I observe three basic types of people working in the IT field: kings, sages, and cogs.

The King

The king is one who has complete control over how they are going to orient a given IT shop. He creates strategy and manages the implementation of that strategy. Most importantly, he can come up with his own ideas and implement them. Think director, VP, CTO, or CIO.

1% of the workforce.

The Sage

The sage is the person that everyone listens to. He may not get to (or even be in the position to) implement the changes he proposes, but when he proposes a solution to a problem it gets taken seriously by those who can make the changes. Think high quality consultant.

9% of the workforce.

The Cog

A cog is an employee in a large organization who simply implements the vision put forth by someone else. He has no real pull with the kings of the organization and is not respected as a sage. This is the average IT worker bee.

90% of the workforce.

Which Are You?

In general, to attain fulfillment in IT one must be either a king or a sage. Being a cog is deeply depressing to any who values his intellect and creativity. In both the king and the sage’s cases, they can see a problem, have a flash of genius, whiteboard a solution, and either implement it or recommend it be implemented with good chances that it will be.

Cogs, on the other hand, are bodies. They are there to write code, create pretty documents, or to flip switches. What they are not there to do is give meaningful input, and when they attempt to do so it’s usually greeted with a polite smile and promptly disregarded. Ideas from cogs are viewed as amusing to management–like a child pretending to be an adult.

Of course, these roles often mix together. Everyone in IT is, to some degree, a cog for the business, and some cogs are treated like sages by their management. But in general, the gravity within large companies encourages sages to become cogs. In short, if you regularly identify serious problems, know how to fix them, constantly mention this only to be summarily ignored–you’re a cog.

Life is Short

Be a king. Be a sage. Don’t be a cog. Life is too precious, and this is all the time we get. Don’t waste it in an environment that stifles creativity and weighs on the soul. ::

Nice job, man.

Well, after three years as a consultant I am re-entering the corporate world. I’ll be working with a great company (Fortune 200) that has been voted by Fortune nine years in a row as one of the best 100 companies to work for. It was an excellent opportunity that I simply couldn’t pass up.

Some things I’m looking forward to with the move:

1. Being with my fiancé
2. Not living in two places anymore
3. Enhancing my core technical knowledge
4. Going back to school
5. Re-energizing my home network

Anyway, it’s an interesting time to start a new chapter — January 2008, while the economy seems to be on the verge of tanking. Here’s to hoping for the best.

Oh, and expect a lot more technical content. :)

Cheers,

-Daniel

[ The Working Dead ]

I say yes.

Martin McKeay from Network Security Blog disagrees. He writes:

I kind of like Daniel Miessler’s writing and think he has some good posts, but he totally misses the point of the CISSP when he complains about CISSPs who can’t program a home network. The CISSP isn’t aimed at testing someone’s ability to program their Linksys router, it’s aimed at testing someone’s ability to think about the philosophy of security.

Ok, here’s the thing: part of the CISSP is technical. They cover everything from trojans to encryption algorithms to covert channels. It’s just an overview, but it’s part of the CBK for a reason.

If the fundamental networking knowledge required to configure a Linksys router isn’t within a candidate’s grasp, then they shouldn’t be discussing security philosophy with anyone. As Martin points out, this is a management certification. Don’t we already have enough managers who learn big buzzwords like risk management and don’t know even the fundamentals of that which they are trying to protect?

Why do you think they teach generals how to fight and require them to move up the ranks before letting them command large armies? It’s because that knowledge of the lower-level capabilities is what offers the foundation for making sound decisions at the higher levels.

Think about the decisions that security managers are supposed to be making — how to implement a DMZ, host IPS vs. network IPS, DLP?, NAC?, how to publish information in a secure fashion within an extranet. Can one effectively make these decisions without basic networking knowledge? One can say, “secure that”, but if you don’t have any knowledge of what it entails then you’re not adding any value to the organization.

Quite simply, managers who don’t know the basics are dangerous. They have all the power and none of the knowledge. This combination leads to frustrated employees, poor policy making and negative outcomes for their organization.:

p style=”text-align: center”> aotmp.com

I’ve had some discussions about how the GIAC GSEC credential compares to the CISSP in terms of difficulty and respectability. Here is one such discussion from a forum I frequent.:

The main reason the CISSP in more respected is because of the standards the ISC2 has established, such as proving the identification of the applicant, verifying they meet the experience requirements, and the way the exam is hosted.

That definitely earns the exam some respect, to be sure, but keep in mind that the first time pass rate is over 70%.

I would give you this analogy: The CISSP is like taking the SAT’s You walk into a room with just a pencil and take a 6hr, 250 question exam that many of the times has more than 1 right answer but you have to draw on your experience to determine which one is “more right” The GSEC is like creating and turning in an Essay and taking an open book test.

