Today’s interview is with Michael Santarcangelo. Affectionately known as “Santa” to his friends, Michael truly is a catalyst when it comes to changing how people think about information security. He’s helped me throughout my security career and has talked me down during my pre-exam “freak out” sessions on more than one occasion.
Q: Tell us a little about yourself.
I love to learn, connect, and share.
I am a catalyst.
I used to state, apologetically, that I was a “jack of all trades, master of none.” Then I would explain I was a renaissance man – less apologetic. But a few years ago I realized that I am a catalyst, and I no longer apologize.
I’m direct. Candid. And with a good knowledge of self, I am what you see. After watching people tell lies, play games and “work angles” early in my career, I decided against that approach. As a result, I am me.
In my practice, I connect with people, ask questions and share stories that shift thinking and create situations that inspire behavior change. I focus on the positive – acknowledging the good work of the users, amplifying their actions and revealing to them they have the power – and the responsibility – to act to protect information.
Q: How did you get interested in information security?
I asked too many questions.
I was working with Accenture (back in the days before it was Accenture) and on a project where I kept asking questions – about things like pricing spreadsheets being kept on shared drives. This was before “security” existed, so my reward for asking the question was to figure out a solution. When I did, the partners would take me out to nice dinners. It was perfect – I worked around the clock, got fed and learned.
In two years, I probably worked roughly 4-5 years worth of hours, but it was worth every minute. From there, I joined the newly formed global security team and the rest has been a great experience.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
My formal training is Policy Analysis (now called policy analysis and management) from the school of Human Ecology at Cornell University. It’s hard to explain why I chose the major when I did – but looking back, it was a perfect fit for me. In fact, I think more people need to study and become human ecologists.
Human Ecology is considered a “hard social science” – the power is in the blend. The foundation is economics, statistics and other “hard science.” It’s then amplified and improved with the addition of sociology, psychology, business, personal finance and other elements that allow human ecologists to draw on multiple disciplines to solve complex problems.
This translates into the tools and experience to understand policy, economics, people and technology. Better, I can then analyze and explain what I know in an applied way – to get results matched to the situation. And I continue to learn!
As to the balance of my learning – I am curious about everything and am a lifelong learner. Every topic literally fascinates me, and I learn from anyone and everyone.
At one time I was a top-rated lead instructor for the CISSP® — and even helped refine and improve a substantial portion of the Common Body of Knowledge. That experience allowed me to develop deep and broad PRACTICAL skills in the entire field of information security (spending enough years explaining leads to as many years doing). As a result, I have good knowledge of the field – especially the fundamentals — but also the realization that my niche now is to connect the right people together while focusing on the human element.
Once I earned the opportunity to join the National Speakers Association, I took the responsibility of being a professional speaker seriously. Professional speakers are hired to get results – so now I dedicate a good portion of time to mastering – and teaching others – the tradecraft of effective communication. I believe the real challenge for most security professionals is communication – and I have developed some seminars and support materials to be refined and improved in 2010.
As a human ecologist, I’m finally in a place to blend my skills to enhance my skills. In the process of my learning, I connect and share. The cool aspect of this is that the more I share, the more I learn.
Q: What did you want to be when you grew up? Would you rather be doing that?
I always wanted to run a business that helped people. I love what I do – and the way we’re about to do it, so I’m thrilled.
Q: What projects (if any) are you working on right now?
I am in a constant state of thinking, which means I have some projects going on. The big project is just starting – we have rented our house out (instead of selling it) and are heading out to travel North America by RV for the next few years.
We have dubbed our effort “Catalyst onTour” – as we will continue to meet our clients, literally, where they are to influence change.
Beyond traveling to meet, learn, listen and share, we have a different approach to seminars we’re going to unveil in 2010, as well as a few other ways to change the way people protect information that need a bit more time to distill and prepare.
Q: What is your favorite security conference (and why)?
I haven’t really found one that compares to the conferences I have experienced in professional speaking circles. I do enjoy the “hallway” interaction that happens at the security conferences and will advance some small suggestions for the future.
In the meantime, when we travel the country, we invite people to come to our house, enjoy a beverage and sit around the fire to catch up – real campfire chats. I hope you and I get to sit around the fire in 2010.
Q: What do you like to do when you’re not “doing security”?
First and foremost is time with my family. In that process, we like to learn, engage, share – lots of reading, museums, etc.
Q: What area of information security would you say is your strongest? What about your weakest?
As a former CISSP instructor who devoted 6+ years to developing and improving the profession, I have an unusual breadth and depth – and interest set. My strength is absolutely in applying what we know in a way that works in harmony with the power of people – the so-called elusive human element.
