You Want to Get Into Security?
A short and simple eBook about getting a job, keeping a job, and staying healthy as you progress in your career as an information security professional. Authored by Evan Francen, CEO and Founder of FRSecure.
For those of you who don’t know me, my name is Evan Francen. I’m not a big deal. I’m an information security guy who really cares about people. That’s it, right? Isn’t information security all about people? If nobody suffered from the loss of information security, would anybody really care? The fact is, people do suffer. People lose money. People lose jobs. People pay more for goods and services. People even die. Seems dramatic, but it’s truth.
Enough of that for now. Why did I write this short eBook? I wrote it because I wanted to help people navigate their way into the information security industry, navigate their way through the information security industry, and stay healthy while they do it. There’s no other motive here. I just want to help, and I hope someone finds it here.
Over the years, 25ish or so, I’ve worked with hundreds (maybe thousands) of other information security professionals. I’ve hired some and I’ve fired some. I’ve been blessed by working with some really awesome people, and I’ve been cursed by working with some real dickheads. Mostly joy, but also some regrets.
Arguably my three favorite professional things to do are:
- Growing talent. Hiring someone at one professional level and helping them grow to new levels. This is often a thankless job, meaning you rarely get a “thank you” in return for your efforts. One reason is because they sometimes leave to take other jobs that are at a much higher professional level, often without realizing any role you played in helping them get there. You need to be comfortable with that. The comfort and satisfaction comes from knowing that they left better off than when they came.
- Mentoring. A mentor shares what he/she knows, speaks from their own experiences, and bestows whatever wisdom they have. The greatest challenge in mentoring is that there’s never enough time.
- Teaching. It’s pure joy to help someone learn a new skill and enter into a new exciting career. This was the original plan for the FRSecure CISSP Mentor Program. What started with six students in 2010 has grown to more than 350 students each year.
So, what does all this mean to you? I want to help you grow. I want to offer whatever mentoring/wisdom I can through my writing to you. I want to teach you some of the things you should know. That’s it.
Most of the content in this book was originally written and posted on my blog: https://evanfrancen.com. Some of the content was also borrowed from my first published book: Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry? (See: Amazon)
There are five short chapters, each dedicated to a specific topic about working in the information security industry:
- Chapter 1 – Abundance of Opportunity
- Chapter 2 – The Right Person
- Chapter 3 – Landing Your First Job
- Chapter 4 – Becoming Good
- Chapter 5 – Staying Healthy
Hope you enjoy. Keep in mind that there is no single authoritative advice about getting and keeping a job in the information security industry. The advice given in this book is my advice, because it’s the best advice I have for you.
Chapter 1 – Abundance of Opportunity
First, a little background.
1992. That was the year I started my career in information security. We didn’t really call it information security back then, but it’s (mostly) what it was. There didn’t seem to be much specialization then. Most of us just did what had to be done to keep the business running. Certifications weren’t very popular yet, and there wasn’t a call for security-certified personnel. The first Microsoft Certified Systems Engineers (MCSEs) were named in 1993, and so were the first Certified Information Systems Security Professionals (CISSPs). The information security industry was just starting to become a mainstream thing.
Today the information security industry is still young and relatively immature. This is especially true when we compare it with other service-related industries. For instance, the American Institute of Certified Public Accountants (AICPA) traces its roots back to 1887, and the American Bar Association was founded in 1878.
The information security industry is also complex. With each passing day, the industry seems to grow in its complexity, which is sad because I’m a firm believer that complexity is the enemy of security. The complexity leads to confusion. In fact, confusion reigns. It reigns despite the fact that some among us are too proud to admit it. The confusion creates chaos, and out of the chaos comes opportunity. Opportunities for investors, security product peddlers, consulting companies, and many others.
One opportunity in particular, and the one that we’re most interested in here, is the abundance of well-paying jobs. Like, lots of jobs.
Information security professionals, people like me, are in very high demand. Jobs are everywhere (for certain disciplines), the money is good, and future employment prospects are sky-high. A very frequent question that I get is, “How can I get an information security job?” I could just tell you what I think, but I would be remiss if I didn’t put things into context for you.
Before you start enrolling in classes, updating your resume, and applying for jobs, you should know more about what you could be getting yourself into. One central theme throughout this book is to slow down. Don’t rush things.
