Wednesday, June 5, 2013

More Dreaming

Today my favourite analyst and security podcaster Javvad Malik put out the following tweet:



While I am not a "security peep", in that my role does not fall within the jobs that typically report to a CSO/CISO, I work in the security space. I also enjoy the InfoSec community and aim to contribute to it as best that I can.

When I read Javvad's tweet, I saw a bunch of quick responses from various people, while I sat back and really thought about it. Keeping in mind the InfoSec space is global and recognizing that I only know a few people, I thought about this off and on for a couple of hours. I also thought about what InfoSec meant to me and, of the people I do know, who I would love to work with.

The top of my list will always be Andrew Hay. I know many people will assume it is because he is my husband - please do not assume. Not only do I respect Andrew as a person, I admire his work ethic and have worked with him in the past; in fact we met at work.

In addition to Andrew, the following people came to mind:

  • Dave Shackleford: If you have the pleasure of meeting Dave or seeing him present, you will understand why he is on this list. He is a wealth of knowledge, engaged in the community, full of energy, and honest. Dave loves to share what he knows and enjoys a good debate.
  • Wendy Nather: This woman is simply fantastic. For various reasons, she receives a lot of respect from everyone in InfoSec. Wendy, while very knowledgeable, is also a natural presenter and very respectful to everyone around her.
  • Brian Honan: In addition to being Irish, a beer connoisseur, and a rugby fan, Brian is very active in the InfoSec space. He is extremely knowledgeable in various aspects of InfoSec and is simply a great guy, who is also very humble.
  • Matt Johansen: Over the past few years, Matt has really stood out to me in the InfoSec space. I am fairly certain he is the youngest person on my list, but don't let his age fool you. He has moved his way up at WhiteHat Security, presents at conferences, and contributes to the LiquidMatrix podcast.
  • Javvad Malik: Javvad is another great guy. Of all the people in InfoSec, I think Javvad is the friendliest. He's another smart guy that loves to engage in the community and contributes in presentations and through his own podcast.
  • Alison Gianotto: Alison is a fantastic blend of smarts and humour. I started following Alison on twitter because of an interaction she had with someone else. She drew me in with her humour and sarcasm and I haven't looked back. Over the past few months, I have learned more about her and, while I have yet to meet Alison, she has earned my respect and admiration.
  • Jennifer Leggio: Jennifer is like me - she works in the security space - but wouldn't be considered a "security peep". That being said, you'd be hard pressed to find someone who has not at least heard of her. Jennifer is a workhorse and probably the most non-security-peep involved in the security space. She has a huge following simply because she brought the InfoSec space together through the Security Bloggers Meetup and everyone respects her.
The main reason this group comes to the top of my list is because I believe they contribute to the InfoSec space positively. Not only are they active in InfoSec, they are a great group to interact with. While many people go on and off my Twitter following list, this group will always remain on it.

Now, if only I could think of a business for us all to work together.

Wednesday, May 29, 2013

Dream a Little Dream

We moved to the US in August 2012. I was very excited for the move because it meant for the first time in years, I was going to be able to pursue a new job in a large area with lots of job opportunities. Since moving down here, I've been trying hard to better work-define me. I know the type of company I want to work for and there are only a handful of canned job descriptions that I submit my resume to.

While my job history does not show an escalation in responsibility, I have worked various jobs that are all connected by my ability to do technical training - whether it be for coworkers or clients. 

My last Canada-based job had me doing lots of things, which I loved. I did product research as well as content and lab development. I was also in a leadership role - a role that had me reviewing the work of junior resources and content from subject matter experts (SMEs), as well as project leading internal and client resources. Unfortunately, there was no room for job advancement and I want to move up.

After a few weeks away from this job I have realized that I miss project leadership. I've applied to senior, lead, and management positions since moving here and been called out by the hiring people for applying to the positions. They read my resume and don't see a previous job title with the similar "senior" or "manager" titles and are not convinced I can lead a group of people. I explain how I have led various projects (sometimes as many as 12 at one time) while also managing the associated resources and keeping projects on time and budget. I even have a lovely reference letter from a previous client that supports me in a leadership role, which I provide when applying to these roles.

I KNOW I can do these jobs - if I didn't, I wouldn't have applied. 

This morning, Ms. Snipe, who happens to be my most favorite person to follow on Twitter, put out this tweet:



She got me thinking about my work luck. I don't think I have been unlucky with work. I have worked for a variety of companies - different service offerings, different organizational structures, and very different head counts. I have seen and experienced a lot and I have no regrets.

Where I am stuck now is this: with almost 20 years' experience in tech and training, the last 6+ as a leader, what can I do to further prove myself as a group leader to get that manager role?