My weakest is programming; I understand and appreciate programming, but I’m not a coder and don’t want to be. However, that doesn’t mean I don’t like application security… since it requires people. Just don’t ask me to code or look for application vulnerabilities.
Q: You’ve spoken to people all over the country about managing risk. What, in your experience, is management’s most common misconception of “risk”?
I think the biggest misconception of risk lies with security professionals – and what I call “risk reaction.” Our focus, our thought process leads to situations where we see and realize things before others, and that leads to a state where we focus on threats, vulnerabilities and risks more than others.
I think we have a lot to learn from business leaders, decision makers and influencers about the real risk of the organizations.
Q: Tell us a little bit about your book and how it ties into your philosophy on life and security.
When I wrote Into the Breach: Protect Your Business by Managing People, Information and Risk, I had started to look deeper into some of the notable breaches happening – and asked a simple question, “what if breaches are only symptoms?”
The reality is that breaches – which take a lot of attention and capture a lot of money – are only symptoms. If we continue to do what we’ve been doing, we’ll keep getting what we’ve been getting.
My book is for executives to reconsider the challenge with a strategy for their success.
The central element is that individuals must take responsibility for their actions, and be held accountable. I think this is true in life as well as security – so this book does capture some initial thinking on my approach to a lot of things.
What I enjoy is learning about how people who have implemented the guidance not only solve their “security” challenge, but how they adapt it to do more. It excites me, since that was the purpose.
I have more information about the book and a special offer here: http://www.securitycatalyst.com/into-the-breach/team-inspiration-edition/
Q: What advice can you give to people who want to get into the information security field?
Ask questions. Seek answers. Share.
This is part of the reason we started the Security Catalyst Community. And that’ll be coming back stronger in 2010 – with a mentoring component. I’m a fan of the journeyman process, and a bit leery of people who have advanced degrees in security/assurance – but lack the practical, hands-on approach marked with scars, mistakes and the essential components of learning.
To be clear: I think cert programs and advanced degrees are important.
But I evaluate practitioners and professionals on what they can do – including how they can connect with real users/people and communicate. Those that have had their feet to the fire perform better than others.
So if someone is asking for advice, I suggest they find a blend:
Q: How can people get a hold of you (e.g. blog, twitter, etc.)?
website: http://www.securitycatalyst.com
phone: 518.207.3453
email: securitycatalyst@gmail.com
twitter: twitter.com/catalyst
linkedin: linkedin.com/in/securitycatalyst
Today’s interview is with Brian Honan who lives in Dublin, Ireland. I’ve known Brian for a couple of years now and he is never shy to chime in with his ideas. He is also the first person to offer to help if you come to him with a problem.
Q: Tell me a little about yourself.
I am an independent consultant based in Dublin, Ireland specialising in the area of Information Security. I have worked for myself for over 5 years now and previous to that held numerous senior management roles both at the technical and business levels, so I like to think that I have a good broad view as to where information security can support the business. I also set up Ireland’s only CERT team, IRISS-CERT www.iriss.ie, due to there being no other body in the country providing such a service. I enjoy writing and have published a book on the ISO 27001:2005 Information Security standard, I am the European Editor for The SANS NewsBites and also write for numerous industry publications.
Q: How did you get interested in information security?
Way back in the late 80s I worked in the IT support function of a large Irish financial company. PCs were relatively new and I was the “lucky” one tasked with supporting them. Back in those days PCs ran PC-DOS and adding connectivity cards for networks or mainframes required a lot of “hacking” around with the hardware and the operating system. This helped build up my curiosity into how systems and networks worked as I battled to connect PCs to the various business platforms in the organisation. Then one day some of the PCs got hit with a computer virus. In today’s terms it was fairly benign, but back then it was a major issue and there was very little support available. Indeed, finding an anti-virus product was difficult. As a result of that first outbreak I was fascinated with the motives and skills shown by the virus writers. That fascination spawned my interest in security as I looked into ways to make the systems I was charged with more secure.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I do not have a formal third level qualification in IT. Rather my qualification is in Personnel Management. Over the years I have amassed various industry certifications from organisations such as Microsoft, SANS, ISACA, Citrix, HP, IBM etc.
