Scott Blake – “It never ceases to amaze me what security people won’t share with each other”

December 27, 2006

The 4th episode of the Technology Career Excellence podcast series involves Scott Blake, the CISO in Residence at Echelon One. This podcast is the first of three parts of the interview with Scott. In this episode, we discuss the mission of Echelon One and the nature of the CISO role.

In addition, Scott talks about how important it is to build a network of contacts within your community, and share information widely – this sort of networking is the only way to create the kind of upward spiral of information that is required to become better and faster within a given industry.

Give it a listen…


The Risk of Passion

December 27, 2006

Passion is a risk, especially in the large enterprise.


The Bloom is off the Certification Rose

December 21, 2006

From a recent Computer World Career Watch Article:

Pay for some certifications plummeted in the six months from April 1 to Oct. 1, according to a wide-ranging Foote Partners LLC survey covering 129 certification categories and 124 noncertified skills. The following are some particularly hard-hit certs:
     CompTIA Linux: -43%
     CompTIA Network Technician: -36%
     CompTIA Security+: -33%
     Cisco Certified Design Associate: -22%
     Cisco Certified Network Professional: -22%
     CompTIA Certified Technical Trainer: -22%
     Certified MySQL 4.0 Professional: -22%
     Citrix Certified Enterprise Administrator: -20%
     Microsoft Certified Trainer: -20%
     Microsoft Certified Database Administrator: -20%
     Cisco Certified Design Professional: -18%
     Microsoft Certified Systems Admin: Security: -13%
     Linux Professional Institute certification: -13%
     Cisco Certified Network Associate: -12%

I don’t know that I’m surprised by the trend – as Scott Blake pointed out on our recent teleseminar (podcast up in the next couple of days), the future of IT isn’t really the certified IT pro as much as it is someone who can translate business needs into computer systems.

I once had a long talk with a mentor of mine who asserted that, 100 years from now, the IT staff was going to be the equivalent of operations staff: that IT would be in the same department as facilities, HVAC and the security guards at the door. While I didn’t quite agree, I definitely can’t say that I disagree – at the point that the level of abstraction is high enough that the value added is at the business/contextual level rather than at the level of content, it seems that IT becomes part of a maintenance function rather than an executive-level business driver (beyond the COO and VP of Operations).

(Aside: I wonder if I should worry, given that I have my CCNA and LPI certs.)


The Security Talent War

December 20, 2006

You know, Mike Rothman’s Daily Incite is one of my favorite sources of security news. He recently posted about McAfee’s recent survey on security talent. Rothman’s point:

We security folks need to build a farm system. I’ve supported vendors that sponsor college programs and it would be great to see more of that. But the fact remains that if you can deal with the job (and many can’t), it’s a sellers market for security talent and will remain that way for a long time to come.

Here’s where I’d stand up and applaud if I were in the audience. Bravo, Mike. Well said.

But I think it goes deeper than just building a farm system – we need to build a talent creation system. My goal on every team that I’ve been on in my security career has been to create a system where we could take people who weren’t grey-beard, old-school veterans of security and turn them into extremely capable and high-performing talent in as short a time as possible (usually less than 3 months).

There are three parts to the equation for winning the talent war in information security – I’ll probably be ranti… uh, talking about these parts in greater depth over the coming months. But, the short version is simple:

     1. Hiring For Growth
     2. Creating a Talent Acquisition Structure
     3. Creating a Knowledge Growth Culture

Of these, #1 is easily the most important. Really, building a team of great security people is much like real-estate – the profit is made when you buy the property (as goes the old maxim). Simply put, if you hire correctly, the other two take care of themselves.

Unfortunately, most people don’t do a great job of hiring – we rely too much on interviews and job descriptions that describe the task without describing the actual requirements.


Dealbreakers

December 20, 2006

One of the most important things to understand and get clear on when thinking about your calling and your vision for your life is your values – what truly matters to you and how you want to live your life. This is especially important when searching for a new opportunity. The culture of the organization that you work with has to represent (or, minimally, be accepting of) your values in order for you to be truly fulfilled.

While most people out there talk about values elicitation in a positive frame (“Think about those things that matter to you” type stuff), one of the tricks I’ve found is that choosing a negative frame can help you understand some of your values that you hadn’t thought of before.

My favorite way of asking it: “What, if your company or boss did it, would be a complete deal-breaker for you? What would make you completely disengage?”

You may find that you get answers that you wouldn’t have thought of otherwise. I know that I did. While I hadn’t originally thought of it, one of the things that is a fundamental value for me is the culture of taking ideas for their value, rather than by position or other external factor. That is, that everyone’s ideas have equal merit based on the idea, not based on who the speaker is or what their role is.

It’s a value that I’ve always held implicitly and it has been a part of all of the truly fulfilling cultures I’ve been a part of. But I wouldn’t have thought to call it out explicitly unless I looked at what I would notice when that isn’t present in an environment I’m in, and how I react.

What are the dealbreakers for you? What could your company (or prospective company) do that would make you not want to work for them any more?


