|By Hurricane Labs||
|December 18, 2012 03:33 PM EST||
Five Ways to Hire an InfoSec Consultant
By: Bill Mathews
This is not a nice post. This is not a post about posing great interview questions or how to tell if someone can actually do the job. No, this is a post about how to watch out for people you want to hire to help your company. You know the ones – the con-sultants, the slick ones, the rockstars, the ones you should fear. Some of these guys can be worse than the actual bad guys and here are five things to look for when you’re trying to spot them.
Are they promising you the world? One thing about information security that you should know upfront: there are absolutely no magic bullets. Anyone promising you one from a product or a particular process is lying to you. It requires a blend of products and a blend of methods, no shortcuts will help you – period.
2) Rock Out with Your NOC Out
Are they rockstars? So-called rockstars happen in every industry, it is just human nature and cannot be helped. The problem I’ve seen with most rockstars (almost universally in infosec) is that they are not the least bit interested in your problems. They are interested in getting paid and increasing their already big, and in most cases, undeserved reputations. You really have to be careful with these folks – a lot of them are just naturally talented public speakers so they get it on at various conferences and accumulate massive Twitter followings, making them think that those alone qualify them to dispense advice on applications and networks. In most cases, and sadly I’m not overgeneralizing here, they’ve never had any operational roles so they don’t really know what works and what doesn’t. So if it isn’t in the buzzword dictionary sitting in their blazer pocket, it just isn’t valid in their world. You’ll know these people by their insistence that whatever you’re currently doing is wrong – you should be using the method they developed or their tool they wrote because that is the only way to solve your problem. They won’t really listen to you, usually just nodding along with whatever you say until you hit the keyword they need in order to tell you how cool they are. Of course there are some “good” rockstars, so if you’re set on hiring an allstar look for one who has had operational roles in the past and actually appears to listen. Chance are though if they do that then they are very bad rockstars.
3) Lazy Web
Watch the website. Does it ever change? Chances are if they don’t have time to devote to their own website they’ll never get time to devote to protecting yours. Avoid the companies that never update their website or only list their products and services. Try to find one that offers practical advice and is active in the security community. When you’re looking for an outside company to help with your information security, try to find one that has something of their own to protect – a web service or their own network, many do not. This is a really self-serving one because, well, this is how our website is set up and we have a fairly sophisticated network of our own that we protect.
4) Agree to Disagree
Are they really just that agreeable? Good security people are contrarians, they just are. It is either the industry that attracts them or it creates them, either way few people in it are described as agreeable. If you’re in a pre-sales meeting and the sales person or consultant is constantly agreeing with everything you say, ask them what you need to hire them for if everything you’re doing is so right. I use this technique on a lot of our vendors because they are constantly nodding along and agreeing with everything we’re doing. They’re usually taken aback by that question but it really tells you who you’re dealing with. You need to know, upfront, what they are going to really be able to help you with. It is dangerous to have a security person agreeing with you all the time. Conversely, they shouldn’t be disagreeable for the sake of being disagreeable, you have to strike a balance. This is a tough one because, as I said, the industry is filled with both contrarians and slick-haired salespeople. You need the former but should forego the latter. Someone can be a skeptic or a contrarian without being completely disagreeable or being a miserable person to be around.
5) Auditors in Disguse
Beware the auditor in a security person’s clothing. There are literally thousands of information security consulting companies out there. There are probably as many ways to categorize them as there are letters in the alphabet but let’s take a look at just two. The technical group and the auditor group. Now let me say upfront that I’m not denigrating real auditors here, the people that really do the audit job, I’m denigrating the pretenders here. You will find this very prevalent with companies that do penetration testing or vulnerability assessments. For a proper penetration test you really need a good technical person that can communicate both the technical risks and the business issues associated with that risk or exploit. You’ll be hard pressed to find this in just one person, so you want to hire someone with a penetration testing team as opposed to just some solo testers acting as a team. You’ll have a rough time finding the right team and you’re bound to make a few mistakes, but you really do need the best of both worlds.
Now penetration testing service companies come in two flavors – again the very technical and the not-so-technical auditing tester. Penetration testing is difficult and is very technical, so you cannot rely on a person just checking boxes to call your network well tested. You need someone who is doing more than just running a scanner and calling it done, you need a person who can actually exploit the vulnerabilities found. This is a skill that requires some sophistication and usually doesn’t lend itself well to “normal” people. You never want an auditor performing a penetration test and, vice versa, you would never want a penetration tester performing an audit. Why these two things are fused together so much is beyond me. If you’re hiring for a penetration testing company then hire for that, if you just need some audit work then hire for that – but do not hire one set of people and think you’re done, they are entirely different skills.
