Hiring the modern IT Security Professional

This post sponsored by the Enterprise CIO Forum and HP.

I just finished reading Rafal Los’ piece on the Enterprise CIO Forum titled Hiring information security talent a challenge.

Its a good piece that highlights the difficulty of hiring quality IT profiessionals int he security space.  In the article, Rafal highlights two key areas that he argues are causing the challenges…they are:

  • The lack of technical talent
  • The lack of business-savvy analysts

On the lack of technical talen, Rafal says:

CISOs I’ve spoken to primarily complain about the lack of skilled technical information security workers out there to hire.  The ones that are left are the low-level talent or fresh-out-of-college persons with only a command of the ‘concepts’ of security rather than the practice.

On the lack of business-savvy analysts, he writes:

When the CISO does find a technically qualified candidate the big question becomes does that candidate have the business savvy to be more than a blunt instrument?  What is critical for many security organizations is finding people who can apply security and risk principles to the business, and understand the business is the driver for security, not the other way around.

While I don’t disagree with either of these challenges, I’d also argue that another challenge facing many CISO/CIO and IT groups is much more fundamental. That challenge is the challenge of developing your people.

If you don’t train and develop your folks…and your competitors don’t train their folks…then of course there will be a shortage of good folks in the future.

Rafal goes on to offer the following solutions:

  • Find a good recruiter to help find the right talent.
  • Outsource/offload non-business critical work so your security people can focus on critical security tasks.
  • Increase incentives to keep people on your team
  • Work with HR to have them help you find talent within your organization.

While I agree these approaches are useful, there’s a few things that cause me to stop and think.

First…finding a good recruiter who can help you find the ‘right’ talent in the Security space is probably harder than finding the right security professionals. That said, its an ideal approach if you can find someone who has transitioned from IT Professional to Recruiter and can really dive into the backgrounds of candidates .

Increasing incentives will always help…but many times its not the ‘pay’ that drives people away. There are many reasons that drive people to change roles/companies. A few of these reasons (from my experience) are: lack of leadership; lack of advancement opportunities, lack of training opportunities, lack of challenges/new technologies….and there are many more.  So…saying that Increasing incentives will help solve the hiring challenge isn’t exactly true.  While it can help in some instances, it won’t help in all of them.

Rafal’s last point of working with HR to have them help find talent in the organization is a great idea. At every place I’ve ever worked, there have been people working outside of IT that had the right skills and mentality to work inside IT but they could never quite find the “in-road” to make the transition.     If the CIO and IT group can put a program in place to build up an internal (and external) identification program, the hiring challenge will be become a good deal easier.

Lastly..hiring for IT has always been a challenge.  There will always be the conundrum of hiring ‘new’ folks (those straight out of college) or hiring experienced folks. At the end of the day, its one of the many challenges that the CIO must face and find ways to work around.

Image Credit: escher_relativity by By williamcromar on flickr

This post sponsored by the Enterprise CIO Forum and HP.

The CIO Paradox by Martha Heller – a book review

Note: I received a reveiw copy of The CIO Paradox.  The review below made up of PR material provided to me as well as my reading of the book.

Martha Heller was kind enough to reach out to me to offer me an advance copy of her new book titled “The CIO Paradox: Battling the Contradictions of IT Leadership“.

Before I jump into the book, a little background on the author and the book

If you don’t know Martha’s background, you should.  She’s written for CIO.com and was the founder of CIO Magazine’s CIO Executive Council and is currently the President of Heller Search Associates, a firm specializing in recruiting CIO’s and other IT leaders.

According to the PR sheet that came with the book, the book covers:

…a set of opposing forces, such as the power of technology versus the power technology leaders hold, which besiege IT executives and their battle for success every day.  Going beyond mere business advice, Heller uses her tenured experience as an IT thought leader to articulate the problematic structure of the Chief Information Officer role into a savvy, engaging, and sage resource for all involved in running a business.

The “paradoxes” described in the book are split into four main categories. they are:

  • The CIO Role: You’re Damned If You Do, and You’re Damned If You Don’t
  • The Stakeholders: Will the Business Ever Love IT?
  • The CIO’s Staff: They Just Don’t Make Them Like That
  • The Future: What’s Next for the CIO?