Top 3 Counter-Intuitive Marketing Tips

December 15, 2006

While (as Mike Rothman points out) my job title has never formally had the word “marketing” in it, I’ve been a marketer for years – building a personal brand, a team that people want to be on, or a well-trafficked blog, or a small business are all jobs that have marketing in their job description. From that perspective, here are my Top 3 Counter-Intuitive Marketing Tips:

1. Consistency is key – Rothman is right. Consistent effort and messaging is the key to having any success. And it’s a slow growth effort – note that I never once said that marketing was a QUICK fix. Just that it’s the fix.
1′. Consistency is the hobgoblin of little minds – Doing the same thing over and over again in the same way is guaranteed to reach some of the people some of the time. But pushing your message through multiple channels and in multiple different ways is the only way to really get through to a significant number of people out there.
2. Pick a Position that You Want and Drive Towards It – one of the keys to success is to know how you want to be positioned, and to drive your efforts and messaging toward establishing that position.
2′. Positioning is developed only in relationship to your customers – Positioning requires that you interact with your customers. And, no matter what you want your position to be, their interaction with you will decide your true market position. If you build a Hyundai and sell a Hyundai, all the marketing in the world won’t position you as a Ferrari.
3. Marketing is a 100% Full-time All-Out Effort – you should be spending 100% of your time marketing. Whether your job is to deliver product, be the CEO, or the security administrator, you should be spending all of your time spreading your message and getting everyone clear on who you are and what you are delivering.
3′. Marketing is a One-Time Event – Marketing is simple: decide who you are and what needs that fills. Then, go make noise by doing that as well as possible and let everyone know about it while you’re doing it. Spend no time on “marketing” and all of your time on being front-and-center as the best you that you can be.


5 Tests to Determine if You’re an Employer of Choice

December 14, 2006

I was talking the other day with a friend about what it means to be an employer of choice, and we started discussing the typical failure of organizational self-awareness. Neither of us could really think of an employer that didn’t refer to itself as an employer of choice nor one who thought that they hired the best people and made them happy. (Remember, everyone’s people are their #1 resource).

So, I put together a list of quick and simple tests that will help anyone determine if they’re failing to really be an employer of choice.

1. Walk through the sales department at 9AM and then again through the R&D/IT department at 5:30 PM and count the people. Do this on three consecutive days (not near Christmas). Worry if you find less than 50% of people in attendance across all 3 days.

2. Announce an extremely well-rewarded referral program (or announce a significant bonus for one open but non-specialty position if you have a current referral program). Make the payment at least 30% higher than what you would consider an “outstanding bonus”. Worry if you have less than a full pipeline of resumes after 2 weeks.

3. Google your company’s name and make a sentence describing your company out of the first 10 adjectives that you find that weren’t generated by your own PR and Marketing efforts.

4. Search for your company’s name on MySpace. Note what people have to say on their MySpace pages about work.

5. Read your employees’ personal blogs. Worry if you don’t know where any of them are or if you think they don’t have blogs.

Any one of these may not be indicative of a problem in and of itself. But if you find yourself not performing well on several of these tests, it’s worth considering that perhaps you’re not treating your employees as well as you should be.


Lee Kushner – Building a Great Security Career

December 14, 2006

In this entry of the podcast, I talk with Lee Kushner about the security world and how to build a career in it. His wit and humor, as well as his knowledge and wisdom are evident as we cover a wide range of topics around security and how to make a living and a life in it.

We also tell the amazingly interesting story of how we met, which I alluded to in this post and how serendipity often comes of building an incredible network.

Check out the podcast here.


A New Model for Coaching

December 5, 2006

My recent foray into the Learning Annex series has me thinking about a lot of things. But the one that comes up the most prominently this morning is around coaching.

When he was on stage, Tony Robbins had a bit of a rant about the lack of results-focus in life coaching. And that was really driven home to me while watching the Raymond Aaron talk. Raymond Aaron offered a “Monthly Mentorship” program, where he promised that you would see a massive increase in your income based on the work that he would do with you. (Which mostly seemed to focus on the idea that if you keep your desk and house clean, there will be “room for money to flow into your life”. I can’t help but doubt that one.)

But, for all of his boasting about results, his program had a cost that wasn’t tied to results at all. In fact, you pay Raymond Aaron whether you get results or not.

I’ve been wondering if there’s another model for coaching out there. Is there a model where coaches are incented to get results through the structure of their compensation?

Melina and I were talking about whether a model similar to that which recruiters and realtors use would work for coaching careers – take the person’s salary at the time that you start working together, and get paid a small amount (e.g. $150/month), plus an incentive plan (e.g. 5% of any increase in income that happens after you start working together).

I know that there are a few coaches that read this blog – what do you think of this? Would it work? What are the upside and downside to the idea?

If you’re not a coach, would you be more likely to use a coach if you knew that you’d only pay them if they got results?


Podcast – Tim Keanini on Networking, Creativity and Tech Skills

December 4, 2006

Recently, Tim Keanini of nCircle and I sat down to talk about how TK has created an incredible career in IT and Information Security.

Through the conversation we had, we touched on quite a few interesting topics, including the ones above, as well as the importance of focus and passion, the way that you keep yourself engaged over the long term, and the importance of synthetic knowledge.

Download the podcast here.
