Infosec: Be All You Can Be

Wednesday, August 22, 2012

Randall Frietzsche


If you are reading articles on this site, it is likely that you are an Infosec professional. 

Notice that I didn't say that you work in Information Technology; I said you are an Infosec professional. We are quite lucky to work in a field where we really identify ourselves with our profession.

Whether we're support technicians, operators, managers, directors or even CISOs, we are first Infosec professionals.

So what is an Infosec professional?  Like the Samurai or the Knights of the Round Table, we're really warriors, we're soldiers in a battle of good vs. not-so-good.  We craft our skills, we increase our knowledge, we strive to be better than those who might do our Enterprises harm, breach our castle walls and loot our treasures of data and services.

We really work in a field where we must continuously improve, continuously stay on our toes.  We must constantly assess, reassess, quantify, categorize, watch logs, review alerts, and respond with as much skill and expertise as we can, in order to combat and remediate the constant threat.

We find ourselves engaged in reading blogs like this one - seeking out that extra little nugget of knowledge that we might put in our pocket - one that might come in handy in a pinch.  We seek to deepen our knowledge so that we can be more effective in applying not just a technical fix, but a real strategy, like building layers of moats around our castles.

It's really a pleasure to get paid to do something most of us would probably do for free.  So as we strive to improve our battle skills, our strategic military vision, we must take full advantage of the vast resources at our disposal. 

Join the ISSA, ISACA, Infragard, OWASP - join Toastmasters or your local Kiwanis.  Read constantly - books and blogs and whitepapers.  Attend security conferences.  Do all you can to be all you can as an Infosec Professional. 

Considering the endless number of teenagers sitting at home trying to learn how to hack, who someday might look to breach your castle walls, it is your duty, and really to our collective benefit, to be the best Infosec Professional you can be.

This is my first article on Infosec Island - I look forward to learning from you as well as offering some sage advice from my twenty years of experience in private security, law enforcement, Information Security, and the martial arts. 

We are ultimately all brothers and sisters in the honorable fight to protect those who depend on us, on our skills, on integrity, and our ability to end the day safe.  I am proud to serve next to you on that battlefield.

CP Constantine: We're warriors eh? Really... soldiers you say? OK. Show me the graveyard for fallen cyber-warriors. Where's the benefit fund for the Widows of infosec professionals killed in action?

We are IT professionals, with a blend of skills and roles drawn from several other professions into the mix. Insurance, finance, fraud all have lots of people that perform pretty similar roles and apply similar skills and models of thinking.

What's the difference? They're not so damn pretentious as to try and paint themselves in the colors of military and law enforcement.

Sorry, but this kind of ridiculous hyperbole is a good chunk of *what is wrong* with this industry right now, and serves only those who are in this business to line their own pockets and aggrandize themselves.

Randall Frietzsche: Hi CP - it's symbolism - not meant to be taken literally. As a former law enforcement officer I can assure you I do understand the difference.

One comment I make in presentations is that I came from law enforcement into IT because I get shot at less. I think this tongue-in-cheek is important to make sure our audience understands that we're the good guys - we are here to serve and protect. Service is the same, the method of doing so is vastly different.

However I appreciate your honest comment.

CP Constantine: Yeah, it's tough to get into this without it coming over as personal. But this is the issue right now, there's far too much hyperbole and symbolism going around right now, and not enough truth and humility. The hacker underground has been infamous for this kind of chest-beating bravado for decades - and look at the trouble that always caused for them. Now I'm watching the same kind of thing happen in the professional realm, fueled by the chickenhawks and secret squirrels of the world (who almost universally seem to be the people with the slimmest understanding of the issues or the implementation).

It's a predictable, but spurious reaction: in the face of our continued failures to achieve measurable progress in our field, we instead turn to inflating the image of the opponent as some unknowable evil, that we are fighting some grand battle against.

Information security is about writing software, and developing business processes. The sooner we can come to terms with the utter mundanity of what is actually required to do the job right, the sooner this industry can stop riding its own ego and get some actual work done. Far too much hunting for cool, shiny distractions.

Randall Frietzsche: Amen, brother. I agree 100% that the real job of an Infosec pro is very mundane and it is that day-to-day mundanity that is the backbone of the effective program. There isn't anything sexy or exciting about watching logs or reviewing reports, but that's really part of the core tasks in doing the job right.

I think what you're saying is that we should be focusing on this day-to-day and make sure we get that right, instead of beating our chest and missing the point. I agree, and since this was only an introductory post, hopefully you'll see that rich content as opposed to chest-beating.

However there isn't anything wrong with symbolism - leaders use it every day to motivate the troops.... (oops, did it again) :)

CP Constantine: Heh. But yeah, you're certainly right on the money in one regard, when we're not falling over each other trying to be the grand poobah in this field - there's a hell of a lot of solidarity and community in the core field. Look at the support for Brad Smith, for one. So yeah, I'll agree on that one, it's not symbolism per se that's bad, it's just symbolism for its own sake that's part of the problem (or even worse, the self-serving symbolism we call FUD).

Ian Tibble: CP, we are indeed IT professionals - I just say this to emphasise the connection with Information Security and Information Technology (did you notice there was a word that was in each title there - almost as if they have something in common)? But yes, security is a new kind of new thing which is why we keep screwing it up - has to be said though, we don't seem to be learning much and evolving. Plenty of dishonest folk in infosec still claim a certain disconnect between security and IT - actually it's not about information at all. Apparently.

I still have nightmares about the downturn of the early 2000s where one's perceived economic viability became inversely proportional to one's intellectual capital.

So yes, CP I feel your pain. Randall - welcome to infosecisland ..hehe (demonic laugh).

Randall Frietzsche: Hi Ian

Thanks for the comment and the welcome.