While I am not overly aggressive, I am very confident in myself and my abilities. I would love any advice - seriously.

Thursday, May 23, 2013

I Wanna Be Heard

A couple of weeks ago I blogged about presenting at BsidesLV. I am definitely excited, but am also quite nervous because I have never presented at a conference before. I am also still new to the conference scene, having only been to a handful of conferences and attended or watched a few talks. 

Even though I have only seen a few presentations, I have learned lots about what is rare at conferences:
  • Great presenters
  • Variety of perspectives
  • Variety of topics between and at the same conferences
  • Variety of presenters between and at the same conferences

What I fail to understand about conferences is the persistent group of presenters/speakers - I will abbreviate this to PGPs. The PGPs are the same names that seem to get on the list for most of the conferences and talk about the same things. Conferences claim to be better or different than other conferences, yet I have not seen a variety when it comes to the bigger, well known conferences.

This leaves me with two questions:
  • Is this a conference issue where the PGP name and/or company where they work are recognized and almost automatically accepted?
  • Is it a game played by the PGPs to submit as many talks as possible to earn some air miles and share the same word with a lot of the same people throughout the year?

I've been watching my twitter feed as people mention if they have or have not been accepted for BlackHat USA this coming summer. What I have noticed is an increase in new presenters - which is very exciting. I hope there are also new topics to go along with the new faces.

Wednesday, May 15, 2013

You Want to Learn What?


This has been the question posed to me repeatedly while working as a technical writer, trainer, and course developer. Since graduating from college, where I learned C, C++, COBOL, and Visual Basic, software development has changed just a little bit. While I might be long out of full time college courses, I want to continue learning so that I can continue to be an asset to any company. 

I have asked for training in Flash and various programming languages and all requests have been rejected because the company-specific value-add is not apparent. Oddly enough, when an obvious need for software training has come up (client requirement) I have also never received any formal training. The approach has always been "This is what we are using - figure it out"…good thing I am a quick learner and can read a manual.

For an idea of why I think training for technical writers is required, here is a portion from the qualifications section of an active job posting for a Technical Writer:
  • Minimum of 2 years experience documenting some of the following: application end-user guides, system administration guides, API guides or comparable content.
  • Advanced Microsoft Office skills, especially Word, Excel, Powerpoint, and Outlook. SharePoint experience a plus. 
  • Demonstrated ability to write and publish documents using FrameMaker and Adobe Acrobat Professional, screen capture software; Madcap Flare experience a plus.
  • Experience documenting Java, Web Services (SOAP/REST) APIs, comfortable working with code snippets and design/functional specifications a plus

While I know lots of people do not receive company-paid training, for an occupation that requires a base knowledge of technical topics as well as various documentation tools....am I the only person at a loss here?

Back to learning Python I go...

Monday, May 6, 2013

There Is a First Time For Everything


Over the past few years, I have attended the Security Bsides (3x), BlackHat USA (1), Defcon (1), InfoSec Europe (1), and RSA USA (1) conferences. I don't even know how many conferences my husband has attended…but there have been a few to say the least :)

Of all the conferences I have attended, the most enjoyable - for its diversity, relaxed atmosphere, and openness - is Security Bsides. What I love the most about Bsides is the fact that they are not only open to, but encourage new speakers to present. How awesome is that?

I decided this year to take them up on it and have had a talk accepted! While not considered technical, the topic does impact everyone in the IT sector. Here is the information on the presentation:

  • Title: Never Mind Your Diet, Cut the Crap From Your Vocabulary
  • Abstract:
    It is never too inchoate to commence elucidating your obfuscated intelligence. Have you ever really listened to yourself or read what you have written? How many words can be reworded or dropped from a sentence to make your message clearer?

    As a listener and reader, it is hard enough trying to remember the various InfoSec-specific acronyms without surrounding them with various $5 words and extra, fluffy crap.

    In this talk, I will truly show how cheap talk is by not wasting money on wordage.

While I am confident about creating a presentation and have delivered training, I am green when it comes to delivering a presentation at a conference. I am very excited about this talk...hopefully my nerves won't get the best of me. 

Tuesday, April 30, 2013

InfoSec Radio Challenge


Over the past few weeks I have started listening to podcasts, reading more blogs, and following more technical people and businesses on Twitter to increase my information security awareness.

While I have enjoyed the various podcasts and find the contributors fun to listen to, when there are more than 3 people multiple things happen: people start speaking over each other, each person wants to voice an opinion, and the podcast gets too long - I ultimately tune out.

While fewer people tend to keep my attention, unfortunately, I have yet to find a podcast that truly delivers what I am looking for. This might sound crazy, but I am looking for a podcast that operates kind of like a talk show - but with limited speakers and is done in 30-45 minutes.

