
Nobody is a Qualified Infosec Practitioner

I read the same tweetstorm everyone else did about what you have to have to be an infosec professional. My $0.10 is simple: every time someone says you aren't a true // capable // professional Infosec practitioner, remember they weren't born like that either. They ignore their past and its learned ascent, and view the world of Infosec through the bias of their position, their history, and their employer's threat model.

And remember, many of these supposed supermen usually work at the behest of the US Federal Govt, so all their brilliant life choices mean this is the third time this year they aren't getting paid. No one gets it right all the time.

All respect to the people who help and uplift and work to make us all safer while wondering how they are going to pay January and February rent. I can't begin to imagine ...

Leave Your Comfort Zone

I have recently unmuted every account I had muted on Twitter (100+). I unblocked many. I didn't unblock all, because I do have lines. I instead muted words or phrases whose use (in my searching) never amounted to a good conversation on Infosec. I chose to immerse myself in the views (via retweets) of those I disagreed with, sometimes vehemently. As seen above, we view the world from within the lens of our own experiences. We can't understand why people act a certain way // speak a certain way // vote a certain way while only looking through our lens. 

I have diversified my reading. I just finished Democrat to Deplorable by Jack Murphy. This book takes a look at how nine million people who voted for Obama twice came to vote for Trump. It's been easy to scream racist // sexist // various pejoratives designed to shut down discussion at people rather than look through their lens, but Jack lets us peer into his. It is a good look at second and third order effects, and shows us what happens when people's use of words clings to definitions long past. Literally.

Next on my list is The Handmaid's Tale. I frequently heard how this would become reality with the elevation of Kavanaugh to the Supreme Court. Reading the back cover, I can't even begin to imagine the world view, which I currently believe to be inane, in which anyone could think American politics could create such a world. I choose to delve into it because there may be ideas that deserve greater discussion and thought - assuming people are willing to have real conversations about it.


I am about to buy a game for my Nintendo Switch that I don't want, because then my nephew will have someone to play against on his newly opened Switch (which my brother wisely updated before putting it under the tree). The $60 I'm spending isn't for the game, it's for the shared experience with my nephew.

I'm fortunate this Christmas that most of my gift givers gave me things that we could use together - they gave something that was bundled with the gift of time. I have too much stuff as it is (and still need another bookshelf and a small number of other things), so the gift of time is especially welcome as I live alone.

Time is your most limited and most precious resource. Put it to good use.


I am working on an opportunity that may allow me to make a living while returning more of that most precious commodity to me - time. It is a sacrifice that puts me at odds with another potential choice for advancing my Infosec career, in a way I didn't expect. Like anyone else in this world, I have choices. Unlike many, mine are choosing between two potential betters. I acknowledge my agency in the choice, and the responsibility that goes along with it. I have already dedicated time to my projects, my education, my work, and my businesses. I have to remember to carve out time for my health, fitness, and decompression. You put on your oxygen mask before your child's, because you can't help anyone else until you take care of yourself. As true on a plane spiraling toward Armageddon as it is in your daily life. Eat healthy, work out, read, and rest. You will feel better.


Time for the cast iron pan fried ribeye, air fried garlic potatoes, steamed green beans, sautéed spinach, hot tea, and the spate of Christmas movies:

A Christmas Story

Die Hard

The Ref

Die Hard II

and Scrooged.

I hope you aren't reading this on Christmas (unless you are in an inhospitable place, in which case I hope I provided a moment's relief). If times are good, embrace it, because this moment will never come again. If they are bad, just wait; it is only a moment, and with small effort it will be gone forever soon enough.

Remember, Reginald VelJohnson's role in Die Hard gave us Family Matters. Here's to second order effects.



The arbitrary end of the calendar year approaches. This is always a good time for review.

The purpose of a review is to take stock of what you accomplished compared to what you planned to accomplish. If you've accomplished everything you've planned, then odds are you didn't press yourself enough. If you didn't accomplish everything you planned, then you need to refine your expectations or your prep work. From a work // employment standpoint, this is a chance to burnish your CV // Resume combo, even if you have no plans to switch jobs. You may consider a switch, or have one forced on you, at some point. In this case it is easier to hit the ground running if you keep your resume and CV accomplishments current. I use the accomplishments of the year to plan for my goals for the following year, and build a long term plan, so I have a focus.

As James Spader said in Stargate, the last point needed to get to a destination is a point of origin. To consistently track your journey, you need to keep looking at that point of origin to stay on course. As you hit different waypoints, that changes the point of origin for the current leg of the journey, but keep the original one in mind to maintain awareness of where you started.

My journey started when I went to school. I got my first IT job, then I got my first InfoSec job. Then I got my associate's degree, then a better job with a pay and responsibility increase, then my bachelor's. It took me time to get some certs and work my way into a top flight institutional defender position. Once there, I worked to build out professional 500 level InfoSec certs, learned new technologies, demonstrated excellence, built out a mentoring program, started speaking at Cons, started writing a blog, and started building an e-commerce website.

