Art of Information Security

Random Insights on Protecting Data, Privacy, and Digital Infrastructure

Optimize Your RSA, Part 3 – Network, Network, Network…

April 20, 2009

Probably the single most significant advantage of attending a conference is that it pulls so many people with a common interest into one place and time. If the interaction amongst participants wasn’t important, then it would be very difficult to make a compelling argument for in-person attendance.

Talk to People – Join in the Conversation

In the last year, I can think of 10 times where I was able to call (or I was called by) a colleague whom I met at a past RSA. In the professional development series with Lee Kushner (link), ideas about developing, having, and being able to utilize your professional network are going to be a recurring theme. If you are attending RSA (or any large event), don’t pass on the opportunity to meet and connect with new people.

It can be Easy…

Don’t be misled into thinking you need to “work the room” to meet people at RSA. 90% of the people who will be in Moscone Center are there because Information Security is important to them, either as a practitioner or as a provider. (The other 10% are there to make sure everything runs smoothly.)

So, you will be surrounded by people who share at least that one item in common with you. Reaching out can be very easy. The people you are in line with, or waiting for a session to start with, etc. almost all do something connected to what you do. Just saying hello is all it takes.

Leverage Events

There are a number of events that can make networking even more effective. The conference itself has roundtable sessions that are 100% focused on establishing peer-to-peer communication on targeted topics. Any vendor-sponsored dinner or event also creates easy opportunities.

New to Networking? 

The RSA conference understands the value of the networking opportunity it is creating. As a result, there is a “Networking 101” session on Monday evening at 5:15, immediately following the First-Time Delegate Orientation. Each year the conference brings in someone who has professional training experience in helping people network – helping people connect. This is always a great session to attend if you have the time and are around the conference center on Monday evening.

Cheers, Erik

Categories
Analysis and Insight
Tags
Optimize Your RSA 2009, RSA 2009

AoIS Interviews Lee Kushner, Part 1

April 17, 2009

Given the current economic situation, professional development and job searching are on many people’s minds. As a result, I saw no better time to get perspective on these topics from a true industry insider.

Lee Kushner is the President of LJ Kushner and Associates, LLC, an executive search firm dedicated exclusively to the Information Security industry and its professionals.  For the past thirteen years, Lee has successfully represented Fortune 2000 companies, information security software companies, information security services organizations, and large technology firms in enabling them to locate, attract, hire, and retain top level information security talent.  Throughout his career, he has provided career management and career coaching to information security professionals at various stages of their professional development.  He is a regular speaker and industry contributor on topics that include career planning, interview preparation, and employee recruitment and retention.

Erik: With 13 years of recruiting Information Security professionals, how has your position as a recruiter changed and evolved?

Lee: When I began recruiting 13 years ago, not many people had ever heard of a recruiter who specialized in Information Security – so there was a great burden of proof on my part to demonstrate that I understood both the technology and the industry to candidates.  Information Security professionals are a skeptical bunch.  It was very important to establish credibility and earn trust, by only promising what I was able to deliver.

I believe that after 13 years, both my firm and I have established a solid reputation and credibility within the industry and among the professionals.   Most of the people that we have worked with, we have done so for quite a while, throughout their career development.    Many of those professionals have passed on their positive experiences to their peers – and our reach has expanded.

It is my hope that through the years of working in the industry we have been able to help elevate the recruitment profession and inspire a different response when people hear the terms “recruiter” or “head-hunter”.

Erik: I understand that Mike Murray and you are working on a podcasting series called “Career Incident Response”? What is that about?

Lee: Mike and I have been speaking on the topic of Career Management for quite some time at RSA Conferences, DefCon, and The Source Conference.  We came up with the idea for a “Career Incident Response” podcast series due to the fact that so many people were coming to us either because they were a victim of a layoff, felt that a layoff was imminent, or had witnessed bad things happening to their industry peers.

The Career Incident Response podcast series will be outlined like a training course.  It will provide a guideline to what people can expect – from items that include evaluating your work situation,  the personal and emotional impact of job loss, how to effectively search for a position,  how to prepare your resume, and some basic ways to address difficult interview questions.

Note: The Podcast Series is scheduled for release on or about May 15th, 2009 on  www.infosecleaders.com.  Art of Information Security will post an announcement when the release happens.

Erik: If someone is working with a recruiter, what should they be doing to get the most value out of that relationship?

Lee: I believe that the most important item is honesty, which is driven by trust.  People generally like to keep things close to the vest when they are engaged in a job search and become cryptic about things such as timetable, other opportunities, their current work situation, and compensation.  The more accurate information that a recruiter has, the better that they can help assist you.

The other thing is that people should work with recruiters that understand their profession and can provide them with something more than a job description.  It should be imperative that the recruiter has industry experience, no matter which industry you are in.

For example,  if I was a real estate attorney, I would want to work with recruiters that either placed attorneys, or ones that worked with real estate clients.