Every podcast pretty much covers the same big news items of the previous week, but does not have anything new to add to what has already been blogged or tweeted. I want some variety - such as guest speakers, something new, or fun, random facts. 
  • Guest speakers could be on to discuss their expertise in a specific field or perhaps provide a different perspective to an event from the previous week.
  • The something new concept can be anything such as a challenge to listeners to create/develop something new (IT related preferably) and then have them share it on an upcoming episode.
  • The facts don't have to be directly related to InfoSec and can be something as simple as "On April 30th, 1803, the US doubled in size through the Louisiana Purchase, which was $15 million dollars."
I guess what I am saying is that I want to truly learn something from a podcast. I want to finish listening to an episode yearning to tune in again. If such a podcast exists, please let me know!

Wednesday, April 24, 2013

How Flexible Are You?


When developing content around your security product, do you know…
  • How the learners will implement your product?
  • Exactly what the learners need to know to do their job?

How flexible is your training solution?
Can you easily swap content in/out to deliver customized training?
Do you have use cases for various job sectors?
Can you speak the speak of your product in the context of learner needs?

While there are various methods on how to deliver training, if you don't know your audience, the delivery method is irrelevant. When developing training, spend time planning a solution that can be easily tailored to various learners. Create stories to link content between course portions and labs so that learners have the skills and foundation to help build a complete solution with your product. Plan to constantly create new and revisit existing stories to reflect changes in job sectors.

If your training solution is developed effectively, you can easily swap use cases and alter portions of training to meet specific learner needs at a minimal development cost to you while impressing learners with customized training.

Wednesday, April 17, 2013

So You've Got a Thesaurus


You say bifurcate, I say split.
You say multifarious, I say diverse.
You say superannuated, I say old.

When speaking or writing, if you really want people to hear what you are saying and understand the message you are trying to convey, think about the words you use.

If listeners or readers need to take time translating your words then your message might be lost. Unfortunately, you might also make the people listening or reading feel stupid or you might come across as arrogant. You might even lose respect and credibility because people might think you are using big words to hide your lack of knowledge.

So put the thesaurus away and elucidate your obfuscated intelligence.

Tuesday, April 9, 2013

Governments and Corporations Need People Like You and Me


A couple of weeks ago I wrote about the echo chamber and the negativity within the InfoSec community. While there are negatives to InfoSec, and the IT sector in general, the positives will always outweigh the negatives.

What makes IT stand out from other professions?
  • How many job sectors depend on the IT sector?
  • How many job sectors truly have a world-wide community with overall common goals?
  • How many professions provide the opportunity for continual learning and improvement?
  • How many professions have multiple aspects and moving parts to provide constant challenges?
  • Which other job sectors offer multiple, some would say too many, gatherings in various countries throughout the year?
  • How many job sectors evolve consistently enough that the political and legal sectors cannot, and probably will never be able to, keep up?

I love IT…I love how it constantly challenges me and keeps me learning…I love how many people I have met and interact with using tools created in the IT sector.

Wednesday, April 3, 2013

Help Me Help You


Everyone has had at least one, but typically multiple, bad experiences with technical documentation. There really is an easy way to fix bad documentation. Hire someone that has a good base technical knowledge with strong writing skills and include them in the business. The best writer has probably done more than just writing - while this may not be reflected in a previous job title, it will be apparent in the skill set and aspects of previous job functions. You can test this knowledge by having the writer explain code, describe the product or service from a previous job, or write about a topic related to your product or service.

If you are fortunate enough to find a strong writer with a good technical background - maximize this resource. If you really want to make your documentation stand out, include your technical writer in every single aspect of the company. The best technical writers are included in development meetings, help address support issues, assist sales and marketing with content, and develop and conduct quality reviews, product testing, and training. More importantly, the best technical writers can do all of this and speak the speak of not only the company, but the product or service being provided.

Crazy, right? The best job that I ever had had me doing support, testing, training, and writing -> I still remember aspects of this product because I was probably more involved in it than most other people in my department. 

Thursday, March 28, 2013

Why Get Out of the Cavern?


InfoSec, like many professions, has a known echo chamber. The same people that joke about it are the same people that contribute to it the most.

The repetition appears in tweets, blog posts, podcasts, and at conferences. 
  • How many panel discussions held at conferences actually have led to known change? 
  • How many presentations and panels at conferences are identical or repeated at different conferences and every year? 
  • How many times has someone posted/tweeted something only to be told that someone else spoke/wrote about the same thing months or even years ago?
  • How often are new speakers and actual new topics accepted and presented at conferences?