Ok, let me put it this way, which of those two scenarios do you think represents reality in the infosec world? Cramming facts and regurgitating them via #2 pencil, or dealing with harder, more technical questions with access to any book and any search engine you want?

It’s the latter.

That’s what problem-solving is — you have Google, you have the text books, you have anything you want. That doesn’t make complex problems easy, it just makes them possible. That’s how the real world works.

Put it this way, I’d be willing to bet that 50% of all CISSPs don’t know what netcat is. What does that say about their infosec skills? What percentage of GSEC holders know what it is? Probably 99%.

Don’t confuse world-wide acceptance with proof of superiority. CISSP is standard, it requires experience, and it’s got a good, broad base of questions, but it’s the kind of test people cram for, pass, and then forget the material it was made up of. That’s not a good measure of a dedicated, technical infosec professional; it’s more a measure of someone who takes their career seriously and knows how to study.

I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.

More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge – not for testing whether or not you’d be qualified to actually do anything.

Don’t get me wrong, if you are going to do one first, or only one of the two, I’d say get the CISSP. It’s more recognized and more respected than any other cert out there. All I am saying is that you shouldn’t confuse this with its difficulty. Almost nobody knows anything about the GSE certification either, but the two PhDs that have it said it was harder to get than their degrees.

I think after you have both you may see it more the way I do. I’d hire a GSEC holder to do some security on a network with significantly less reservation, whereas a CISSP-holder would have to go through the same sorts of checks that someone with nothing more than a 4-year degree would. Just because they can study and take themselves seriously doesn’t mean they know or love their discipline.:

Work on the report every day; do NOT wait until the end. And don’t let anyone else come between you and your deadline ever again.

Bad, bad form.

[ This resource is still available, but is now located at its permanent home at:

>> danielmiessler.com/study/infosec_interview_questions/

You will be redirected shortly; please update any references. Thank you.]

1. Be Passionate About It You can’t get to the top if you don’t truly love what you do. You can do decently well by grinding through, of course, but you won’t ever see the upper levels. This is especially true in infosec where it takes so much continual effort to stay current. I’ve seen dozens of “security professionals” in the field because they heard “there’s money in security”. That’s simply not good enough.
2. Be An Engineer, Not A Technician If you don’t understand how things work then you will stay at the bottom of the ladder in this field. Knowing how to operate things isn’t going to cut it. Problem-solving, which is ultimately what good consultants and other infosec professionals do, requires an understanding of the problem at hand, as well as how any proposed solution functions. You can’t be a button-pusher and get to the top.
3. Don’t Be Intimidated By Anything Many people in I.T. are pretty solid with a few technologies but have areas that they’ll never get into because they view them as scary. I often hear, “Oh, that’s programming, I’m not touching that.”, or “I don’t mess with that Unix stuff.” That kind of approach will keep you limited for life, and for a security professional it’s pretty much a sign you aren’t going anywhere. The top security pros approach the unknown very similarly, i.e. by saying, “That can’t be too hard…” That’s the attitude you need to have.
4. Combine Book Knowledge with Hands-On Many screw this up in one direction or the other, and it’s not something you can get away with easily in information security. In this field you need to not only study theory but also know how to implement that knowledge in real-world situations. If you study diligently but can’t apply it, you’re dead. Alternatively, if you can implement but don’t understand underlying concepts you’re dead there too (see above). I strongly recommend that beginners invest in a serious lab environment and implement what they find interesting during their studies. Nothing is more effective as a learning tool (for me, anyway) than studying something academic/theoretical and then seeing it come to life in your lab.
5. Sharpen Your Communication Skills Few things are as important as the ability to communicate well. This includes both verbal and written communication. It’s not enough to know lots of things; you have to be able to get that knowledge to your clients/users/management in a way that is useful to them.

   Imagine you have two ratings on a scale of 1-10 — message and interface — and that the overall impact of your communication is the product of the two. So if your message is a 10, but your interface to the client (how well you communicated it) was only a 2, your overall score is just a 20. But if your message is a 9 and your interface is an 8 then your score is a 72. You need both solid content and the ability to convey it to others.

6. Keep In Mind That There Are People Out There That Make You Look Silly Staying humble is another key attribute. If you think too much of yourself you’ll relax and stop growing. It’s important to realize that there are others that completely dwarf your skills in many areas. Check out some different newsgroups, browse different IRC channels for security related content, etc. Seek out those you can learn from.

The good part about it is that I get to save a ton of money. Food is actually my biggest expense, and three months of someone else supporting that is going to net me a couple grand. That combined with a bonus arriving during that time will yield a hefty sum for the savings account.