Erik: What are some signs that people are working with the wrong recruiter for them?

Lee: The biggest sign is when they do not add any value to your search process that goes beyond the current opportunity that they are working on.  Many recruiters comb job boards and social networking sites, looking for key words, without understanding how they fit in.

Information Security is not a “key word” business.  There are many different segments of our industry and it is comprised of many different skill sets.   If a recruiter cannot differentiate between these skills and how you fit, then you are probably working with the wrong one.

Erik: If you could communicate one thing to someone who is trying to manage their career, what would that be?

Lee: The one thing that I would stress would be to strive to differentiate from your peers. The industry is going to become more and more competitive, and competition for the best positions is going to increase; being able to tell that story is going to be critical to achieving your long term career goals.

Erik: In your practice, what are some of the key differentiators that you are encouraging people to pursue?

Lee: I hate to be vague, but the best thing that I can tell anyone is to make consistent investments in their career and career development.  This can include certifications, training, personal development, career coaching, etc – but investing in yourself and your career is going to be critical to differentiating from your peers and competition.

I have three rules when addressing self investment:  

  1. Any investment in your career is a good one
  2. You get what you pay for
  3. If you do not invest in yourself, do not expect anyone else to

Erik: You in fact have been working on a Career Investment and Differentiation presentation. What are some of the key points you are trying to communicate?

Lee: The key point of this concept is that it is up to you – the individual – to manage your career.  You are the one that has to seek out guidance, and plan for your future.   Do not expect your company to do it for you – you will reap the ultimate reward – so you should plan on making consistent sacrifices to attain these goals.

Erik: So, how much overlap should someone expect between their employer-driven professional development and their personal professional development?

Lee: Whatever you can gain from your employer’s personal development plan – by all means get.  However, you should understand why the employer is providing you with that stipend – it is so that it benefits them – not you.   If there is overlap – consider yourself fortunate.

Do not be tied to your employer’s career development plans – because you most likely have different plans for your career than your employer. Develop your own career plan – and understand your skill deficiencies and try to find ways to eliminate them.

Erik: So, you are really proposing that people treat their career as an asset that requires ongoing maintenance, just like their 401 (k) or home?

Lee: I believe that it is not only important to work “in” your career, but to work “on” your career.

Investing in your career and your personal development is the most important investment that you can make – because it is the one that you have the most control over.  In addition, once you learn something and develop a skill, it cannot be taken away from you (unless you decide to neglect it).

You can make very effective arguments that career acceleration produces the most effective long term financial rewards and improves the quality of your life.

Stay Tuned for Part 2 (link)

In the second part of our interview with Lee, he will discuss his recent presentation entitled “The 7 Habits of Highly Effective Career Managers”.

Cheers, Erik

Categories
AoIS Interviews Series, Professional Development
Tags
AoIS Interviews Lee Kushner

Optimize Your RSA, Part 2 – Session Tips…

April 16, 2009

There is a TON of stuff to do at RSA if you are going, and managing all of that can be quite difficult. One of the things that I find difficult to do every year is select the sessions that I am going to. There are a few tools that the conference provides to make this easier.

Let’s take a look at the Session Catalog.

See Who’s Speaking

I have my own personal list of folks who always have great presentations and really pack a lot of punch for me. But the attendance at the conference is so diverse that my list would certainly not work for everyone. The conference itself measures speaker performance. You know those forms they hand you as you walk into the session? Turns out that they use that data, and they even share it with you. When using the Session Catalog and the printed materials, you may notice a star next to some of the names. These are the folks who have had the strongest feedback during past conferences.

If this is your first RSA, it may be worth your while to ask folks who have attended in the past and who have similar interests which speakers stood out to them. If you are a member of the RSA Conference group on LinkedIn (link), you could even post a question about “Best Session for X”. (Which I have done…)

Preview The Slides

RSA has always made the slides available in advance. Usually this was on media (CD/USB) handed out at the conference. (So, “in advance” was day-before…) But now they are available for most sessions right in the Session Catalog. (Note, you need to be logged in to the site before you visit the page to see these.)

Post Session…

There is a lot of time and energy that goes into being a speaker. Please, help your speaker and the conference, and complete the evaluation forms. And, if a session clicks for you – don’t be shy – meet the speaker. Most of the speakers are presenting because they are committed to the mission and the profession. Participation and feedback are the biggest rewards any speaker can ask for from the audience – don’t hold back.

Hope this is helpful – see you in SFO.

Cheers, Erik

Categories
Analysis and Insight
Tags
Optimize Your RSA 2009, RSA 2009

Optimize Your RSA, Part 1 – Expo Management

April 13, 2009

It is one week until RSA, and now is the time to start planning to make the most of your trip. RSA has one of the largest (if not the single largest) vendor Expositions for Information Security. Every year I use this as a one-week refresher course on the products and services that are available. Frequently the class sessions are very valuable to me in terms of my long-term professional development, but (for my employer) the information I collect on the Expo floor is valuable almost immediately.