While the InfoSec space has a fairly large echo chamber, it is also a rather harsh space in which to work. Someone makes a mistake - tweets go out, blogs are written, podcasts analyze it, and a TV reporter might conduct interviews about it. How often do people in the InfoSec space praise each other? While it might be difficult to recognize successes in InfoSec, there are far more companies that don't make the news for negative reasons. I would like to think that the people securing the companies are doing something right or well. People that read this are probably thinking that any company not exposed for a compromise must be hiding or not sharing information. If a company is compromised and immediately takes the necessary steps to fix the problem without the company making headlines or killing a twitter feed, is that a bad thing?

The echo chamber makes me laugh at least once a day with the overuse of acronyms and repeated "this doesn't work, we need to change" mentality. As I watch my twitter feed roll by with a fair amount of negativity, I wonder where the leaders are with ideas on how to change and improve the InfoSec space. I believe that many of them are working quietly and implementing controls to keep their company or business safe. I would love to hear from them, but suspect they feel safer keeping quiet.

Wednesday, March 20, 2013

Stand Up for Yourself


I was raised to stand up and speak. If someone or something upset me, I was encouraged to address the situation by myself. If I went crying to my mother or father, I was asked "did you tell him/her…?". To transition me into handling situations on my own, my parents would handle some issues on my behalf while I stood there to watch, listen, and learn.

Now that I am well into my 30s, it has been over 20 years since my parents transitioned this responsibility to me. What does this mean? If someone upsets me enough, I confront the person directly. I don't go complaining to someone else to have them handle it. 

Please people - if you are anywhere and something upsets you, talk it out with the source. Assuming most people reading this are well out of grade school, grow up, be an adult, and handle the situation yourself. Organizers of events are not babysitters or parental figures there to take care of the children that inevitably make their way into the event.

Women working in InfoSec trying to get others into the InfoSec space, be leaders, speak up, and act for yourself - at events, in the workplace, and in life. By avoiding these situations and having others deal with the situation you are not empowering women but instead making you, and women in general, look weak.

Thursday, March 14, 2013

Women In InfoSec

In high school, I studied business courses and architecture because I wanted to design and build homes. In my final year of high school, I took part in a Junior Achievers (JA) program, which was sponsored by a local high-tech company. Long story short - a mentor in this program suggested studying Information Systems because it covered "everything to do with computers" at the time. I read up on it, it was new and sounded interesting, so I figured why not and changed my college focus.

While taking this program, the number of women also taking this program was slim - maybe 4 in a class of 40 people. Did it bother me? Not one bit.

In my work life I have done the following:
  • Provided technical support for a technical documentation department
  • Provided support, training, and documentation for clients of a product data management product
  • Provided technical support and provisioning services at an internet service provider (ISP)
  • Developed and delivered various technical training content
  • Developed developer-focused documentation
In all of these roles, I have worked directly with approximately 20 women and I can name them all. Does it bother me? Not one bit.

Why do I not care about how many women I work with? I want to work with people that speak the same language, know the same stuff or more than me, and enjoy doing what they do. If women are not interested in the IT field, then fine. There are lots of other occupations they can pursue. 

As with any occupation, pursue whatever interests you and do what it takes to get there.

Who knows, perhaps I will go back to designing homes as a career instead of a hobby. 

Monday, March 11, 2013

Blog Purpose

Over the years I have contemplated having a blog. For a couple of years, I even had my full name dot ca registered with the purpose of being a blog and a bit about me. Quickly, I ran into the problem of what I would blog about. What do I have to write about that anyone might be interested in reading? I couldn't come up with anything and eventually let the domain expire.

A few people in InfoSec know me, not because of who I am, but because of my husband. I am ok with this. I like to keep a rather low profile and be the observer rather than the observed. While contributing to the InfoSec space as an educator and writer, many people do not know much about me because my work has typically been owned by the clients for which I write. To find out more about me in my career, check out my LinkedIn profile.

While choosing to move around with and support my husband with his career, I have sat quietly and shared my thoughts privately with him and a few close friends. When my husband has shared stories and work experiences, I have paid attention and remembered names - so that when meeting these people, I can shake their hands and know who they are; at least in some context. I always enjoy seeing the surprised looks on people's faces when I meet them and indicate that I know who they are.

In 2012, we relocated to California to pursue what seemed like the next natural progression in Andrew's career. For me, this meant that I was forced to quit my job of over 6 years (most of it spent working remotely wherever we were living) and find a US-based employer. This new opportunity excited me very much.

As part of living in the US, especially in the Bay area, I have met a lot of the names behind the stories and am being more exposed to the InfoSec space. My purpose for this blog is to share my side of InfoSec and living in California. Some posts might be viewed as "the wife perspective" - and they might be. But this is my blog, my opinion, and my experiences.