I’m also enrolling in college again as of October, so I’ll be doing that and playing WoW at night during the whole engagement. Fun fun. Dragonmaw server, btw…email me if you want to game.

Hopefully I’ll be able to bring my girlfriend up to see me as one of my paid breaks. She’s never been to NYC so we’re going to go do the necessary stuff: WTC, Empire State Building, Central Park Ice Skating, 5th Avenue, etc. Should be cool.

Question 1: Using the space provided, write an improved implementation of a UDP checksum calculation in binary. (Note: the use of the 1 and 0 keys are not allowed) Question 2: Stand up and run as fast as you can into the nearest wall. Get up and come back to resume your exam.

…and those were just the warmup questions… Nah, but seriously. Very hard test. This one I’m proud to have…

I have over 90 hours (from a “regular” school) and all I lack is some core, but despite my now excellent CV I still feel the pang of inadequacy due to not having finished my degree. So I’m considering once again doing something about it — sooner rather than later. I’ve always known I am going to finish before moving into management at around 40, but maybe I can do it earlier — online.

I’m considering University of Phoenix Online, which seems to be the premier option, but I still have some negative thoughts about the whole online thing. I wonder if others will feel the same way, e.g. hiring managers, peers, etc., or if it ultimately won’t matter. At this point I almost think the BS degree is a “check the box” issue more than anything else. You either have one or you don’t.

The program I’m looking at actually seems pretty cool; it’s a bachelor of science in information security:

Bachelor of Science in Information Technology/Information System Security

So what are your thoughts on the matter. Do I ruin my reputation by having one of these degrees? Or is it a “just get one” scenario where all that matters is that it’s an accredited school?

Any input would be appreciated…

The next one is noticeably harder, though. It’s more on snort and IDS than general TCP/IP knowledge. In my opinion, it’s the “real” test of the two. I’m confident, however, as I just did a practice test for it and passed (not by much) without using any resources…

Yeah, feelin’ good…

I’ve had to put forth relatively little effort to get the certifications I have thus far, but I’m thinking this one’s going to be different. This one is the first that’s supposed to represent actual expertise, as opposed to just familiarity.

Anyway, If you see me posting about being the latest GCIA-certified mofo in town, you’ll know I passed. If you hear nothing at all…that means it didn’t go so well. Here’s to hoping it’ll be the former…

LINK: A Guide To Information Security Certifications

I have to say that I’ve also found this to be true, but not for the reasons I thought. I thought it was an issue with technical ability, but it’s not. It’s not that the consultants I’ve seen are weak technically; their problem is that they seem to have very little regard for what clients want and need, which, if I were to nitpick, is of at least moderate interest.

I’ve seen on a number of occasions where the consultant comes in and essentially starts preaching to his flock. This is how it’s going to be, we know what’s best for you, etc. They simply fail to listen, and what makes it worse is that they seem to favor pre-packaged solutions over those that are customized. Of course, in order to customize a solution they’d have to listen to the client, which could be part of the problem.

At any rate, while it’s bad for most clients (since they’re dealing, by definition, with most consultants), it’s actually quite positive for me. I’m coming to realize that I can be at a major disadvantage technically, i.e. not even in my area, and still offer far more to the client than a so-called expert. The reason for this is simply the willingness to truly listen to the problems that a client is facing, and then follow-up with efficient, customized solutions.

Perhaps it’s bad business to do this; perhaps I’m being naiive about how consulting works. I’m willing to accept that as a possibility. I do know, however, that it’s not possible to make money doing using my approach then I will simply move on to something else. I refuse to become what I see in these others. For the time being, though, I’m going to continue with my theory that you can make money consulting in this ideal, enjoyable way.

We shall see.

I have the answer (lucky you).

In the past the answer was a resounding, “college”. This is because anyone who had gone through four years of arduous study in various disciplines was simply exposed to more and able to adapt easier to assorted challenges.

This isn’t the case anymore. These days, many college graduates can scarcely read and write — let alone do mathematics or logically approach problems.

The rise of the importance of certifications is simply a response to this fact. Managers need something to go by, and they have been shown time and time again that a four-year degree isn’t a guarantee of anything. So, in the absense of that benchmark they’re being forced to choose another — certifications.

It’s really that simple — as the quality of university graduates fall, employers’ dependency on and requirement for certifications will rise.

“The test of whether people love what they do is whether they’d do it even if they weren’t paid for it– even if they had to work at another job to make a living. How many corporate lawyers would do their current work if they had to do it for free, in their spare time, and take day jobs as waiters to support themselves?”

Link: How To Do What You Love

http://www.iwillteachyoutoberich.com/archives/2005/11/your_college_is.html