When I first picked up the PR sheet and saw these paradoxes, I was intrigued…because these ‘paradoxes’ really are some of the biggest issues facing CIO’s today….and the “Stakeholder” paradox has always seemed to be the hardest one to solve to me.

The problem of “will the business ever love IT?” is an extremely difficult one to solve.  Sure…CIO’s and IT professionals can spend time with the rest of the organization to build relationships and ‘get to know’ everyone…but that’s not enough.

There’s more to solving this particular problem.  You don’t just automatically change people’s opinions of you and your team, especially after years of being the team that says “no” to everyone.   There’s some major work to be done in the cultural area of IT departments to address the Stakeholders paradox.

I’ll get off my soapbox now…and let Martha get on hers.  In this book,  She does a very good job outlining these four major paradoxical areas and how to go about “breaking” these paradoxes.  Martha writes:

“The keys to solving the CIO Paradox, or ‘breaking the paradox, lie in the experiences, thoughts, lessons learned, philosophies, wit and wisdom of all those CIOs who are actually doing these jobs.”

The last chapter provides a nice checklist that can be used to ‘break’ the paradox. In this chapter, Martha provides a few excellent suggestions for breaking the paradox.    A few of the more interesting items found in this final chapter:

  • Develop Well-Rounded People – Its not enough to have IT Operations folks who only know IT Operations. You’ve got to build a team of well-rounded and experienced people that can work in many diverse areas.
  • Recruit Well – Simply said, difficult to do.   But..necessary.
  • Change the Context – stop thinking about “IT” and start thing about the business.
  • Reach out – you can no longer live within your IT world. You must reach out and build lasting relationships with the rest of the organization and your customers.
  • Lead – Again…simple to say, but tough to do. The CIO must be a leader first and foremost….you can’t sit in your office  hoping things get done…you’ve got to make sure they get done.
  • Simplify – Love this From Page 216 ->  The more simplicity you build into your IT organization, the more complexity you can handle.

The book has some great stories about how real-world CIO’s have addressed the paradoxical world they live in.  In addition, it is quite differnet than any other book I’ve read that has been targeting the CIO role. It delivers not only stories on how others have done things, but ideas for things you can do to make it through the paradoxes found in your world.

It is well written and an excellent read. Highly recommended.

Staying flexible in a complex world

This post sponsored by the Enterprise CIO Forum and HP.

Complex can be good. Processes can be complex and still work just fine.

Complex is often the answer.

But staying flexible in a complex world is one of the toughest things a CIO and IT Professional can do.

Enterprise Security is complex…as it should be.  Take a look at a Risk Model from the Enterprise CIO Forum in a post tilted Information Security Risk Model: Switch Lensesby Gideon T. Rasmussen.   In that post, Gideon provides a very complex model for risk.  He defines a risk model as:

…a useful tool for defining how a security function identifies and mitigates risk. This article explains how to document your current risk model, evaluate its effectiveness and plan for changes to better mitigate risk moving forward.

Go read that article and you’ll see complex…but its complex because it has to be.  Security is complex. Risk Management is complex.

The key is to take that risk model (or any risk model) and implement it so that this complex model and process has flexibility for new services/data.

The ability to remain flexible is key.  We in IT know our jobs are complex. We tend to tell everyone that will listen that our jobs are complex.  But…we usually have a hard time being flexible  We tend to say ‘no’ very quickly because we know that saying ‘yes’ will lead to more work and more complexity.

In the realm of Enterprise Security, processes and systems are complex for a reason.  They have to be…there are a ton of working parts to get right.  That said, while focusing on the complex, those responsible for Security must also be cognizant of the ability to remain flexible and ready for change. We see new platforms, new data, new products come around daily…and we need to remain flexible enough to incorporate the ‘new’ into the complex.

As IT professionals today’s, we have to stay flexible for these changes.   We can’t just say ‘no’ to new data and platforms in the era of data.

The key question…how do we provide our complex services and processes in a world where flexibility is key?  How do we secure our data platforms when we have new data and platforms created daily?

Image Credit: flexible wooden sheets by SNIJLAB on flickr

This post sponsored by the Enterprise CIO Forum and HP.

More on Education for Enterprise Security

This post sponsored by the Enterprise CIO Forum and HP.

In my last post, Education – the key for Enterprise Security, I wrote about the need to educate the organization on the need to think about IT Security.

