Threat is best thought of as being associated with the intent, the opportunity, the ability, and the willingness to commit a malicious act. Attackers, whether planning to assault someone on the street, break into a building, or hack into a computer network begins with the intent to carry out a threat. The want something and are looking for the opportunity to take it. However, they may not possess the tools, skills, or knowledge to commit the malicious or criminal act without getting caught. They must be willing to take the chance. Of course, not every evil bad guy out there thinks these aspects of a threat through, but when the elements come together, they may attack.

Risk requires that something of value be vulnerable and exposed to the malicious act. Risk is reduced by protecting the object of value, which could be your wallet, the 65” LCD television in your living room, or the Personally Identifiable Information (PII) stored on your laptop computer. Objects of value are vulnerable to attack, and exposed to a potential threat. For example, the purse carried by a little old woman in the street is vulnerable to attack because the woman may be too weak or feeble to keep a mugger from snatching it, so the woman reduces the exposure of her purse by carrying it at her waist, tucked between both hands. Were the purse dangling from her outstretched arm, the additional exposure may present the opportunity a mugger needs to steal it.

Risk is mitigated from threat by adding layers of security to the object of value. We lock our doors to keep the casual intruder from walking in and taking our shiny new TVs. We leave our dogs in the house to deter the same intruder, and we may even turn on our alarm systems to make sure that we are alerted to attempted break-ins when away from our homes. Each security measure adds protection to inherent vulnerabilities to attack while reducing the likelihood of being attacked. Most attackers are casual, and will move on to the next opportunity to do damage if their abilities to cause harm are insufficient or their willingness to get caught is too low. 

A non-scientific model of Threat and Risk can be represented like this:

Threat vs Risk Model

In the next blog entry, I will explain Risk Mitigation and provide examples that further clarify the relationship between Threat and Risk.

I have listed a few of the initial blogs I will post below, and welcome you to recommend other topics of interest by commenting.

• Usability versus protection, the security dilemma
• Protecting your home network
• Identifying physical security zones
• Passwords are dead, and why you’re stuck with them
• Risks and rewards of social networking
• Got patch?
• The first rule of self-defense, avoid conflicts

Even though unemployment rates are so low within the Information Security field, acknowledge how fortunate you are to have made it to an interview and value the time that you have with the interviewers you are able to sit with. You have made your way through initial down selection, which can be a crap shoot if you do not have the right search terms in your resume. If you were not in position to leverage your personal networks to get to the interview, you will begin with a clean slate.

Step up to the plate and knock it out of the park. Make sure that you have researched every aspect of the company you are interviewing with. If you know the names of the interviewers ahead of time, research them as well. Especially if they have published academic thesis or dissertations, have published technical white papers, written books, or spoken at industry forums. Having not taken the time to research these aspects of the job tells interviewers that you may either not know what the job is, or are not interested enough in the company or position to fully engage in the process. Let the interviewers know what you have found, and in turn ask them what they have found on you. They will be searching anyway, and it serves as an ice breaker that you can build off of to help you control and focus discussions held during the interview.

Information about you, your life, and career are out there. It is not difficult to learn who you have worked with in the past and build a view of the organizations you have worked for and specific product lines you have supported. Knowing what information interviewers and hiring managers have discovered about you through internet and social media searches also provides you valuable keys which you can use to fill-in the gaps of their knowledge with discussion of work that you would like to highlight. Knowledge is power, and one of the keys to a successful interview is to effectively control the flow of the interviewer as the position’s candidate. 

Interviewers and hiring managers may have reviewed dozens of candidates before you, and there sensitivity to exaggeration is heightened by the time you sit down with them. Show up prepared to discuss the skills and experience you have in I.T. that directly transfer to the Information Security field. Your goal during the interview from that point forward should be to guide discussions in such a way that you are able to elaborate on aspects of the position that the interviewers are introducing.

With a solid game plan, you will find yourself working in the security trenches in no time!

Shh… here’s a dirty little secret I have learned over the years working with recruiters and managers tasked to hire Information Security personnel… they often do not know what the job entails themselves! When they do, the Information Security field is still new and volatile enough that they may not understand what mix of education, certification, and experience to look for in candidates. Ambiguous job requirements end up being used as catch-all’s that recruiters use to quickly eliminate candidates. If terms used in the job posting are not in a candidate’s resume or CV, they may not even be considered.

How does someone looking to enter the field figure out what employers are looking for?

• Read as many job postings seeking Information Security professionals as you can find. Become familiar with the common skills employers are looking for, and read between the lines. Hold off sending out resumes until you can distinguish between different types of information security jobs and apply for those positions that are the best fit for you.

• Research unfamiliar acronyms and jargon used within Information Security job postings. You may find that employers are looking for skills that you already possess, and are simply describing them differently than you are used to seeing in your current field.

• Search for traditional I.T. jobs listing Information Security responsibilities. Information Security is quickly working its way into more traditional I.T. jobs. If an employer takes the time to add Information Security responsibilities to traditional I.T. job postings, they may have a need for security but their Information Security organization may not be mature enough to stand on its own.

• Tailor your cover letter and resume to the position you are applying for. If you feel like you are “stretching” the truth, you may want to look for other options.

No matter what, do not blindly apply for every Information Security job a company has posted. The company’s group of recruiters and hiring managers reviewing resumes for these positions will likely be small. Keep in mind that if you apply for a job that you are not qualified for, you risk your resume not being looked at a second time for another position that you are qualified for. Maximize your visibility and chance for success by strategically applying for positions that are the right fit for your skills and career goals. Impressing a hiring manager the first time you they review your resume may result in your being considered for positions you did not apply for.

Coming Soon… Tip #3: Know what your Information Security skills are.