Whether or not those qualifications added value to my information security career is hard to quantify. It is difficult to know whether or not you got a particular role purely based on the number of acronyms you have on your CV. However, I would say that they have added value to me personally in that they confirmed to me that I was competent in the technologies I worked with. It was good to have a third party confirm your own skills. I am a firm believer in rating someone based on their ability to do the job in a professional manner and I have worked with many talented people who did not hold any official information security certifications. So if anyone is looking to seek a certification my best advice is that you do so for your own selfish reasons and not because it is the latest and greatest certification that is appearing in the job ads.
I believe that my qualification in Personnel Management has given me a unique insight into the field of Information Security. While being knowledgeable in the technical aspects of information security, one of the key elements in Information Security is people. Knowing what motivates and drives people is invaluable when designing information security programmes. Being aware of the Human Resource and Industrial Relations issues that are integral when dealing with people is also invaluable when making key decisions in relation to information security issues.
Q: What are some of the issues, specific to Ireland, that you run into from a security perspective?
Ireland is a small country with a population of around 4 million people which tends to lead to an attitude that “we are too small for anyone to hack us”. Unfortunately this is not the case and to help address the issue I established Ireland’s first CERT team, The Irish Reporting and Information Security Service (IRISS www.iriss.ie). In the year that we have been operational we have been very busy dealing with numerous issues, primarily shutting down phishing sites hosted on compromised Irish-based websites.
The other main issue I see is that many companies believe that information security starts and ends with the deployment of a firewall and some anti-virus software. They tend to forget that technology is only one part of the puzzle and they need to also ensure the other elements of people and processes are also properly dealt with.
Finally I often come across the problem where companies do not understand their legal obligations under the Irish Data Protection Act and there is also a lack of awareness, especially within the SME sector, of the PCI Data Security Standard (PCI DSS).
Q: Do you think that computer users in Ireland are more or less susceptible to information security exploits or malware? Why?
I don’t think that Irish computer users are any more or less susceptible to information security exploits or malware. I would say they are just as susceptible as users in other countries. But the problem is not just at the user end; I think overall as a profession we have failed to properly educate end users on how to deal with the various threats that are out there. This is not just a failure in how we educate end users against the various security threats but also in the technology we use to defend ourselves, the underlying technology used on our networks and our computers, and finally how we tackle international crime.
Q: What do you find is the hardest security concept to explain to senior management? How do you approach it?
The biggest challenge I find is explaining that information security is not just a technology problem but a business problem and needs to be dealt with in the same way as any other business problem. I find the best way to deal with this is to explain information security problems in terms of the risk they pose to the business. When the business can see the potential bottom line impact a security threat can pose either in terms of Euros or reputation then they tend to pay more attention.
Q: What did you want to be when you grew up? Would you rather be doing that?
At one stage when I was growing up I started my own band and had ambitions of becoming a rock star. There are times when I am in the middle of an ISO 27001:2005 audit or other information security project that I think: would I rather be doing this or be in a 5 star hotel room with a bunch of groupies?
Q: What projects (if any) are you working on right now?
I am working on a number of customer projects assisting them to achieve ISO 27001 compliance/certification. I am developing an ISO 27001 based risk management product that I hope to launch in 2010. Running the IRISS-CERT is keeping me busy, especially as we hope to soon become accredited with TF-CSIRT and FIRST. I have a number of writing opportunities that I am exploring, one of them will be blogging for Infosecurity Adviser http://www.infosecurityadviser.com/. There are also a number of other projects I am working on in relation to cloud computing and managing the security around that area.
Q: What is your favorite security conference (and why)?
Being based in Dublin, the better security conferences require me to travel. So I am selective about which ones I go to as I want to ensure my time is well spent. So it would not be fair for me to pick one conference over another. I would though recommend local chapter meetings of the ISSA, ISACA and here in Ireland the Irish Information Security Forum. Local meetings provide a great opportunity to meet and share experiences with your peers while also getting to attend some good presentations.
Q: What do you like to do when you’re not “doing security”?
Relaxing with the family.
Q: What area of information security would you say is your strongest? What about your weakest?
My strongest would be in the areas of information security management, developing information security programs, designing and architecting a secure network infrastructure. My weakest area would be in application security – I never had the patience to write or examine code and have the utmost respect for those with skills in that area.
Q: What advice can you give to people who want to get into the information security field?
The best advice I can give is to communicate. Working in this field can be very challenging, fun and rewarding. But be warned that many businesses and organisations see information security as a necessary evil so don’t be surprised when the business doesn’t put the same priority to issues as you do. Learn to communicate to the business in terms they can understand. Communicate with your peers and others in the field, that way you can learn from them and they can learn from you. The bad guys who are trying to attack your systems are sharing information with each other, so those of us defending our systems need to also share information so we can better defend ourselves.