In that post, I included a photo of a door. A door that had no walls around it.

That door with no walls is a nice visual of many organizations today. We spend a lot of time and money focused on the doorways that we ignore the walls.

We put a lot of money into the technology to control access, but neglect to put money into education to make sure the walls around the doorways aren’t torn down.

And… that’s exactly what is happening in most organizations today. Groups are tearing walls down. They are doing this with Shadow IT and BYOD. They are destroying walls for a great purpose…the betterment of the organization…but they are introducing security risks without understanding the dangers.

As  I pointed to in my last post, Christian Verstraete wrote on this  post titled Keeping Cloud in mind when you look at your security where he wrote:

Pro-actively define your security strategy. Decide what an acceptable risk level is. Choose and implement tools and procedures accordingly and train, train, train your employees. Believe me, this may cost you money, but it will be a factor less than if your security is breached. Just think about the damage to your brand if you are compromised.

Emphasis mine.

We (in IT) do a good job of defining security strategy, risk and plans for dealing with security issues.. We are good that that. We have defined these things so well that we’ve defined ourselves into the position of always saying ‘no’…which is one of the main drivers for Shadow IT.

Even better than defining risks and planning to deal with risk, we are good at reacting once a risk has been identified. Most IT organizations are very very happy to tell you how quickly they’ll react to a danger that they find.  While something to be proud of, I’d rather we brag about how few times we’ve had to react. Or better yet…how pro-active we are in educating our organization on the issues of security.

How do we do this?  As I wrote in my “boogeyman” post, we need to:

…find ways to highlight the dangers of the boogeyman without actually making people think about the boogeyman.  We need to talk about the dangers of Shadow IT while educating our clients to the real dangers that exist using language they can understand.

How do we educate our users to the dangers that lurk in the shadows without boring them? How do we communicate our needs for security while being open to change and new platforms?

That’s the million dollar question…and I don’t know the answer. But I do have a few ideas on how to get the process started:

  • Communicate – the first step is to communicate with the organization. I don’t mean just ‘talking’ to them…I mean sitting down talking with them about the issues at hand. Talking with them about the importance of security and how you and your team can help with their current projects.
  • Consult – Rather than be relegated to being an operations arm, IT should get out into the organization and become a Technology Consulting organization. Using this approach, you can be proactive and help the rest of the organization select / implement technology rather than waiting for them to bring you a new ‘project’.  This will let you get in front of any potential security concerns..maybe 🙂
  • Embed – One of the most interesting ways to educate (and help) the organization is to embed members of your IT staff into other groups.  Whether this is a long term assignment or a short-term one, it helps get the IT group involved in other areas and helps to make people more aware of the services of IT. In addition, it makes the IT group more ‘human’ by getting your team members away from their desks/cubes and closer to the rest of the organization.

Those are just some thoughts…it not only helps with the educational aspects, but helps with collaboration as well.

Whats your thoughts?

This post sponsored by the Enterprise CIO Forum and HP.

Education – the key for Enterprise Security

This post sponsored by the Enterprise CIO Forum and HP.

You’ve spent years and millions of dollars on your IT Security systems, processes and people.

Your systems are as impenetrable as you, your team and your partners can make them.

Your processes are amazing.  They follow all the industry standards and your audits always come back 100% ‘secure’.

You and your team sleep easy at night knowing you’ve done everything you can to keep the boogeyman out.

But…in the blink of an eye — and against all odds it seems– you find a hacker sitting smack dab in the middle of your organization’s systems.

What happened?

Your systems were perfect.  Your processes were perfect. Its inconceivable that penetration could occur on your watch. Right?

Well…anyone thats been in the IT business for more than a few months knows that no system/process is perfect and there’s always risk. Our job is to mitigate risk. We’ll never be able to eliminate risk completely, but we can do our best to minimize it.

While we in IT spend many hours/days/weeks/years thinking and dealing with security issues, we rarely go outside our ‘realm’ to talk to the rest of the organization about the importance of security. Sure, we build a document / webpage describing how important security is but do we really educate the rest of the organization on what it really means to be ‘secure’?

Do we go out of our way to talk to everyone about the importance of security? Do we train people on the dangers of Social Engineering?   Have we educated ourselves on the dangers of security in the social world?

