July 2013 - J Wolfgang Goerlich

Archive for July, 2013

Wolf in the news

Posted July 19, 2013 by Wolf Goerlich

It has been a crazy week. Here are the highlights:

VioPoint released a case study we did on SDLC.

“This was more than a point-and-click assessment, as it was a top-down analysis of both code and infrastructure,” Goerlich explained. “VioPoint’s team engaged my team and my third-party developers at every stage of the project and the deliverables were on time, to spec, and well-polished.”

InformationWeek published a list of 10 IT Leaders to Follow on Twitter.

Abizer Rasheed, president of managed services provider Effortless 24-7, enjoys Goerlich’s mix of IT expertise and his involvement in the IT scene in the Midwest, where Rasheed works. “Wolfgang shares a unique mixture of insights, tech articles, and local happenings in the Michigan tech scene,” Rasheed says. “He has a wry sense of humor and an ear towards dialog, intertwining humorous anecdotes alongside with his hard-edge technical posts. Wolfgang’s feed is one-of-a-kind among the many IT leaders on Twitter and I find it highly valuable.”

Tripwire highlighted InfoSec’s rising stars and hidden gems: the defenders.

“Goerlich is described as a superb leader who mixes his deep interest and knowledge of technology and security with his management experience and business understanding, as evidenced by his 2012 InfoWorld Technology Leadership and his 2008 IDG Best Practices in Infrastructure Management awards. Goerlich is also a well known podcaster, avid Twitterer, and a co-organizer for events like the BSidesDetroit.”

I thank Tripwire, InformationWeek, and VioPoint for the write-ups. It is gratifying to see the work my team does recognized. I wish I could say we are taking the weekend off. But truth be told, upgrades wait for no one, and this will be a working weekend.

Cheers,

Wolfgang

Building a better InfoSec community

Posted July 15, 2013 by Wolf Goerlich

How can we build a stronger community of speakers and leaders? I have a few thoughts. In some ways, this is a response to Jericho’s Building a better InfoSec conference post. I disagree with a couple of Jericho’s points. To be fair, he brings more experience in both attending conferences and reviewing CFPs. For that reason and others, I have a slightly different perspective.

Engagement should be encouraged, heckling discouraged. Hecklers and those looking to one-up the speaker should be run out of the room. But engagement, engagement is something different: sharing complementary knowledge, and pointing out ideas. Engagement is about raising everyone in the talk.

At the BSides Detroit conference, during OWASP Detroit meetings, and during MiSec talks, we get a lot of engagement. Rare is the speaker that goes ten or fifteen minutes without being interrupted. It is a good thing. If the audience has something to add, let’s get it in the discussion. If the speaker says something incorrect, let’s address it right off. In fact, many talks directly solicit feedback and ideas from the audience. Engagement, to me, is key to building a stronger local community.

Participation should be encouraged, waiting for rockstar status discouraged. I have seen people sit on the sidelines waiting until they had just enough experience, just enough content, just enough mojo to justify being a speaker. The only justification a community needs to accept a speaker is that the speaker is committed to putting the time into giving a great talk.

At local events, we have a mixed audience. I believe that every one of us has a unique perspective, a unique skillset, and a unique knowledge. True, a pen-tester with 20 years of experience might not learn anything from someone with only a few years. Yet not all of our audience are pen-testers. It is the commitment to put together a good talk, practice it, research past talks of similar nature, and solicit feedback that marks someone as a good presenter.

Let me give an example. At last week’s MiSec meeting, Nick Jacob presented on PoshSec. Nick (@mortiousprime) is interning with me this summer and has a total of ten weeks of paid InfoSec experience under his belt. Don’t get me wrong. Nick comes from EMU’s program and has done a lot of side work. But a 20 year veteran, Nick is not.

Nick’s talk was on applying PowerShell to the SANS Critical Security Controls. He structured his talk with engagement in mind. He covered a control and associated scripts for five or ten minutes, and then turned it over to the audience for feedback. What would the pen-testers in the room do to bypass these controls? What would the defenders do to counter the attacks? All in all, the presentation went over well and everyone left with new information and ideas. That is how to do it.

In sum, the better InfoSec communities remove the concerns speakers have about being heckled and being inadequate. A better community stresses engagement and participation. Such communities do so in ways that open up new opportunities for new members while strengthening the knowledge among those who have been in the profession a long time.

That is the trick to building a better InfoSec community.