Curmudgeon Information Security Officer

blog_ROCKC064After reading the first third of “Disrupted; My Misadventure in the startup bubble” by Dan Lyons I realized that I had been marketing myself all wrong. Hiring managers like the little-emperors of China want happy, go-lucky, youthful, soft individuals to run their security operations. Kudos if you have an awesome hacker handle. As such I wanted to dispel any myths that I might embody any of those “get-along” traits that might make the startup scene happy. As an iconoclast I had to go all hipster and choose a different course. As such here is my no holds barred letter to future employers.


Dear hiring executive;

I will not hold your hand when making decisions. I am not your father figure, and I most assuredly am not a nice guy. I am a fiftyish, bald, fat guy, who drinks 21 year old Scotch and may or may not smoke a cigar. I am former Army, Marines, Law Enforcement, and I have likely been doing high technology security longer than you have been alive. I don’t have a cool hacker handle but I’ve drank vodka with Russian hackers on the Silk Road, and drank really cheap beer with Chinese hackers in Shanghai.

What happens in Vegas stays in Vegas.

Let me tell you about work-life-balance. If I have to work more than 40 hours a week you should fire me. I have failed at leadership and delegation. If you ask me to work more than 40 hours a week you are a failure and waste of management. Shit gets done when you’re not playing Xbox and getting a massage on company time. If you want shit to get done I’ll be in the office at 7AM because I get up and go for a run every morning at 4AM. Therefore if your lazy ass calls me at 11PM I am in bed asleep. I will nuke your eardrums if the office is not on fire.

Be worried if I am smiling.

Why do you want to hire me? I get shit done. Security is a process of continual improvement. If you think it is compliance you’re an over eager simpleton with a penchant for the known. Let the grown-ups help you out. Compliance is to security like a seat belt is to a car accident. If you are driving the company network like an idiot you might not die, but it won’t be pleasant. Real security is provided by people who steer like Mario Andretti, and are as pissed off as Gordon. Wear your seat belt, but have a clue about what is going on around you. If your product is actually any good you will be swapping paint with nation state adversaries. This in the information security community is what we call, “normal”.

I will provide you with specific leadership, guidance, and actionable projects and programs that get done on time and under budget. Listen, I helped rebuild a big chunk of the Internet under the gun. We didn’t get done by on our own, and you won’t have security by yourself. So, I build teams with a deep Rolodex (kind of like your iPhone address book, google it). Some of those people are EVEN OLDER than me. Because they don’t have egos, they think excuses are a personal failing, they don’t whine about structure, and they know how to GET THINGS DONE. They actually are more productive than their youthful competitors.

They also cost more because they get things done.

The people I hire are hunters. They are life takers and heart breakers. They work hard and play harder. They consider it affront to their very soul to not know the networks they secure. The guys are barbarians thumping their chests and flinging shells in abandon. The women, ahh the women, they are the stunning Amazonian queens of security. Evil abandonment and terrifying in their sophistication. The first line of defense is a SOC team that takes no prisoners and hunts. The second line of defense is an incident response capability. The saviors of the day. If the SOC is infantry, the CIRT is the Special Forces.

Maybe your sensitivities can’t handle military metaphors. Too bad.

It is pretty simple. I don’t want to be your best friend and I’m going to be the cop on your network. If you hire me to be the security for your over eager, self-aggrandizing organization, I will chew your application team up and spit out the few bits that remain. I am not a fire fighter and I consider bad coding a crime. Agile, SCRUM, and such are just fine toy processes to make sure nobody is held accountable for security. If you have to use silly things like that and self-actualize away from the waterfall model, may I introduce you to Peter Boehm and his spiral model. Along with your user stories is mine “Think evil”.

I am not a fireman.

I usually get the phone call from some start up after they found out how much Mandiant charges to show up. Maybe I get the call from some senior leader at a company who is a former graduate student. “Help Me Help Me!” I charge a bucket load of money when I’m not busy playing with my kids or riding my motorcycle. See I’m a doctor of breach and I’ll help you get out of one or keep you from having one. Which do you think is cheaper?

If you want actionable, workable, balanced, and probabilistic based security solutions it starts with admitting security is a priority. Since you’re likely not going to let something like security get in the way of mission let me put it to you this way. Your next round of funding is likely going to do a risk assessment of your organization. That will include protecting all that code that is just like Uber for . If you’ve got glorious words on a slide, your black turtle neck is perfect, and your hair is coiffed. Hope I’m not working for the venture capitalist.

To help you succeed I will learn, build, and enable more of your business processes and business lines than the CEO. That is how real security is done. Your information and digital assets are your security crown jewels and they will be protected. The approaches, techniques, and capabilities are not cheap and you should build those expectations into your budgets.

I wear suspenders and a belt. And, combat boots.

Cops wear bullet proof vests because criminals shoot at them. Even then Kevlar will fail. Cops have lights and sirens because crooks still commit crime. There is no security or policing practice that is perfect. You can throw good money after bad, but at some point you have to think mitigation and reality. I will help you navigate that foggy line and determine the best course of action. None is not enough and impacting profits is too much. Where you go in between is a deep and dark pool of intellectual discussion on culture. The answer is likely around 8% of your realized, shadow, and ad-hoc information technology budget. Just trust me on that.

If you want security that is black shirt wearing, Red Bull swilling, always in chaos and heart attack mode. Don’t call me. If you want professionalism that shows up on time, builds a team that is ready, and you have business to get done. I’m an expensive curmudgeon who won’t answer his phone after 7PM. I’m not a slave to your paradigm nor am I a fan of making past mistakes. I am more than willing to watch you screw up from the sidelines.


Huh. My phone isn’t ringing


Leave a Reply