In today’s world where being ‘social’ is the new norm, social engineering is even more of a threat today than it ever has been.   With the ability to interact in real-time with people from all over the world, enterprise security has become even more at-risk than ever.

Imagine your company has a Facebook page.

Someone sends a message to your marketing intern that says “hey…this is Bill from the London office…I’ve lost access to the Facebook page…can you add me again as an administrator?”

Your intern, trying to be helpful…and knowing full-well who “Bill” is and that he is supposed to have access to the Facebook page, immediately responds with and adds “Bill” to the Facebook page.

Ten minutes later, the intern tries to access the Facebook page but no longer has access.   He contacts “Bill” via company email and finds out that he is on vacation for the next month.

Looks like your Facebook page just got taken over.

This is a pretty simple example but one that can easily happen. A hacker targets an organization and finds a way in….it doesn’t take much to do this.  Sure, in this example, the hacker isn’t “inside” but they do have access to a very important piece of your organization’s marketing platform.

Social engineer

Christian Verstraete recently wrote a post titled Keeping Cloud in mind when you look at your security where he wrote:

As our world is getting increasingly integrated, and as social media is used by enterprises to reach their customers and prospects, we need to train our people to ensure they are watchful for social engineering. According to Wikipedia Social engineering, in the context of security, is understood to mean the “art of manipulating people into performing actions or divulging confidential information.” While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the attacker never comes face-to-face with the victim

Emphasis mine.

Social Engineering comes in all forms. Email, Instant Message, Social Networking, Phone and in-person.  Have you ever found someone walking around the hallways of your organization without proper ID or notification of their arrival? I have….and its unsettling to know that they could have found an open computer and starting plugging away at your systems.

Security policies will always help with all approaches hackers take…if those hackers take on the IT group head-on, but rarely do hackers hit the IT systems head-on.

Jim Harris points to a a book titled Social Engineering: The Art of Human Hacking (amazon affiliate link) by Christoper Hadnagy as an example of what people are doing in the Social Engineering space.  Jim quotes Hadnagy as saying:

“While software companies are learning how to strengthen their programs,” Hadnagy explained, “hackers and malicious social engineers are turning to the weakest part of the infrastructure — the people.  The motivation is all about return on investment.  No self-respecting hacker is going to spend 100 hours to get the same results from a simple attack that takes one hour, or less.

Emphasis mine.

No amount of money or technology will stop social engineering. It can slow things down for sure. But…education will go just as far (or further) to help put the brakes on social engineering attacks.

Christian Verstraete finishes up his post by writing:

Pro-actively define your security strategy. Decide what an acceptable risk level is. Choose and implement tools and procedures accordingly and train, train, train your employees. Believe me, this may cost you money, but it will be a factor less than if your security is breached. Just think about the damage to your brand if you are compromised.

Emphasis mine.

Train your employees. Not just the IT employees…but everyone. Teach them what Social Engineering means. Teach them that just because someone asks for something, it doesn’t mean they should get it.  Finally…one of the best methods to combat Social Engineering attacks is to teach your people these three words: Trust but Verify.

That intern in the above story…he could have trusted ‘Bill” but a quick email to “Bill’s” work email address would have easily stopped the Facebook attack.

Educate everyone in the organization to Trust but Verify.  Education is expensive but should be looked at as another line-item toward securing the organization.  You’ve spent millions on the technology…spend a little bit more to educate your people.

Image Credit: the no-wall door By ghirson on Flickr

This post sponsored by the Enterprise CIO Forum and HP.

Can Twitter Sentiment be used to generate buy / sell signals?

This is a cross-post from TradeTheSentiment.com

Before we get started…its VERY easy to look back and say “yes…that would have been a buy signal”.  If the market worked with hindsight, we’d all be millionaires.

For this approach, I’m going to use the thought that the masses are ‘wrong’.  That is…when Sentiment gets extremely bearish or bullish, I’m going to go the opposite direction.  If Extremely Bearish, I’m going Long. If Extremely Bullish, I’m going to short.

Finding the “extreme” is going to be a very subjective approach. For the purposes of this study, I will use the Daily Bear / Bull Sentiment chart. When the sentiment spikes over a  2.0 (a level of 2.0 on the Bear / Bull chart means the sentiment is twice as bearish as bullish), I will go long.

For this study, I apply this strategy to the S&P 500 ETF – SPY.

