Thursday, December 22, 2016

Job Opportunity - Cloud Security "Special Forces"

I do not usually post non-GIAC-focused job postings and have deep concern with the use of "Special Forces", but it sounds like an interesting job, so here is the link:
http://jobs.jobvite.com/careers/servicenow/job/oaQd4fw1?__jvst=Employee%20Referral&__jvsd=s3WsTfw4&__jvsc=LinkedIn&bid=n2aSYyw5

Monday, December 5, 2016

CISO - In project planning define what "it" is

I reviewed project plans from four teams of really smart technical people today and after doing so, I am a bit troubled. One of the big problems in cybersecurity is that management is not convinced cyber-techies have any idea of what they are doing. Management may be right.

Two of the plans were, to be kind, minimalistic. Maybe a half page of cryptic notes. The third looked like a government RFP with 12 pages of writing for a 100-hour effort, and the fourth struck a balance between using as much paper as possible and actually laying out the work breakdown structure.

All four plans had the same serious flaw. They did not put any effort into defining what "it" is. This is one of the classic communication failures. The boss knows (or at least thinks she knows) what she wants. So she directs her team, "build me a framus". So they go to work to build a framus, but they don't wait to define what "it" is. The most common definition, of course, is a vintage stringed instrument. However, people familiar with the space program who still have moonshot flight jackets with the mission patches know it can be a synonym for a gizmo, or gadget, or, more recently, an app or chatbot.

This is not a new problem; everyone has heard of garbage in, garbage out. However, hearing about a thing and dealing with it well are separate issues.

The good news is that this was not an effort to deflect an asteroid from striking the earth. All four were graduate level programs to increase the documented level of cybersecurity defensive information.

The bad news is the first week of the assignment is dedicated to the planning part. If we are dedicated to creating the next generation of cybersecurity leaders, we are going to have to solve the problem of teaching them to define what "it" is or we will end up with every imaginable framus.