Infosec and the Value of Twitter

by kriggins on December 13, 2012

in Career

The title to this post is a bit of a lie. Well...not a lie so much as a bit restrictive. The value of Twitter I am referring to is that of community and mutual support.

I have a friend, we'll call him Bob, who is somewhat early in his Infosec career and had some questions. He was looking for some advice.

He reached out on Twitter asking if anybody would be willing to chat with him about his situation. We spoke last night, but this is not about me. It's about how with one simple request, Bob was able to have chats with five additional people, all of whom I know and respect.

How else would a relative newcomer working for a small company have been able to draw on the experience of well-established professionals in a range of industries spread across the globe?

Community, mutual support, knowledge sharing, and, yes, occasionally a kick in the pants. These are the things that the Infosec community on Twitter offers. All you have to do is be willing to be a part of it.

So. The next time someone says you are wasting your time on Twitter, just nod your head, smile a private smile, and move on.

You know different.

And that's all that's important.

To my friends that helped out Bob; Elizabeth (@elizmmartin), Michael (@catalyst), Michael (@securitymoey), Brian (@brianhonan), and Kai (@kairorer), thank you for being who you are.

To the list of people that have helped me over the years I've been on Twitter, too many to name, thank you for being who you are too!


PS - You should follow those folks!


InfoSec Certification: Worth It or Not?

by kriggins on March 18, 2011

in Career, General

It is a never ending conversation. Is getting an InfoSec certification worth it or not? Of course, the same question can be asked about any industry certification, but that's not the point. Mike and Lee over at InfoSecLeaders are running a survey to delve into this topic. From a recent blog post:

Mike and I want everyone to know that we are off to a very good start for the Value of Certification Survey. We are steadily approaching 750 responses, but we have lofty goals. In the data that we have collected so far, the responses have been very interesting and eye-opening.

Give them a hand and head on over and complete the survey.

You can reach the survey here: Value of Certification Survey




More There Than the Title Says

by kriggins on February 16, 2011

in Career, Risk Management

It is not often that I highlight a single post from somebody else here on Infosec Ramblings, but every once in a while I come across something that deserves to have a bit brighter light shined on it.

Russel has written a post on The New School of Information Security blog entitled Would a CISO benefit from an MBA education? That's a good question and he brings some good thoughts to the table about the issue.

However, there is some additional information in that post and the comments that follow, along with links to other resources, that anybody who is interested in becoming a CISO should give a read. Truly awesome stuff.

Just to be clear, I do not mean to belittle the original purpose of the article or its content that addresses that question. The question is a good one, Russel's words are great, and he and Eric have a great conversation about that topic in the comments.

Just make sure to read the rest of the reference material too.

As always, comments are encouraged below or you can email me at if you prefer.

If you are interested in getting our content regularly, go ahead and subscribe to the RSS feed. You can also subscribe to have posts emailed to you if you prefer.




The Catalyst Career Compass Program

by kriggins on February 16, 2010

in Announcement, Career

If you are employed, you have a job, but do you have a career? Do you want one? What do you want it to look like?

If you have a career, is it going where you want it to? Need some help from a supportive and objective partner who will lead you through a critical assessment of where you are and where you want to go?

Michael Santarcangelo is starting a new service called the Catalyst Career Compass program over at the Security Catalyst. From the description:

Career Compass Overview

Whether you are currently a Security Professional or want to become one, this highly flexible program will help you set and meet your professional ambitions while serving lifestyle goals.

Set your Career Compass:

  • To prepare for a raise
  • To receive a promotion
  • For career development
  • If you are ready to move into the security field
  • To find a new position (within your current company or outside it)

Michael is truly dedicated to helping others. He is looking to iron the wrinkles out of the program with a first batch of guinea pigs...I mean...beta testers 🙂

Check out the post and let Michael or me know if you are interested in participating. I truly believe that you will find great benefit from working with Michael, and a new good friend in the process.



@hevnsnt posted the following message to Twitter this morning.

hevnsnt watching Strand's hacker vids at

There are some nice videos there. Here are the titles of a few with direct links:

Definitely worth spending some time on.




Interviewing Tips

by kriggins on December 10, 2008

in Career, Tips

A couple of things have brought this particular topic to my mind recently. First is the number of layoffs that we are seeing in just about every sector of the economy. Second is last week's MentorNet topic.