The entry criteria:

  • An “extreme” is found in the Bear / Bull Daily Sentiment Chart. This is defined as any reading over 2.0.
  • Long only. When an an extreme is found, I’m going to go Long the underlying stock at Market Open the next day. All orders will be entered as “market at open” orders.
  • # of Shares = 500.
  • Commissions = Not included.
  • Slippage=10 cents (included on entry and exit)
  • Stop = $2 (trailing) (e.g., if entry is at $140.00, the stop is at $138.00 and it moves up as price moves up).
  • If I am still in the trade upon a new extreme, no action is taken.
  • Timeframe: Nov 1 2011 to Sept 18 2012

SPY

Peaks are found on the following days (review  signals above the red horizontal line in the bottom pane of the chart)

  • Jan 9 2012
  • March 19 2012
  • April 16 2012
  • June 4 2012
  • August 12 2012
  • August 24 2012
  • August 26 2012
  • August 27 2012
  • Sept 4 2012

With the above dates of extremes in mind, let’s take a look at how an investment strategy using these peaks would do.

Trade #1

Extreme on Jan 9. On Jan 10, go long 500 shares at Market Open.  SPY opened at 129.39. With slippage,  Order is filled at 129.49.  Stop set at 127.49.

Trade lasts 13 days and closes on Jan 27 when Trailing stop is hit for a Gain of +$1.56 per share or 1.20% return on investment.

Trade #2

Extreme on March 19. On March 20 2012, go long 500 shares at Market Open. SPY opened at $140.05. With slippage, Order is filled at $140.15. Stop set at 138.15.

Trade lasts 7 days and closes on March 28 when Trailing stop is hit for a Loss of $0.51 per share or a total return of -0.39% return on investment.

Trade #3

Extreme on April 16. On April 17 2012, go long 500 shares at Market Open. SPY opened at $137.94. With slippage, Order is filled at $137.94. Stop set at 135.94.

Trade lasts 5 days and closes on April 23 when Trailing stop is hit for a Loss of $1.41 per share or a total return of-1.09% return on investment.

Trade #4

Extreme on June 4. On June 5 2012, go long 500 shares at Market Open. SPY opened at $127.85. With slippage, Order is filled at $127.95. Stop set at 125.95.

Trade lasts 4 days and closes on June 8 when Trailing stop is hit for a Gain of $3.42 per share or a total return of 2.64% return on investment.

Trade #5

Extreme on August 12. On August 13 2012, go long 500  shares at Market Open. SPY opened at $140.70. With slippage, Order is filled at $140.80. Stop set at 138.80.

Trade hasn’t closed yet as stop hasn’t been hit.  As of Sept 18, SPY closing price is $146.49. Stop is at $144.94. Current Gain of $4.14 per share or 3.2% return on investment.

No additional Trades taken since Trade #5 is still active.

Outcome of Strategy

5 trades, 5.56% return over 8 months.

In the same timeframe, the SPY ETF, if you were to buy 500 shares of SPY on Jan 10 (the date of the first trade) at the same price of my purchase @ 129.49 and hold them without a stop you’d have a gain of $17.13 per share for a 13.23% return.  That said…you would have also seen a pullback to below your entry point (low of 126.48 on June 4 2012). Would you have stayed in that trade if it had gone against you $3?

Now…I’m not a “buy-and-hold” person. Too much stress. If I can make 5 trades with an average hold time of 11 days and pull out 5.56%, I’d be pretty happy.

That said…if I changed my trailing stop from $2 to $5…the outcome would have been different.   With a trailing stop of $5, this approach would have made 3 trades for a total gain of $25.15 or 19.42% return and an average of 39 days per trade.  Not bad, eh?

Now…this is by no means “proof” that sentiment can be used as a buy signal.  During this uptrending market, I could probably have picked any day at random and run this same analysis and got similar results. But…you can say that about any strategy, no?

Note: For those who point out that commissions aren’t included in this calculation, please note that a $50 charge for commissions ($10 per trade round-trip) will not significantly alter the outcome of this strategy.

In the next few days/weeks I plan to share more of these ‘applications’…stay tuned.

If you want to keep up with more of my market related topics, jump over to my Market focused blog at TradeTheSentiment.com.

This is a cross-post from TradeTheSentiment.com