Recently in work-jobs Category

I have a visceral reaction every time I encounter yet another article bemoaning the so-called "talent gap" or "labor gap" in cybersecurity. Having been in and out of the job market several times over the past decade (for better and, more often, for worse), I can honestly say this is utter nonsense. The roots of this clamor began more than a decade ago in DC as federal agencies grappled with modernizing, making use of the annual Sept/Oct budget season to decry how poor and helpless they were in order to justify demands for ever-increasing budgets. Local universities (such as UMUC) quickly caught on to the marketing plan and rapidly launched a cybersecurity degree program. Meanwhile, ISC2 helped ensure that the CISSP was a mandatory component for hiring in many positions.

While I am still in the midst of a job search (one that's a year old at this point), I find I need to speak out on the recent TechCrunch OpEd piece "Too few cybersecurity professionals is a gigantic problem for 2019" in order to address some of the nonsensical statements made that really have no business being taken seriously. The author does get a couple things right, but not enough to compensate for perpetuating many myths that need to be put to rest.

Today marks the end of my first week in a new job. As of this past Monday, I am now a Manager, Security Engineering, with Pearson. I'll be handling a variety of responsibilities, initially mixed between security architecture and team management. I view this opportunity as a chance to reset my career after the myriad challenges experienced over the past decade. In particular, I will now finally be able to say I've had administrative responsibility for personnel, lack of which having held me back from career progression these past few years.

This change is a welcome one, and it will also be momentous in that it will see us leaving the NoVA/DC area next Summer. The destination is not finalized, but it seems likely to be Denver. While it's not the same as being in Montana, it's the Rockies and at elevation, which sounds good to me. Not to mention I know several people in the area and, in general, like it. Which is not to say that we dislike where we live today (despite the high price tag). It's just time for a change of scenery.

I plan to continue writing on the side here (and on LinkedIn), but the pace of writing may slow again in the short-term while I dedicate most of my energy to ramping up the day job. The good news, however, is this will afford me the opportunity to continue getting "real world" experience that can be translated and related in a hopefully meaningful manner.

Until next time, thanks and good luck!

Soul-crushing failure.

If asked, that is how I would describe the last 10 years of my career, since leaving AOL.

I made one mistake, one bad decision, and it's completely and thoroughly derailed my entire career. Worse, it's unclear if there's any path to recovery as failure piles on failure piles on failure.

Folks: Please stop calling every soup-to-nuts, everything-but-the-kitchen-sink security job a "security architect" role. It's harmful to the industry and it's doing you no favors trying to find the right resources. In fact, please stop posting these "one role does everything security under the sun" positions altogether. It's hurting your recruitment efforts, and it makes it incredibly difficult to find positions that are a good fit. Let me explain...

For starters, there are generally three classes of security people, management and pentesters aside:
- Analysts
- Engineers
- Architects

(Note that these terms tend to be loaded due to their use in other industries. In fact, in some states you might even have to come up with a different equivalent term for positions due to legal definitions (or licensing) of roles. Try to bear with me and just go with the flow, eh?)

I'm not completely sure why, but I've been holding off writing this post for a couple months now. Maybe, in part, I didn't want to jinx myself. Maybe, in part, I didn't want to open myself up to criticism or ridicule for Yet Another Job Change in such a short period of time. But... I think the time is now right to more publicly announce and talk about this transition, so here goes...

In mid-June I left Ellucian, where I'd been slamming my head against the wall for several months, and joined New Context as a "security architect" (or, as I put it on LinkedIn, "person of interest"). The title itself is somewhat irrelevant as it's not overly representative of my current responsibilities, which include biz dev, research / thought leadership, product management, and yes, likely, some consulting.

I plan to provide more updates in the coming months about some of the things I'm working on, such as around our Lean Security business management model, but I'll hold back on that for now.

In the meantime, if anybody wants to catch-up, or if there's interesting in bringing us in, please feel free to reach out! New Context has a very senior team that's very deep in areas like agile software development, DevOps engineering and infrastructure, as well as - of course - security. We have several awesome partners, too (a list that's constantly growing). If we can't help you out directly, then it's very likely we can connect you with someone who can.

I'm pleased to announce the formation of Falcon's View Consulting! This new business will initially be available on a part-time basis to provide security architecture advisory, "consulting CISO," and cybersecurity product marketing and strategy services.

More details will provided in the near future, but until then I wanted to get the official word out there. Feel free to ping me on Twitter (@falconsview) or email me (tomhave-at-secureconsulting-dot-net) for more information. I look forward to hearing from you!

Today, Friday the 13th, is my last day with Gartner. I've been onboard for almost exactly 21 months now and have learned quite a few things about how the analyst world works. But... it's time for a change. It's time to get back to more of a field role where I can feel like I'm making a difference, seeing the needle move little by little. This is something you don't typically get to see as an analyst because, out of the hundreds of interactions you have each year, /maybe/ 10% result in some form of feedback, and only a small portion of that feedback is particularly meaningful.

On Monday I start my new role as security architect with a local, public company - K12. They're a leading provider of online education services, which I find interesting and exciting. In many ways, this will be a green field opportunity for me, working as part of an enterprise architecture (EA) team as they pivot into more of a DevOps style approach. More than anything I'm greatly looking forward to getting back to more hands-on work where I can see the fruits of my labors.

I'll be reviving this blog in the coming weeks as I start to get my feet wet with various projects. I'll also be putting up a couple retrospective posts about my time as an analyst. I've received a handful of queries from folks interested in working for the company, and so one of these posts will specifically target that audience.

Overall, I'm very much looking forward to the new opportunity! I can't wait to see how well my theories play in the real world. There are lots of exciting options to be pursued here, ranging from security analytics to risk analytics to SecDevOps automation. :) Now to see what sticks and what doesn't!! :)

Hey folks! Secure Mentem is hiring! If you have any interest in working in a top-notch org doing security awareness as a service, then this is it! Details below:

Secure Mentem is looking for skilled security awareness practitioners to help serve our growing customer base from the Fortune 500 and beyond. The people will be expected to implement our patent-pending methodology of creating awareness programs, and providing the required level of support in implementing and maintaining the resulting programs.

You will use our proprietary assessment tools to determine the organizational culture and business driver, and then working with our team, design the customized program. Should there be a security awareness manager (SAM) in place, you will work to make that person look brilliant. If there is no SAM, then you will provide the defined level of support to help implement and maintain the program. You may also be called on to help clients with independent awareness efforts such as program design, implementation, internationalization, metrics, phishing program implementation, creating and/or staffing events, social engineering, content development, and other tasks associated with security awareness programs. Experience in multiple organizations and multiple industry sectors preferred.

Secure Mentem focuses on the human aspects of security. We pride ourselves on providing comprehensive security awareness solutions that are tailored to our clients' culture and the organization.

To apply, please send your resume, with a cover letter, to Samantha@securementem.com.

Join Us! SRMS has an opening!

We're hiring for the Security & Risk Management Strategies (SRMS) team within Gartner for Technical Professionals. Full details here.

Continue reading here...

Greetings! Today I bring you news of a job change.

As of this morning, I am officially onboard at Gartner. I'll be a Research Director within Gartner for Technical Professionals (the former Burton Group). I'll be reporting to Phil Schacter, and working with friends Anton Chuvakin and Erik Heidt.

Overall, I am incredibly excited for this move! It will mean less blogging here on this site (not that I've been able to post much lately anyway), but I will be getting a blog setup over in Gartnerland soon enough, and will do my best to post references back to that page as appropriate.

In answer to the question everybody asks: No, I don't know what coverage area(s) yet. Soon, though! :)