Most of us are familiar with the first issue, some on a more personal level than others. The second may be a little more obscure. MentorNet is a great organization that I started participating in last year. From the website:

MentorNet is the award-winning nonprofit e-mentoring network that positively affects the retention and success of those in engineering, science and mathematics, particularly but not exclusively women and others underrepresented in these fields.

Anyway, last week's topic asked mentors to share with their mentees any tips they might have for interviewing.

Here is what I shared.

One of the best resources I know of that deals with interviewing skills is "Knock'em Dead" by Martin Yate.

That being said, here are a few tips that you might find helpful:

  1. Regardless of what is said about dress for the interview, always show up in business attire. You only have a few seconds to make that first impression, and how you are dressed is one of the first tools you have for making it a good one.
  2. Make sure you do your research on the company that you are interviewing with. Solid knowledge of what the company does is always a good indicator of an applicant's seriousness. Ask questions that show this knowledge throughout the interview so they know you spent the time to become familiar with the company.
  3. Write out answers to common interviewing questions before you start interviewing. The book above and many websites have lists of commonly asked interview questions. You will be much better prepared for them if you have already thought about those questions and written answers to them. Just to be clear, don't read these answers to the interviewer 🙂
  4. Have somebody do mock interviews with you. Have them ask the questions you have prepared answers for. Also have them ask some questions that you don't have answers for.
  5. Write down some questions you have about the company and the person you will be reporting to. Good questions cover things like the corporate culture, management style, and career path. Again, the book above has some great ones. Take the list with you and bring it out when they ask if you have any questions. I did this for my last two interviews and it was viewed positively by both.
  6. Ask about next steps as the interview is wrapping up if they haven't already shared them.
  7. Finally, never say 'yes' immediately. If the company pressures you to do so, you might want to think about whether that is a good company to work for or not.

What are your tips for preparing for and excelling in an interview?



@GeekGrrl posted a note on her blog asking this question:

1) How would you recommend getting started on a career toward Network Security/Network Pen Tester?

She has some follow-up questions to that first one requesting some specific information. Go read her post and then come back.

Okay, here is what I suggested. Obviously, not exhaustive.

Here is a good blog post that might help.

1) Certs -

  • If you want to be technical, I would start with the SANS GSEC cert. Make sure you go for the Gold cert and not just the Silver. This cert will give you a good base to build on.
  • From there, move on to firewalls, IDS, etc. as appropriate. SANS certs are the best technology-agnostic certs around.

2) Cons

  • Defcon - cheap and worthwhile.
  • Keep doing what you are doing, watch and read the presentations after they are posted. Garret Gee over at Infosecevents usually posts links to archives when he comes across them.

3) Associations

  • See if there is an InfraGard chapter nearby. Free and often strong in cyber security.
  • Start a chapter of You will probably learn more and meet more people that can help you doing this than anything else.

4) Books

5) Other

Finally, VirtualBox is a great free virtualization platform for Windows and Linux that will let you set up VMs like DVL (Damn Vulnerable Linux) to hack against.

Go ahead and offer up your suggestions in the comments.

UPDATE: On the drive home today, I was still thinking about this question and realized I left off one thing an individual can do that will probably reap more benefits than any of the items listed above.

Find a mentor.

Find somebody who has been in the business for a while who is willing to let you bounce questions off of them and is willing to give you the benefit of their experience when you hit situations that you are not familiar with. Somebody who can offer you those second opinions that can be so helpful.

Here is a link to a bunch of articles on finding a mentor and the mentoring relationship. The articles are not infosec related at all, but still apply.



What is the Security Catalyst Community?

The Security Catalyst Community is a forum where individuals who are interested in or work in the Information Security field can come together and leverage each other's strengths and experiences. There are several things that make this forum so great:

  • Everybody uses their real name. That may seem like something odd to bring up, but in my opinion, knowing who you are talking to is part of what it means to be in a community.
  • Very high signal to noise ratio. I would go so far as to say there is no noise on the forums.
  • Very knowledgeable people. When you post something, you are guaranteed to get responses from individuals who have a significant amount of knowledge and experience and are very willing to share it with you.

Where is it?

It is right here! One note: in order to read the forums you will need to register first. So go do that now and come back when you are done.

What kinds of things get talked about?