Screen Now and Benefit All Year

I am very selective about the vendors with whom I have meetings. Sure, I am missing out on free lunches, but the fact is that I don’t have endless time to meet with people. As a result I screen, and whenever possible pre-qualify, vendors. Most of the time I spend on the RSA Expo floor is spent identifying who I don’t need to meet with, and establishing whom I definitely do want to meet with in the following year.

Understand Your Organization’s or Client’s Needs!

In general you should have a good understanding of your employer or clients… Some key things to understand before heading out to the exposition:

Q: What are the emerging needs of your organization?

What are the areas of concern for your CISO, Risk Mgmt., LOB partners, or other important constituents? In the week or two leading up to RSA, I ping my CISO, key LOB partners, etc. to find out what concerns they have, what vendors have been hounding them for meetings, what alternatives they may need, etc.

Q: What products or services are subject to change?

I feel that, even for our deployed products, it is incumbent on me as a good corporate citizen to make sure those products are still competitive in the market. Information about the competition is especially important during contract renewals. No one negotiates a win-win deal without being fully informed.

Q: Who are your key partners, and what new offerings do they have?

Who are the top vendors whose products you have, and love? Make sure to take the opportunity to visit them, understand emerging features, and make sure that you are getting the most out of your existing investment.

Q: Who will your organization generally buy or not buy from?

Many organizations have firm rules about the types of organizations they will purchase from; know what these are. My experience is that if a product is truly compelling, there is always a way for purchasing to see that and make a deal happen. But if you sense a weak offering from a company that is going to be a hard sell to your organization, save time for both you and the vendor – tell them, and move on.

Be There Monday Night

Monday evening at RSA, the Expo opens to Delegates only. Fewer people on the Expo floor, booth staff who are not yet burned out, and free food make this the ideal Expo floor time.

Arrange Key Visits In Advance

As I already mentioned, I try to pre-qualify vendor meetings. There are folks whom I know that I need to be meeting with (established relationships, emerging solutions, emerging risk needs, etc.) and there are a number of folks I know I don’t want to waste time on (lack of compelling product story, people who wasted my time in the past, etc.), but there are also a number of folks in the gray area in between.

From November on, I start asking folks in the gray area if they are going to have an Expo presence at RSA. If they are, I ask them to follow up with me before the show with a booth # and contact name. After I arrive on-site and have the conference book in hand, I add to the list. I avoid setting up specific times, because with everything that happens at the show my schedule is too dynamic.

For each of these “quick meet and greets”, I prep one of my business cards in advance. I have the booth #, contact name, and subject clue on the back of the card. If my contact isn’t at the booth, I leave the card. When you in fact follow up, you build credibility and relationship, even if there is no service-to-need synergy at this time.

Be Quick and Targeted

If the printed information, name, etc. on the booth catches my eye, I stop for a quick visit. I try to get the facts quickly, in 3-6 min. The secret is to not be afraid to ask tough questions quickly (but politely), such as:

  • What’s compelling about your offering?
  • Who is your primary competition?
  • Do you have hard data, or a case study you can forward to me?
  • Do you have reference accounts for the use cases that are most important to my organization?
  • What industry analysis (Gartner, Burton, etc.) has been published on this space? Was your product included?

Be Specific About Follow-up

If I have an immediate need, I ask for contact info and I initiate the follow-up before I leave the show. If I am interested in follow-up for the long term, the next budget cycle, etc., then I usually ask for follow-up later in the year (e.g. Q3/4). Q2 is always a very busy time for me and the people around me, so I try to defer long-term information and knowledge capture until later in the year.

Hope this is helpful – see you in SFO.

Cheers, Erik

Categories
Analysis and Insight
Tags
Optimize Your RSA 2009, RSA 2009, Vendor Management

Max the Identity & Access Management in Your RSA 2009…

March 25, 2009

If you are attending the Pre-Conference 1-day Tutorial, Building an Enterprise-Strength Identity & Access Management Architecture, that Dan Houser and I are co-teaching at RSA 2009, please take a moment to drop me a note (using the “Contact Erik” link from the site). This year’s class is going to be much smaller than last year and should allow for more interaction. As a result, I would like to take the opportunity to maximize the value of that increased interaction, and knowing what topics are top-of-mind for participants in advance will help.

If you are attending RSA 2009, and plan to be in San Francisco all day on Monday, take a look at the available Pre-Conference 1-day Tutorials (RSA has added a number, and there are many to choose from). There is an additional fee for these Tutorials, but based on the feedback from last year’s class, it was worth it.

Neither Dan nor I work for a vendor or supplier in the space. We both work for Fortune 500 corporations that have real-world Identity and Access Management challenges (with real-world obstacles). If you are a LinkedIn member, my profile (link) has some endorsements related to this class, as well as other presentations.

Cheers, Erik

Categories
Identity Management, News and Info
Tags
Identity & Access Management, IdM, RSA 2009
