Thursday, March 28, 2013

Why Get Out of the Cavern?


InfoSec, like many professions, has a known echo chamber. The same people that joke about it are the same people that contribute to it the most.

The repetition appears in tweets, blog posts, podcasts, and at conferences. 
  • How many panel discussions held at conferences actually have led to known change? 
  • How many presentations and panels at conferences are identical or repeated at different conferences and every year? 
  • How many times has someone posted/tweeted something only to be told that someone else spoke/wrote about the same thing months or even years ago?
  • How often are new speakers and actual new topics accepted and presented at conferences?

While the InfoSec space has a fairly large echo chamber, it is also a rather harsh space in which to work. Someone makes a mistake - tweets go out, blogs are written, podcasts analyze it, and a TV reporter might conduct interviews about it. How often do people in the InfoSec space praise each other? While it might be difficult to recognize successes in InfoSec, there are far more companies that don't make the news for negative reasons. I would like to think that the people securing the companies are doing something right or well. People that read this are probably thinking that any company not exposed for a compromise must be hiding or not sharing information. If a company is compromised and immediately takes the necessary steps to fix the problem without the company making headlines or killing a Twitter feed, is that a bad thing?

The echo chamber makes me laugh at least once a day with the overuse of acronyms and repeated "this doesn't work, we need to change" mentality. As I watch my Twitter feed roll by with a fair amount of negativity, I wonder where the leaders are with ideas on how to change and improve the InfoSec space. I believe that many of them are working quietly and implementing controls to keep their company or business safe. I would love to hear from them, but suspect they feel safer keeping quiet.

Wednesday, March 20, 2013

Stand Up for Yourself


I was raised to stand up and speak. If someone or something upset me, I was encouraged to address the situation by myself. If I went crying to my mother or father, I was asked "did you tell him/her…?". To transition me into handling situations on my own, my parents would handle some issues on my behalf while I stood there to watch, listen, and learn.

Now that I am well into my 30s, it has been over 20 years since my parents transitioned this responsibility to me. What does this mean? If someone upsets me enough, I confront the person directly. I don't go complaining to someone else to have them handle it. 

Please people - if you are anywhere and something upsets you, talk it out with the source. Assuming most people reading this are well out of grade school, grow up, be an adult, and handle the situation yourself. Organizers of events are not babysitters or parental figures there to take care of the children that inevitably make their way into the event.

Women working in InfoSec trying to get others into the InfoSec space, be leaders, speak up, and act for yourself - at events, in the workplace, and in life. By avoiding these situations and having others deal with the situation you are not empowering women but instead making you, and women in general, look weak.

Thursday, March 14, 2013

Women In InfoSec

In high school, I studied business courses and architecture because I wanted to design and build homes. In my final year of high school, I took part in a Junior Achievers (JA) program, which was sponsored by a local high-tech company. Long story short - a mentor in this program suggested studying Information Systems because it covered "everything to do with computers" at the time. I read up on it, it was new and sounded interesting, so I figured why not and changed my college focus.

While taking this program, the number of women also taking this program was slim - maybe 4 in a class of 40 people. Did it bother me? Not one bit.

In my work life I have done the following:
  • Provided technical support for a technical documentation department
  • Provided support, training, and documentation for clients of a product data management product
  • Provided technical support and provisioning services at an internet service provider (ISP)
  • Developed and delivered various technical training content
  • Developed developer-focused documentation
In all of these roles, I have worked directly with approximately 20 women and I can name them all. Does it bother me? Not one bit.

Why do I not care about how many women I work with? I want to work with people that speak the same language, know the same stuff or more than me, and enjoy doing what they do. If women are not interested in the IT field, then fine. There are lots of other occupations they can pursue. 

As with any occupation, pursue whatever interests you and do what it takes to get there.

Who knows, perhaps I will go back to designing homes as a career instead of a hobby. 

Monday, March 11, 2013

Blog Purpose

Over the years I have contemplated having a blog. For a couple of years, I even had my full name dot ca registered with the purpose of being a blog and a bit about me. Quickly, I ran into the problem of what I would blog about. What do I have to write about that anyone might be interested in reading? I couldn't come up with anything and eventually let the domain expire.

A few people in InfoSec know me, not because of who I am, but because of my husband. I am ok with this. I like to keep a rather low profile and be the observer rather than the observed. While contributing to the InfoSec space as an educator and writer, many people do not know much about me because my work has typically been owned by the clients for which I write. To find out more about me in my career, check out my LinkedIn profile.

While choosing to move around with and support my husband with his career, I have sat quietly and shared my thoughts privately with him and a few close friends. When my husband has shared stories and work experiences, I have paid attention and remembered names - so that when meeting these people, I can shake their hands and know who they are; at least in some context. I always enjoy seeing the surprised looks on people's faces when I meet them and indicate that I know who they are.

In 2012, we relocated to California to pursue what seemed like the next natural progression in Andrew's career. For me, this meant that I was forced to quit my job of over 6 years (most of it spent working remotely wherever we were living) and find a US-based employer. This new opportunity excited me very much.

As part of living in the US, especially in the Bay Area, I have met a lot of the names behind the stories and am being more exposed to the InfoSec space. My purpose for this blog is to share my side of InfoSec and living in California. Some posts might be viewed as "the wife perspective" - and they might be. But this is my blog, my opinion, and my experiences.