The key to determining where your skills and Information Security career aspirations lie requires that you assess your existing I.T. background, identify fungible skills that easily transfer apply to security, and present their relevance to employers in relation to job descriptions they have posted. Even though job postings for Information Security professionals are often written ambiguously, jobs in the field do align with categories seen across I.T., including operations, administration, engineering, research, and management. 

Continue Reading… Tip #4: Be honest with yourself about your career aspirations.

• Operations – Security systems are designed to allow organizations to protect, detect, and respond to security events that occur within their enterprise. Operations personnel are needed to monitor security events and coordinate response actions. Candidates possessing a technical background, a fundamental knowledge of information security, and the ability to effectively communicate across management and I.T. staff excel as security operators. Though there may be negative perception of operations staff working in a help desk environment, security operations can serve as a stepping stone in your career that will allow you to network and build relationships with the people in your organization that support security specializations you eventually want to work in.

• Administration – The line between traditional I.T. jobs working with network devices, hardware and operating systems, and applications development are rapidly blurring with their information security counterparts. Configuring and maintaining I.T. infrastructure requires personnel possessing highly specialized skill sets. The same goes for configuring and maintaining the security aspects of those systems. It is much easier for someone who specializes on a particular technology platform to transition into a security role for that and related technology than it is for candidates with a security background who lacks technical experience. Use this to you advantage and focus your current career on understanding the security aspects of systems you work with today.

• Engineering – Security engineering is more akin to systems engineering and architecture than it is to building and configuring I.T. systems. If you have a solid background in requirements development and sufficient technical experience to know how to identify requirements that will break a system, this may be a good field for you to pursue. Opportunities are out there for candidates that can understand and decompose I.T. systems into subsystems, understand how systems are interconnected, and understand how to translate security requirements into practical solutions that I.T. teams can implement through appropriate security policies, controls, and mechanisms. The pace at which I.T. evolves and hackers are able to identify and exploit vulnerabilities makes security engineering a continual and rewarding challenge.

• Research – Security research is simply a nerdaliciously sexy path to pursue. Take a pinch of curiosity, a smattering of technical know-how, a whole lot of OCD, and you have the perfect security researcher. Security research is an interesting path within information security in that education and certification take a back seat to experience. If your thing is not just being able to build a system, but rather knowing everything about what a system is made up of, and then being able to break it, this is the field for you. It is also the most difficult path to excel in. Successful security researchers are often products of their own success at single-mindedly focusing on the hard security problems. Whether from an attack or a defense perspective, this is a path where the sky is the limit for the best researchers, and the rest are just ignored. If you can hack it… go for it.

• Management – Sure, you can work as a manager or in other leadership positions within a security team. However, my intent is not to describe what is needed to have a “C” in front of your title. Information Security Management involves auditing systems against security governance and regulations that companies are required to stay in compliance with. It you are experienced leading I.T. teams through rigorous change management processes, you will find that you are also well suited for Information Security Management roles. Begin reading up on security standards published by NIST and ISO, as well as adjacent regulations governing HIPPA, Sarbanes-Oxley, PCI, and others listed in job listings. A working understanding of the terminology, ins-and-outs of each will be needed to positions yourself as a competitive candidate. 

Continue Reading… Tip #5: Be honest with you interviewer.

To succeed with this tip you must be open moving. The willingness to relocate in today’s job market can result in landing exactly the job you are looking for. Be aware though, corporate budgets are tight and you may have to also be willing to fund your relocation if you do land that dream job as an Information Security professional.

If you are willing to make the jump in 2013 and move to a new job market, start by taking a look at nerdwallet’s top 10 cities for job seekers. Chances are high that information technology and security jobs will be found in these fishing holes. From good to great, the most promising cities to look at include:

1. 1. Austin, TX
   2. Washington, DC
   3. San Francisco, CA
   4. Denver, CO
   5. Houston, TX
   6. Fort Worth, TX
   7. Dallas, TX
   8. Seattle, WA
   9. San Antonio, TX
   10. Charlotte, NC

Continue Reading… Tip #2: Know what employers are looking for from Information Security applicants

Don’t Panic! Opportunities will open up so long as you have the knowledge, skills, and understanding of how to best position yourself to compete for them. 

These five tips can help you get a leg up on the competition.

Tip #1: Focus your search on where the jobs are.

Tip #2: Know what employers are looking for from Information Security applicants. 

Tip #3: Know what your Information Security skills are.

Tip #4: Be honest with yourself about your career aspirations. 

Tip #5: Be honest with your interviewer.

Continue Reading… Tip #1: Focus your search on where the jobs are.

White Crane Basic Forms: Hakutsuru So

by Sensei Danita Clarke

I have studied martial arts for nearly 30 years. My training has included Shito Ryu karate, Aikido, kick boxing, and military combatives. For the past six years I have studied Shorin Ryu karate and White Crane Kung Fu under Sensei Danita Clarke. White Crane Kung Fu has proven the most enjoyable style of martial arts I have studied, and this year I have had the pleasure of publishing Sensei Clarke's first iBook, "White Crane Basic Forms Workbook: Hakutsuru So".

The first edition of the iBook is available through the iTunes store, and additional editions are being developed as apps for multiple platforms.

"White Crane Basic Forms Workbook: Hakutsuru So" lays out the concepts, stances, and sequences of movements that students should be familiar with before seeking advanced training in White Crane Kung Fu. 

The workbook is organized by grouped sequences of movements. Video, photos, and textual descriptions for each sequence are presented side-by-side for students to reference while practicing.

In addition to step-by-step descriptions that guide students through their first White Crane kata, there are:

• 3 full length videos of Sensei Clarke performing the kata. Once slowly, once broken into the form's 15 sequences, and once at full speed.
• 15 videos showing the individual sequences.
• Nearly 100 photos showing individual postures and basic stances used throughout the kata.