demonstrated ability to write and publish documents using FrameMaker and Adobe Acrobat Professional, screen capture software; Madcap Flare experience a plus.
• Experience documenting Java, Web Services (SOAP/REST) APIs, comfortable working with code snippets and design/functional specifications a plus

While I know lots of people do not receive company-paid training, for an occupation that requires a base knowledge of technical topics as well as various documentation tools....am I the only person at a loss here?

Back to learning Python I go...

There Is a First Time For Everything

Over the past few years, I have attended the Security Bsides (3x), BlackHat USA (1), Defcon (1), InfoSec Europe (1), and RSA USA (1) conferences. I don't even know how many conferences my husband has attended…but there have been a few to say the least :)

Of all the conferences I have attended, the most enjoyable - for it's diversity, relaxed atmosphere, and openness is Security Bsides. What I love the most about Bsides is the fact that they are not only open to, but encourage new speakers to present. How awesome is that?

I decided this year to take them up on it and have had a talk accepted! While not considered technical, the topic does impact everyone in the IT sector. Here is the information on the presentation:

• Title: Never Mind Your Diet, Cut the Crap From Your Vocabulary
  
• Abstract:
  It is never too inchoate to commence elucidating your obfuscated intelligence. Have you ever really listened to yourself or read what you have written? How many words can be reworded or dropped from a sentence to make your message clearer?
  
  As a listener and reader, it is hard enough trying to remember the various InfoSec-specific acronyms without surrounding them with various $5 words and extra, fluffy crap.
  
  In this talk, I will truly show how cheap talk is by not wasting money on wordage.

While I am confident about creating a presentation and have delivered training, I am green when it comes to delivering a presentation at a conference. I am very excited about this talk...hopefully my nerves won't get the best of me. 

InfoSec Radio Challenge

Over the past few weeks I have started listening to podcasts, reading more blogs, and following more technical people and businesses on Twitter to increase my information security awareness.

While I have enjoyed the various podcasts and find the contributors fun to listen to, when there are more than 3 people multiple things happen; people start speaking over each other, each person wants to voice an opinion, and the podcast gets too long - I ultimately tune out.

While fewer people tend to keep my attention, unfortunately, I have yet to find a podcast that truly delivers what I am looking for. This might sound crazy, but I am looking for a podcast that operates kind of like a talk show - but with limited speakers and is done in 30-45 minutes.

Every podcast pretty much covers the same big news items of the previous week, but does not have anything new to add to what has already been blogged or tweeted. I want some variety - such as guest speakers, something new, or fun, random facts. 

• Guest speakers could be on to discuss their expertise in a specific field or perhaps provide a different perspective to an event from the previous week.
• The something new concept can be anything such as a challenge to listeners to create/develop something new (IT related preferably) and then have them share it on an upcoming episode.
• The facts don't have to be directly related to InfoSec and can be something simple as "On April 30th, 1803, the US doubled in size through the Louisiana Purchase, which was $15 million dollars." 

I guess what I am saying is that I want to truly learn something from a podcast. I want to finish listening to an episode yearning to tune in again. If such a podcast exists, please let me know!

How Flexible Are You?

When developing content around your security product, do you know…

• How the learners will implement your product?
• Exactly what the learners need to know to do their job?

How flexible is your training solution?

Can you easily swap content in/out to deliver customized training?

Do you have use cases for various job sectors?

Can you speak the speak of your product in the context of learner needs?

While there are various methods on how to deliver training, if you don't know your audience, the delivery method is irrelevant. When developing training, spend time planning a solution that can be easily tailored to various learners. Create stories to link content between course portions and labs so that learners have the skills and foundation to help build a complete solution with your product. Plan to constantly create new and revisit existing stories to reflect changes in job sectors.

If your training solution is developed effectively, you can easily swap use cases and alter portions of training to meet specific learner needs at a minimal development cost to you while impressing learners with customized training.