Q: How can people get a hold of you (e.g. blog, twitter, etc.)?
My Email is brian.honan@bhconsulting.ie
My company website is www.bhconsulting.ie
My twitter handle is @brianhonan
My own blog is www.bhconsulting.ie/securitywatch
My Infosecurity Adviser Blog http://www.infosecurityadviser.com/view_profile/brian_honan/752/
My book “Implementing ISO 27001 in a Windows Environment” can be found here: http://www.itgovernance.co.uk/products/2207
Today we interview Nick Owen. I had the pleasure of meeting Nick at SecTor 2009 and he has a wealth of knowledge in areas that most people struggle in.
Q: Tell me a little about yourself.
I’m best described as a serial entrepreneur. WiKID is the fourth start-up in which I have been actively involved. For the record, I am 1-1-1, though the tie is a bit generous.
I live in Atlanta, Ga, with a beautiful wife, three lovely children, one cat, one fish, and six chickens with a frustrated (so far) hawk as a neighbor.
Q: How did you get interested in information security?
My second startup did electronic bill presentment and payment services. I was in charge of operations and thus security. I hired Caleb Sima’s group from ISS to do a pen test. I later invested in SPI Dynamics.
Q: Do you find it difficult to juggle a family AND a startup? What is the biggest sacrifice you’ve had to make as a result?
For the first two start-ups, I spent a lot of time at the office. You spend a great deal of time thinking about and discussing what you need to do to succeed. You worry a great deal about things that aren’t always tremendously important, like what the competitors are doing. That also was the time when Netscape came out, Yahoo started, Java debuted, etc, so it was a very interesting time. Now, I have a pretty good idea of what our strategy is, I know what part of the market we’re targeting, etc, so I typically work from about 8-6 and rarely work on weekends. That being said, I always think about work and I worry that I’m not always “there”.
My “pay” is not always “regular”, but luckily I have a spouse who is very tolerant of this fact. I actually think this is good for my children. They are by no means spoiled :).
I have to say that it is a great time to start a company. Why? Because the economy will only get better from here. So, if you can start a company, you will be sitting pretty as the economy recovers.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I have a BA in History and an MBA, making me both ignorant and evil, which seems like a great basis for information security.
Q: Why do you think a mix of History and an MBA provides a good basis for infosec?
In all seriousness, I believe that you go to school to learn to learn, not to actually learn facts or a specific skill. History teaches you strategic thinking, trend recognition and how to write (though I seem to have forgotten the grammar part). I have over time picked up a lot of tactical information about security, giving me what I think is a well-rounded view.
I got my MBA to increase my marketability as management material, but also to round out the skills I thought I would need to be an entrepreneur. I knew I needed to be a jack-of-all-trades.
When I first started blogging, I did a number of posts on why ROI is a poor measurement, how to come up with a cost of capital for a project, etc. I realized that I had to focus on our market and I got a bit frustrated by it. I may pick that back up, but I’m still not sure that any information security people would actually use it.
Q: What did you want to be when you grew up? Would you rather be doing that?
I think I always wanted to be working for myself. When grown-ups asked me what I wanted to be, I usually chose an inanimate object, such as a fire hydrant.
Q: What projects (if any) are you working on right now?
I would like to get some time to do some blogging, exploring some concepts around ‘best practices’ and how to measure the financial impact of information security investments.
Q: What is your favorite security conference (and why)?
I probably had the most fun at DefCon, but SecTor was great. I liked the fact they had limos pick up the speakers at the airport. I have never come off a plane to find my name being waved by someone.
Q: What do you like to do when you’re not “doing security”?
I’m on the board of my children’s school, the Waldorf School of Atlanta. I have a garden where I primarily grow tomatoes and various hot peppers, which I often use to make my own hot sauce.
Q: What area of information security would you say is your strongest?
I have written a good number of tutorials on how to integrate two-factor authentication with a bunch of different network devices and applications. If we get too far from authentication, chances are I am making it up.
Q: What advice can you give to people who want to get into the information security field?
Explore the numerous open source tools in information security, choose any that are of interest and contribute. Contributing doesn’t mean just code. It means feature requests, documentation, bugs, etc. Doing documentation is a great resume stuffer. You are essentially saying “I know how to learn to use a tool and I know how to document my work”. How valuable is that to a potential manager?
Q: How can people get a hold of you (e.g. blog, twitter, etc.)?
The much neglected WiKID corporate blog: http://www.wikidsystems.com/WiKIDBlog and on Twitter: @wikidsystems