The Brandeis GPS blog

Insights on online learning, tips for finding balance, and news and updates from Brandeis GPS

Month: October 2018

Information Security has the perfect mindset to facilitate decision-support red teaming

By Joseph Dalessandro

October is National Cyber Awareness Month, and we’ll be spotlighting cybersecurity content on the blog all month long.

We hear the term “red team” liberally used these days, applied in the security space for both force-on-force scenario testing (subverting hardened facilities and assets) and in the information security space, primarily referring to “white hat” hacking to assess security posture for systems, devices, network perimeters and web applications.

A “red teamer” in the decision support or strategic space is formally trained and uses critical thinking tools and techniques to provoke analysis, stress test strategies, plans and perspectives. At the heart of this work is the modeling or reframing of the problem space from the adversaries perspective.  Red teamers and Security Pros are by nature contrarians, and it is this contrarian mindset we want to capitalize on.

While cybersecurity “red teaming” as penetration testing is vital to an organization’s testing of its security and data protection posture, it has a narrow scope. However, everyone these days in this space wants to refer to his or her work as red teaming. The practice of decision support red teaming is the area that I am submitting an organization can immediately benefit from and are not currently employing. This is an area where your security team can add value by adopting the tools and techniques to facilitate red teaming. Information security professionals are diverse thinkers and often “see” across the entire enterprise. Equipping them with red team tools and techniques can enhance their value in guiding the organization to make better decisions.

Red teaming and the value of a premortem

So how do we do it?  How do we immediately capitalize on our existing stance as contrarians to serve as strategic red teamers? There are a number of available tools such as the U.S.Army’s Applied Critical Thinking Handbook, and Bryce Hoffman’s Red Teaming. We start with, most importantly, is buy-in and genuine support from the top of the organization, and the admission that we will trust our decision to conduct red team analysis and we will be true to the results. There are a number of short tools to use to try this, one of the most straightforward is to have your security staff conduct a premortem on your most important security project for the upcoming year.

The basic approach of the premortem is to visualize, prospectively, about the project failing and using this to illuminate the cause(s) of the failure.  This is not a risk assessment. We are not speculating on what could harm our project, we are identifying what actually caused the failure. This is pathology; we are engaged in diagnosis, not prognosis. Supplies needed are easy to acquire, you will need paper or index cards and pens/pencils and a white board or projector.

  • The leader (security staff facilitator) level sets with the group by reading out the summary from the business case or a summarized version of the project. The leader tells everybody that they should assume that their team, the project team, has made the decision to go forward and that the project has gone forward and has concluded. We are in the future now, a year into the future, and the project has been an utter failure. It has crashed and burned with no redeeming outcome or benefit.
  • Exercise: Each player (project team member) takes the paper in front of him/her and writes a brief narrative or cause of the failure. Take 5 minutes and work in silence.
  • The facilitator collects the paper or cards and generates a list of all the points on a whiteboard or projector. The facilitator can now work with the group to solicit further failure ideas, inspired by the list.
  • Engage in a game to further determine the top five causes for the failure. [A practical note here: if you conduct a premortem and determine a set of failures that are agreed universally by the group as being actual failures, you have a fundamental problem with your project. Stop it immediately and take a step back and rethink the plan.]

Red teaming is best conducted with as diverse a group as possible, and often times those who have had the least to do with the project plan formation can provide insights into points of failure. As you look to expand your tool set in the future, a master’s degree in security leadership can help engender this contrarian mindset and improve the value of security in your organization.

Joseph (Joe) Dalessandro is the program chair of the Information Security Leadership program at Brandeis University Graduate Professional Studies, and the Head of Security & Technology Audit and Audit Data Analytics, Australian Unity.

Brandeis GPS offers a Master’s of Science in Information Security Leadership. The part-time, fully online program prepares graduates for leadership roles in information security with a cutting-edge, industry relevant curriculum that builds leadership savvy and skill in leveraging technical know-how. For more information, contact gps@brandeis.edu, call 781-736-8787 or visit www.brandeis.edu/gps

Image source: LeadX.org

Meet our newest GPS faculty members

The first week of the October session is here and we are excited to introduce the newest Brandeis GPS faculty members. These industry leaders come to Brandeis GPS with expertise and established networks within their fields. We have no doubt that the knowledge and experience they bring will provide for meaningful learning opportunities in the online classroom.

Garrett Gillin – RDMD 110: Principals of Search Engine Marketing

Garret Gillin Headshot

Garrett Gillin, MBA, is a co-founder and Principal at 215 Marketing, a Google Premier Partner agency located in Philadelphia, PA, where he oversees the development and execution of integrated digital marketing initiatives with a concentration on programmatic advertising, marketing automation, and advanced analytics.

David Bauer – RSAN 190: Project Management for Analytics

David Bauer, MBA, PMP, is an Infrastructure and Operations Project Manager for Utica National Insurance Group where he works on a team of IT professionals on projects including cloud migrations, database & server operations, and infrastructure lifecycle upgrades. He received his MBA from Syracuse University at the Whitman School of Management. David also served for 15 years on active duty in the U.S. Air Force where he held roles in project and program management from squadron level to the headquarters level. He also has experience in the defense contracting industry where he worked for a cyber security defense contractor as a program manager.

