Social Engineering for the Blue Team: My Story
This is an ongoing blog series, which touches on my upcoming speaking and workshops on Social Engineering for the Blue Team. My current schedule is as follows: BSides Indy, March 20, 2018; I am an alternate at BSides Nashville April 14, 2018; and I will be doing a workshop on the topic at Converge and BSides Detroit, May 10-12, 2018. I hope to see you there.
"You're a Rockstar."
These were the words uttered to me after turning in my two-week notice at a previous place of employment. I know infosec rockstars are looked down upon in social media circles. I took this as a compliment. These were words from our CIO. He followed that up with, "Everyone seems to like you." Which I took as another compliment. Both compliments made me feel extremely good, because compliments are few and far between in our industry. That's a topic for another blog post. For this blog post the compliments started me down a path of self-discovery.
I always seemed to have a knack for getting along with others. I never knew why, though, and I definitely didn't feel like I was doing anything special. My early years of life were filled with a lot of happiness and joy. I loved school up until about the fourth grade. I was good at it, but I also had a lot of fun with my classmates. It wasn't until I moved midway through fourth grade that I started to realize the mean side of kids. We moved to New Jersey.
My dad served in the Army for 20 years. I moved a lot. I averaged two and a half years in places. Thankfully, after fourth grade we moved again. This time to Kansas. I had a much better time in Kansas. Middle school was pretty good. I had friends. I also had some enemies that used to be friends. We moved back to New Jersey for eighth grade and half of high school. These are considered some of my darkest years. I had friends, but I was also picked on. A lot.
My pants were too tight. My glasses were too big. All I wanted to do was fit in. My mom bought me baggier pants and scheduled an eye appointment to get contacts. My grades slipped in an effort to be part of the in-crowd. I moved my junior year of high school to Minnesota. I was picked on there for my baggy pants (remember JNCO jeans?). I had girl friends, but in general I found talking to the opposite sex intimidating at first. While I missed out on the academic side of school, I was learning about human interaction.
I failed a lot at human interaction. That, eventually, led to me picking up David Deangelo's Double Your Dating series. This was after a six-month period in which: my girlfriend dumped me; my roommate bailed on me and left me with paying for a two-bedroom apartment; and a captain's mast for showing up an hour late to duty. Technically, I was supposed to go to captain's mast after three write-ups. Being late was my first one and something everyone did when they only had a few weeks left at a duty station. In this case I was being made an example of by the new commanding officer. Still I had failed, because I wasn't viewed as a good sailor. Something needed to change.
Studying Deangelo's content I realized that I wasn't just learning interaction with women, but people in general. I was getting self-improvement tips and techniques. I picked up (on the recommendation of Deangelo) Feel The Fear And Do It Anyway by Dr. Susan Jeffers. This was the turning point. I started honing my soft skills. I did this for life quality reasons. After I was told I was a rockstar and people seemed to like me, I started to understand how. This was just a few years ago. Last year I read Social Engineering: The Art of Human Hacking by Chris Hadnagy and it opened my eyes to the how.
I've excelled at my roles partly due to my technical prowess, but mostly due to my ability to build strong relationships with people. I see that as the key to my success in building security programs, processes, and improving the security culture of an organization. My current role has me sitting with developers. I am successful there because of the relationships I've built. Leadership wants to hire me away from the security team. The developers are making good security decisions without my input.
We talk about the talent shortage quite a bit in our field. A lot of solutions start with improving security programs in school and mentoring juniors in our field. I think those are good solutions. It will take time for those solutions to be fully realized in our industry. I also don't have much influence there. Where I do have influence is in the better relationship realm. I think if we can interact better with other departments we can make strong improvements in security.
That's why I've put together this content. I'm really excited about the idea. I've had a lot of success with it and I think others will too. More to come.
This blog post first appeared on Exploring Information Security.