Instead of talking about topic areas and what different aspects of Information Security are discussed, let's take a look at a few recent posts:

Don Weber posted a question about how to measure whether a security team is overburdened or not. A great discussion followed with helpful tips on how to gather metrics that can be used to answer the question.

Allen Baranov is in the unenviable position of inheriting a couple of IPS devices and was looking for some guidance on best practices for managing rule sets. Again, several folks stepped up and shared their experiences, which provided a good base to start from.

Jay Benson was looking for a diagram of how WPA2 actually works for a presentation he is giving, and the theme of folks helping out continues as a couple of folks pointed him to some resources that might be of help.

Fred Donovan posted an observation about "Hacker Safe" and a letter sent out to customers regarding their site being hacked last month. A very interesting discussion followed that is worth reading.

The last item I would like to mention is one that was also posted by Don. It was posted in October of last year, but has seen some recent activity. It poses the question "How do you do Email?" A great set of posts follow in which people share their strategies for dealing with our overflowing inboxes.

Who participates?

Here is a bunch of folks who participate and have blogs. Yes, it is a long list, but it is worth your while to visit these blogs on a regular basis.

The Security Catalyst (Michael Santarcangelo)
The Network Security Blog and Podcast (Martin McKeay)
Security Ripcord Blog and Podcast
Education Security Incidents (Adam Dodge)
An Information Security Place (Michael Farnum)
Andy, IT Guy (Andy Willingham)
Andrew Hay
Scott Wright (Security Views)
Security Renaissance
Marcin Wielgoszewski
John Biasi
Chris Hoff
RioSec Security WebLog (Chris Byrd)
James Costello
Harlan Carvey, CISSP
Jon Robinson
Chris Harrington
John Gerber
Steve Mullen
Rory McCune
Rebecca Herold
Randy Armknecht
Didier Stevens, CISSP
Amrit Williams
David D Bergert, CISSP, CISA
Justin Clarke
Andrew Storms
Lori MacVittie
Rob Newby
Andrew Mason
Andy Steingruebl
Security Thoughts (Allen Baranov)
Jeff Stebelton
Brad Andrews (Brad on Security)
Anton Chuvakin
Eric McMillen
Dana Hendrickson
Tyler Reguly
Keith Kilroy
Peter Giannoulis
Walt Conway

Um... this post is long. How do I join again?

Simply go to and click on the register link. You will not regret it.

Kevin Riggins


Are you an Information Security Evangelist?

by kriggins on April 4, 2008

in Career

Merriam-Webster defines Evangelist as follows:

1: often capitalized : a writer of any of the four Gospels
2: a person who evangelizes; specifically : a Protestant minister or layman who preaches at special services
3: an enthusiastic advocate <an evangelist for physical fitness>

I'm pretty sure you are not one of the writers of any of the four Gospels. While you may be a minister or lay speaker on religious topics, that isn't really what I am talking about either.

So that leaves the third definition to look at: an enthusiastic advocate. That is something anybody can do. So let's restate the question: Are you an enthusiastic Information Security advocate?

Not my job

Now I am sure at least one of the three of you who are reading this is muttering, "Not me, I'm not in the Information Security department. It's not my job." Don't hang up yet. I'm talking to you too 🙂

Of course we want the Information Security personnel in our organization to be enthusiastic advocates. We rely on them to protect our information assets. But they can't do it by themselves. They need the help of those around them. The job is just too big and too far reaching for one small band of people to tackle.

I'm not Enthusiastic about much of anything.

Okay, maybe enthusiastic isn't the right word. How about just plain advocate. Someone who believes in something and is willing to promote it.

So how do I do that?

Since we are not talking about preaching to the masses, and enthusiasm may be a stretch for some, how about quietly influencing those around you by your actions? You know the cliche: "Actions speak louder than words." If we are educated and aware (a whole other topic we will be exploring) and conduct ourselves in a manner that displays that education and awareness, we are likely to have a greater impact on our surroundings than any amount of emails, announcements, posters, or threats from above.

How do I become educated and aware?

It's your turn, Information Security folks. We need to make sure that we are providing many opportunities for those who rely on us to obtain the education and awareness training that will help them help us. Our E&A (education and awareness) programs are as important as, maybe even more important than, our firewalls, IDSes, and other technical controls.

I will end this by asking the questions again: Are you an Information Security evangelist? If not, why?