August 2017 Archives

Introducing Behavioral Information Security

By Ben Tomhave on August 29, 2017 9:37 AM

I recently had the privilege of attending BJ Fogg's Behavior Design Boot Camp. For those unfamiliar with Fogg's work, he started out doing research on Persuasive Technology back in the 90s, which has become the basis for most modern uses of technology to influence people (for example, use of Facebook user data to influence the 2016 US Presidential Election). The focus of the boot camp was around "behavior design," which was suggested to me by a friend who's a leading expert in modern, progress security awareness program management.

Thinking about how best to apply this new-found knowledge, I've been mulling opportunities for application of Fogg models and methods. Suddenly, it occurred to me, "Hey, you know what we really need is a new sub-field that combines all aspects of security behavior design, such as security awareness, anti-phishing, social engineering, and even UEBA." I concluded that maybe this sub-field would be called something like "behavioral security" and started doing searches on the topic.

Continue reading Introducing Behavioral Information Security.

Confessions of an InfoSec Burnout

By Ben Tomhave on August 29, 2017 9:34 AM

Soul-crushing failure.

If asked, that is how I would describe the last 10 years of my career, since leaving AOL.

I made one mistake, one bad decision, and it's completely and thoroughly derailed my entire career. Worse, it's unclear if there's any path to recovery as failure piles on failure piles on failure.

Continue reading Confessions of an InfoSec Burnout.

On Titles, Jobs, and Job Descriptions (Not All Roles Are Architects)

By Ben Tomhave on August 2, 2017 8:16 AM

Folks: Please stop calling every soup-to-nuts, everything-but-the-kitchen-sink security job a "security architect" role. It's harmful to the industry and it's doing you no favors trying to find the right resources. In fact, please stop posting these "one role does everything security under the sun" positions altogether. It's hurting your recruitment efforts, and it makes it incredibly difficult to find positions that are a good fit. Let me explain...

For starters, there are generally three classes of security people, management and pentesters aside:
- Analysts
- Engineers
- Architects

(Note that these terms tend to be loaded due to their use in other industries. In fact, in some states you might even have to come up with a different equivalent term for positions due to legal definitions (or licensing) of roles. Try to bear with me and just go with the flow, eh?)

Continue reading On Titles, Jobs, and Job Descriptions (Not All Roles Are Architects).
« March 2017 | Main Index | Archives | September 2017 »

Search

About this Archive

This page is an archive of entries from August 2017 listed from newest to oldest.

March 2017 is the previous archive.

September 2017 is the next archive.

Find recent content on the main index or look in the archives to find all content.

Categories

Monthly Archives

Pages

  • about
Powered by Movable Type 6.3.7