Of course, there is no 100% guarantee when it comes to the hiring process – you almost never see their true colors until it’s just too late. Be sure to keep sharp and use a little common sense when following these guidelines. If there’s anything else you think you should look out for, leave it in the comments!
The Internet of Things. Cloud. Big Data. Real-Time Analytics. To those who do not quite understand what these phrases mean (and let’s be honest, that’s likely to be a large portion of the world), words like “IoT” and “Big Data” are just buzzwords. The truth is, the Internet of Things encompasses much more than jargon and predictions of connected devices. According to Parker Trewin, Senior Director of Content and Communications of Aria Systems, “IoT is big news because it ups the ante: Reach out ...
Jul. 31, 2015 07:00 AM EDT Reads: 401
Where the Network Got Invited to the Party By @LMacVittie | @DevOpsSummit #DevOps #Docker #Containers #Microservices
At DevOps Summit NY there’s been a whole lot of talk about not just DevOps, but containers, IoT, and microservices. Sessions focused not just on the cultural shift needed to grow at scale with a DevOps approach, but also made sure to include the network ”plumbing” needed to ensure success as applications decompose into the microservice architectures enabling rapid growth and support for the Internet of (Every)Things.
Jul. 30, 2015 08:15 PM EDT Reads: 1,769
Modern DevOps Tool Kit By @Logentries and @NewRelic | @DevOpsSummit #DevOps #Containers #Microservices
Auto-scaling environments, micro-service architectures and globally-distributed teams are just three common examples of why organizations today need automation and interoperability more than ever. But is interoperability something we simply start doing, or does it require a reexamination of our processes? And can we really improve our processes without first making interoperability a requirement for how we choose our tools?
Jul. 30, 2015 08:15 PM EDT Reads: 413
Designing the IT Architecture of the Future with Adrian Cockcroft | @DevOpsSummit #DevOps #Docker #Containers #Microservices
Our guest on the podcast this week is Adrian Cockcroft, Technology Fellow at Battery Ventures. We discuss what makes Docker and Netflix highly successful, especially through their use of well-designed IT architecture and DevOps.
Jul. 30, 2015 08:00 PM EDT Reads: 780
[slides] A New Architecture for the Internet of Things By @JKirklan | @ThingsExpo @RedHatNews #IoT #M2M #InternetOfThings
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Arch...
Jul. 30, 2015 07:30 PM EDT Reads: 1,395
This week, I joined SOASTA as Senior Vice President of Performance Analytics. Given my background in cloud computing and distributed systems operations — you may have read my blogs on CNET or GigaOm — this may surprise you, but I want to explain why this is the perfect time to take on this opportunity with this team. In fact, that’s probably the best way to break this down. To explain why I’d leave the world of infrastructure and code for the world of data and analytics, let’s explore the timing...
Jul. 30, 2015 05:45 PM EDT Reads: 379
Take the Long View with Digital Transformation By @IoT2040 | @ThingsExpo #IoT #M2M #API #Microservices #InternetOfThings
Digital Transformation is the ultimate goal of cloud computing and related initiatives. The phrase is certainly not a precise one, and as subject to hand-waving and distortion as any high-falutin' terminology in the world of information technology. Yet it is an excellent choice of words to describe what enterprise IT—and by extension, organizations in general—should be working to achieve. Digital Transformation means: handling all the data types being found and created in the organizat...
Jul. 30, 2015 05:00 PM EDT Reads: 1,089
Alibaba, the world’s largest ecommerce provider, has pumped over a $1 billion into its subsidiary, Aliya, a cloud services provider. This is perhaps one of the biggest moments in the global Cloud Wars that signals the entry of China into the main arena. Here is why this matters. The cloud industry worldwide is being propelled into fast growth by tremendous demand for cloud computing services. Cloud, which is highly scalable and offers low investment and high computational capabilities to end us...
Jul. 30, 2015 04:45 PM EDT
[slides] Workloads and Public Cloud at @CloudExpo By @utollwi | @ProfitBricksUSA #DevOps #Containers #Microservices
Public Cloud IaaS started its life in the developer and startup communities and has grown rapidly to a $20B+ industry, but it still pales in comparison to how much is spent worldwide on IT: $3.6 trillion. In fact, there are 8.6 million data centers worldwide, the reality is many small and medium sized business have server closets and colocation footprints filled with servers and storage gear. While on-premise environment virtualization may have peaked at 75%, the Public Cloud has lagged in adop...