Todd Chapin – RUCD 185: Design for Non-screen User Experiences

Todd Chapin HeadshotTodd Chapin is a co-founder and Chief Product Officer at ShopClerk.ai. He has experience in product management and UX, as well as expertise in personal mobility, speech recognition, and e-commerce. He has worked at Zipcar, Audible, and Nuance Communications. He has graduate and undergraduate degrees in Human Factors Engineering from Tufts University.

Ernest Green – RSAN 160: Predictive Analytics

Ernest Green Headshot

Ernest Green MS, MBA, PMP, is Vice President of Data Mining at a large financial institution in Dallas, TX. Prior to this role, he worked as a Data Scientist with General Motors and has 10+ years of diverse analytics experience. He holds multiple college degrees and most recently completed a Master’s in Predictive Analytics from Northwestern University. His research and expertise are in analytics, machine learning, natural language processing and artificial intelligence.

We are so pleased to welcome these new faculty members to Brandeis GPS and look forward to seeing how they bring their expertise to their online classrooms.

Faces of GPS is an occasional series that profiles Brandeis University Graduate Professional Studies students, faculty and staff. Find more Faces of GPS stories here.

How to recruit and manage the best cybersecurity candidates

By Joseph Dalessandro

October is National Cyber Awareness Month, and we’ll be spotlighting cybersecurity content on the blog all month long.

People management is one of the hardest and most rewarding experiences of one’s working life. With the advent of the “gig” economy, I am curious how we are faring in hiring in the cybersecurity space.

Cybersecurity hiring has been universally difficult for some time. It’s not that there is a lack of quality candidates. The issue is that we are missing each other. This is due in large part to the “traditional” hiring approach that many mangers adopt when they have open roles. They head to HR, or pick up the phone and call HR, and ask HR to find them candidates.

This happened to an acquaintance of mine not too long ago. He was looking for a junior information security analyst: a basic role that requires entry-level experience. He received more than 600 resumes, and realized that solid candidates were getting lost in a sea of unqualified applicants who know security is hot and want in.

If you are a manager in security, it’s time to change your hiring paradigm. To find a better applicant pool, cast your net more efficiently and do the following immediately:

  1. Use your network. Get into your network and spend some time talking to your peers.  Learn how to recruit and get out and start recruiting. If you have people in your network that would be perfect, call them. If they do not want to move, find out if they have contacts looking for work.  Ask your peers where they are finding hires. Share information on candidates, someone who is not a good team fit for you may be a good team fit for a peer of yours.
  2. Set the expectation up front in postings that you are different and you are serious. Include information in job postings that candidates will be tested on role skills during the first interview. Those without skills and basic security knowledge immediately fall out. This works well for junior roles. For more senior roles, make it known up front that for technicians they will need to demonstrate skills and for managers, they will need to discuss culture, training and retention.
  3. Make candidates provide a cover letter or cover email that explains how their experience aligns to the role, or provide them a platform to do this in a structured way. This will, once again, weed out those who do not align with the expectations of the role. If I need to describe in a table how my experience and skills relate directly to the role skills, I know that the manager is serious and is looking for the right candidate, and not just “looking” for candidates. Demand that candidates communicate, and get them together to be interviewed by other managers, from other non-IT departments, to interview them more objectively.
  4. Look for skills and education that shows the candidate is more than a CISSP. CISSP’s are everywhere, but show me a CISSP with a master’s degree who can write a business case or executive memo and I’ll scoop them up.

Once you build a team, you need to cultivate it. You want to develop your employees, and yes, eventually you want them to move on, to be successful in another department or another company. However, at the outset, for all your hires, you want to retain them, develop them and let them thrive.  This will also pay when you need to hire. Some of those employees will develop into their next role with you, and if you know those employees and what they want and where they want their career to go, you can help. Do a better job of knowing your current employees and how you can develop them for that next role. Look at your team for diversity, and for diversity of thought, and make sure you employ some contrarians. Diversity in thought is especially important in cybersecurity. A diverse team will be a high performing team. For roles where you have great staff but they are taking leave or need a different structure to their job, consider altering your approach and preconceptions about the traditional working day or the traditional working role rather than replacing those employees.

There are candidates for roles, but they need to be discovered. If you’re looking for a position, differentiate yourself from the masses. Why do I want to hire you? Stop memorizing port numbers and show me you know what P&L is and that you understand budgeting, or, develop your presentation skills, or, develop data analysis or data visualization skills. Or, better yet, get a master’s in security leadership and I’ll know you can handle the role.

Joseph (Joe) Dalessandro is the program chair of the Information Security Leadership program at Brandeis University Graduate Professional Studies, and the Head of Security & Technology Audit and Audit Data Analytics, Australian Unity.

Brandeis GPS offers a Master’s of Science in Information Security Leadership. The part-time, fully online program prepares graduates for leadership roles in information security with a cutting-edge, industry relevant curriculum that builds leadership savvy and skill in leveraging technical know-how. For more information, contact gps@brandeis.edu, call 781-736-8787 or visit www.brandeis.edu/gps

Image sources:

https://www.cyberdb.co/wp-content/uploads/2017/11/LinkedIn-cybersecurity.jpg

https://image-store.slidesharecdn.com/be4eaf1a-eea6-4b97-b36e-b62dfc8dcbae-original.jpeg

Protected by Akismet
Blog with WordPress

Welcome Guest | Login (Brandeis Members Only)