Abundance of Opportunity
When some people hear the word “opportunity”, they rush head on. They’ll rush without even knowing what the opportunity is. If you’re considering a new career in information security, or a career change, you should know more about the opportunities. If I were you, I’d be asking a few questions first.
How much opportunity is there?
Do some research! Wait a second. Did you want me to do this for you?!
Fine. Here’s what I’ve found.
There’s a consensus that the information security industry is very talent poor, meaning that we’re hurting for more information security professionals. There are thousands of information security positions open right now. In fact, Cyber Seek estimates that there are 315,735 open positions in the United States alone. Here are some additional details about our talent shortage:
- The information security unemployment rate is 0% and has been since 2011. – This bodes well for job seekers, a little less well for employers.
- There’s predicted to be 3.5 million open information security positions by the year 2021. – Great job security.
- The information security profession is growing at a rate of 36.5 percent through 2022 (Source: U.S. News and World Report)
Seems like there are plenty of job openings, so that shouldn’t be a problem. Basic supply and demand would indicate that the pay must be pretty good then. It is.
- A Chief Information Security Officer (CISO)* is the second-highest paying tech-related job (Lead Software Security Engineer is first).
- The salary range for a typical CISO is between $175,000 to $275,000.
- Large organizations, in regulated industries, located in big cities generally pay the most for a CISO, as much as $380,000 to $420,000 annually.
- The average annual pay across all information security roles is $96,185.
*NOTE: The CISO position is the top of the corporate ladder for information security professionals. Two things to think about. First, you may choose a path of specialization in our industry and never become a CISO. This is not necessarily a career-limiting decision. There are non-CISOs that I know personally who have a tremendous impact and make more salary than the range cited above. Second, it takes a while (or should) to become a CISO. If you’re newly employed in this industry, it may take you more than 10 years to earn such a role. Keyword is “earn”. Please don’t take a role that you haven’t earned. Doing so hurts your career, your employer, and the rest of us in this industry. Wishful thinking…
Here’s another thing that I’ve learned about jobs in our industry, job titles matter. Not only do titles matter, there are a ton of them to choose from. In 2015, Lenny Zeltser identified 822 variations of information security job titles. This is probably a function of the industry’s immaturity and complexity. The job title you target or obtain will likely matter though. According to Nate Swanner at Dice.com, “If you want a decent cyber security salary, presenting yourself as an ‘engineer’ is your best bet: It’s a title that tends to pay on the higher end of the tech pro salary spectrum.”
If salary is your thing, there’s another factor to consider. Location. Some metro areas have a higher demand for security talent and some metro areas have a higher cost of living. Two important factors to consider. The metro areas with the highest paying information security jobs are Charlotte, North Carolina, Chicago, Illinois, and San Francisco, California.
The graphic below is taken from the Cyber Seek website, and it shows the talent demand on a state-by-state basis.
To summarize, there are opportunities just about everywhere. More experience will mean more pay. Physical location and job titles should be taken into consideration too because certain locations and certain titles might mean more opportunity and/or salary.
If you have no experience, you might not have much choice in job title, location or pay. You will probably have to take what you can get. The information that I’ve presented to you thus far should be considered as you decide what path you’ll take in your information security career journey. It’s exciting to be someone who’s just starting out because you’ll have so many options along the way!
What’s the starting salary, and can I afford it?
This will depend on some additional factors such as how much (if any) experience you have, your education level, the type of organization that you choose to work for, and the industry your potential employer operates within. In general, the entry-level salary range is $38,000 – $68,000 for someone with no experience and without a degree. That’s a wide range because there is a wide range of different opportunities available.
The entry-level salary range for someone who has a few security skills (but not much) and a Bachelor’s degree is $49,214 – $92,285, with a median of $65,338. Again, this is a wide range for the same reason that I cited previously. If you have more experience and/or education, you might expect more salary.
Now that you know more about the abundance of opportunity, we’ll get honest with ourselves and see if you’re the right person for the job.
Chapter 2 – The Right Person
There is plenty of opportunity in the information security industry, especially for jobs. The job market looks good far into the future.
Great, now what? There are two types of people asking this question, maybe three:
- People working in the industry who want a change.
- People not working in the industry who want to explore the possibility.
- People who don’t care one way or the other about #1 or #2.
Type 1: You might find this chapter interesting, but I’m not writing it specifically for you. You’ll find more benefit in the fourth and fifth chapters of this eBook; “Becoming Good” and “Staying Healthy”.