Jul. 30, 2015 04:00 PM EDT Reads: 2,203
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
Jul. 30, 2015 03:45 PM EDT Reads: 448
The Software Defined Data Center (SDDC), which enables organizations to seamlessly run in a hybrid cloud model (public + private cloud), is here to stay. IDC estimates that the software-defined networking market will be valued at $3.7 billion by 2016. Security is a key component and benefit of the SDDC, and offers an opportunity to build security 'from the ground up' and weave it into the environment from day one. In his session at 16th Cloud Expo, Reuven Harrison, CTO and Co-Founder of Tufin,...
Jul. 30, 2015 03:00 PM EDT Reads: 488
MuleSoft has announced the findings of its 2015 Connectivity Benchmark Report on the adoption and business impact of APIs. The findings suggest traditional businesses are quickly evolving into "composable enterprises" built out of hundreds of connected software services, applications and devices. Most are embracing the Internet of Things (IoT) and microservices technologies like Docker. A majority are integrating wearables, like smart watches, and more than half plan to generate revenue with ...
Jul. 30, 2015 02:30 PM EDT
Jul. 30, 2015 02:00 PM EDT Reads: 285
One of the ways to increase scalability of services – and applications – is to go “stateless.” The reasons for this are many, but in general by eliminating the mapping between a single client and a single app or service instance you eliminate the need for resources to manage state in the app (overhead) and improve the distributability (I can make up words if I want) of requests across a pool of instances. The latter occurs because sessions don’t need to hang out and consume resources that could ...
Jul. 30, 2015 01:00 PM EDT Reads: 181
[session] DevOps State of Mind By @RedHatNews | @DevOpsSummit #DevOps #PaaS #Jenkins #Kubernetes #Docker
Rapid innovation, changing business landscapes, and new IT demands force businesses to make changes quickly. The DevOps approach is a way to increase business agility through collaboration, communication, and integration across different teams in the IT organization. In his session at DevOps Summit, Chris Van Tuin, Chief Technologist for the Western US at Red Hat, will discuss: The acceleration of application delivery for the business with DevOps
Jul. 30, 2015 12:45 PM EDT Reads: 1,114
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Opening Keynote at 16th Cloud Expo, S...
Jul. 30, 2015 12:00 PM EDT Reads: 2,053
What’s New in the World of Application Analytics By @MikeAnand | @DevOpsSummit #DevOps #API #APM #Microservices
Software is eating the world. The more it eats, the bigger the mountain of data and wealth of valuable insights to digest and act on. Forward facing customer-centric IT organizations, leaders and professionals are looking to answer questions like how much revenue was lost today from platinum users not converting because they experienced poor mobile app performance. This requires a single, real-time pane of glass for end-to-end analytics covering business, customer, and IT operational data.
Jul. 30, 2015 12:00 PM EDT Reads: 1,308
Approved this February by the Internet Engineering Task Force (IETF), HTTP/2 is the first major update to HTTP since 1999, when HTTP/1.1 was standardized. Designed with performance in mind, one of the biggest goals of HTTP/2 implementation is to decrease latency while maintaining a high-level compatibility with HTTP/1.1. Though not all testing activities will be impacted by the new protocol, it's important for testers to be aware of any changes moving forward.
Jul. 30, 2015 11:30 AM EDT Reads: 158
[video] An Interview with @ProfitBricksUSA CEO @AchimWeiss | @CloudExpo #DevOps #Docker #Containers #Microservices
"ProfitBricks was founded in 2010 and we are the painless cloud - and we are also the Infrastructure as a Service 2.0 company," noted Achim Weiss, Chief Executive Officer and Co-Founder of ProfitBricks, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
Jul. 30, 2015 11:15 AM EDT Reads: 1,123
You often hear the two titles of "DevOps" and "Immutable Infrastructure" used independently. In his session at DevOps Summit, John Willis, Technical Evangelist for Docker, covered the union between the two topics and why this is important. He provided an overview of Immutable Infrastructure then showed how an Immutable Continuous Delivery pipeline can be applied as a best practice for "DevOps." He ended the session with some interesting case study examples.
Jul. 30, 2015 10:15 AM EDT Reads: 166