That is a lot of accomplishments. And it seems daunting to people new to the industry (or even veterans). Take a look at that list, and realize that it began in July 2006. I see a list of accomplishments over 12 years, and I feel I have not done enough. It takes time to build momentum. Success builds on success. And the more wind beneath your wings, the better you are at charting a course going forward.

I have three SANS certs: GCIH (504 Incident Handler), GCFE (500 Windows Forensics), and GCTI (578 Threat Intel). Planning ahead, I am taking the class and exam for the 572 Threat Hunter course in Q1 2019. Beyond that I know I need the 401 GSEC and two gold papers to press for the GSE. That will press into 2020. The past has helped inform my direction as an institutional defender, and I need to shore up my certifications to be able to demonstrate that. This is good from a job standpoint, and for having a skillset that lets me press for more training and leadership // directional decisions for my institution.

I need to get the website fully secured and both Android and iOS apps built for the site by the end of summer 2019. The site is almost done, but the infrastructure still needs to be built. I've done most of the legwork, and Humble Bundle and No Starch have helped provide resources. The ultimate goal is to build income that is as near passive as possible, as a resource to eliminate debt, build more of a nest egg, provide a safety net, and build independence.

I need to get the CISSP, for reasons both obvious and personal. I need to slot time in to do that, and the study should start in 2019, even if the exam is in 2020. Whatever direction I go, it both shows an excellence HR departments understand, and it provides flexibility to be on either the policy or technical side of the house.

I need to press for my Master's. To do that I need to take the GMAT in summer 2019, expecting school won't start until January 2020 at the earliest. And I need to decide between an MBA, a Master's in IT, or a combination program. Once again, the credential matters, as there may be opportunities for leadership at my institution, and I need to further separate myself from my cohorts, though I expect taking on the role would come with their support.

I need to start outlining both of my books. I plan to write a fiction book and a non-fiction book on Infosec. Sometimes all you have to do is sit down and write. But it will collapse without structure. My desire is to put something out there that will help future institutional defenders start and build a career.

I think of where I started, and how the successes built on each other to maintain a progression closer to exponential than linear. All things take time. What's important is to compound the successes over time. This won't make accomplishments easier, it will make the burden of success easier to carry.

"Progress not Perfection." Denzel Washington in The Equalizer.


The concept of trust is a foundational one in InfoSec. You give a user access, you expect that access to be used in the designated way. You give an accountant trust to dispense money in accordance with, and only for, the business need. You give your kids the car keys or let them stay home alone, trusting to get the car back in one piece and the house clean of party remnants. If a user misuses the system, the accountant embezzles money, or the kids damage the car or house, privileges (or jobs) can be revoked.

Thus the concept of forced trust. You want a job with the Federal government? You are filling out very detailed forms, and you have no choice but to turn over that data. Your employer has to have your W-2 information for payroll. You want to stay connected with your family? That may mean you need a Facebook account. Even with all the privacy settings, the data gets slurped, in ways you may realize, but most don't.

To be a part of the world, in so many ways you are forced to trust entities that have already, maybe even repeatedly, proven they aren't worthy of that trust.

Every major hotel chain (Marriott 2018, Hilton 2017, Hyatt 2015, Starwood 2015).

Online retailers.

Brick and mortar retailers.

Sure, there's a fix. Never submit identifying information. Only use cash. Drive older cars. Only use prepaid cellular, and only turn it on and call from the same place.

How practical is any of that? Even monks in monasteries are online. So what can you or anyone do?

Humble Bundle prompted this. The good news is that only those with a Humble subscription, not regular users, are affected. And the reports show the adversaries got e-mail addresses, and that those e-mails were tied to subscriptions. These can be leveraged for phishing attacks, or spam from other game services.

I purchase the monthly bundle on occasion. My protections for this and other online retail are fairly simple. Anything that isn't primary to my life is tied to a secondary e-mail account, and a secondary account for my money. I move money in to pay, and I'll happily take the monthly account fee to not have a minimum balance. A low-limit credit card fits this bill nicely. Any compromise will send spam and phishing to the secondary e-mail account. If something goes horribly wrong, it's easy to burn that account and spin up a new one. Password managers prevent reuse attacks. And if something slips through the e-mail provider's BS detector, I know not to click the link and instead log in at the site directly. Any reputable service will have alert notices clearly visible right after login. I know people who use less common browsers (e.g. Opera) for transactions on banking and healthcare sites, knowing those browsers are less likely to be targeted for exploitation on those sites. Obscurity is not security, but obscurity can augment security.

We live in a world where forced trust is constantly betrayed. Even if Facebook is broken in half, other services will fill the void. They too will betray you (whether or not members of their board Lean In). The best anyone can do is understand their personal threat model: what do they have that would hurt when lost, and how can they reduce the risk of that loss, or in the modern world prepare to continue on when that loss happens. We are in the Matrix, there's no more getting out. There is simply dealing with the world as it is.

"You lost today, kid. That doesn't mean you have to like it."

-Man who gave Indiana Jones his hat.