Type 2: This is your chapter. I’m writing this for you, giving you the best advice I can.
Type 3: You should care. You’re either missing out on a possible opportunity for you and your family, or you know someone who could use some advice. People who don’t care about things seem like miserable people to me.
There. I’ve explicitly defined the audience and set expectations. Now, let’s get on with it. Back to our question, now what?
The ‘Now What’
If you’re still reading, you must be interested in getting an information security job, or you know someone who is. The first thing you should know is what it takes to be a security person. There are common traits that good security people have. Rather than trying to build specific security skills, first focus on the traits you possess that will translate well into security roles.
Please don’t overlook these traits or take them for granted. They’re very important.
I’ll share the approach we use at FRSecure because it’s what I know best and it’s served us very well over the past 10 years.
We hire for the intangibles, the things we can’t teach. As a business, there are three things that we must establish with each one of our customers before we ever do work with them, and these three things translate directly to our Security Analysts who do all our work:
- Trust – People trust us and we must never betray their trust. Are you trustworthy? Do you consistently do what you say you’re going to do? Can people count on you? Do you put other people’s best interests above your own? (very important for consulting)
- Credibility – Directly related to trust, are you believable? Credible doesn’t mean you know everything, but it does mean that you know what you know and you’re willing to stand by your words and actions.
- Likeability – Nobody wants to work with a jerk, not co-workers and certainly not clients. Are you pleasant, friendly, and easy to like?
You must do well in these three things if you want to work here. Next comes our non-negotiable core values:
- We tell the truth.
- We are collaborative.
- We are supportive and driven to serve.
- We do whatever it takes.
- We are committed to constant improvement.
- We have balance. We work hard and play hard.
- We all buy in to who we are, what we do, and where we’re going.
The non-negotiable traits that make people a good fit here are: truth, collaboration, support, service, doing, commitment, consistency, improvement, balance, and being bought in. These aren’t traits that we negotiate on; we live up to these values always.
Other bonus traits that work:
- Humble – The best information security professionals are humble people who are willing to help others. Ego takes a back seat to building others up. If you’re full of pride and you like to feed your ego, please (for the sake of all of us) don’t become a security professional, you’ll just make everyone’s job more difficult.
- Learner – You will never learn everything there is to learn about information security, and things change very fast. If you don’t like to learn, you’re probably not going to make it far.
- Persistent – I swear I’ve said the same things a million times, and many of the things that I say today, I said 20 years ago. People are slowly getting some of the things we’ve been preaching for years. Persistence will serve you well in all sorts of problem-solving scenarios.
- Aware – Another word for this would be perceptive.
- Logical – There are reasons for just about everything. You’ll need to use logic often. Computers and other digital things are discrete, meaning everything is on or off, a one or a zero. Things can get confusing when there are millions of ones and zeros because what was black and white becomes gray. No matter, there’s logic in all of it. Human beings are a different case altogether, they’re analog.
- Moral – You must be able to discern right from wrong, always. Integrity is a very big deal, do wrong, and you could ruin your career.
- Comfortable with discomfort – Most information security experts are always in some degree of discomfort. If you can’t get comfortable being uncomfortable, you’ll be less happy in this business.
My favorite trait in a good security person is their love of people. The best information security professionals know that information security isn’t as much about information or security as it is about people. People from all walks, all faiths, all colors, all genders, etc., etc. Information security doesn’t discriminate, neither should its professionals.
If you don’t have these traits, we probably don’t want to hire you. If you do, then start researching job roles.
You read in chapter one that there were more than 800 variations of different job titles in our industry. Not to make this any more overwhelming, but there are thousands of variations of job roles and responsibilities to fit these job titles. Start researching the roles that seem interesting to you and take note of educational and skill requirements. Keep researching until you feel comfortable and convinced about where you want to take your security journey. Research entry-level positions and research expert-level positions. See if you can draw out your career path for yourself beyond landing your first security job. Just because you draw it out doesn’t mean you can’t change it later, after you know more.
Places to review information security job roles, education, and skills:
- LinkedIn – the site (or the app) has really good search filters, so you can look by experience level, location, type, and several other criteria.
- Google – Google has a nice search function, with many filtering options, built right into the search engine. Just Google “information security jobs” and you’ll see what I mean.
- Indeed.com – A solid job site with many options.
- CareerBuilder – Another pretty good site.
Bonus: A Mentor
Navigating the waters of the information security industry is always better with someone who’s been there, done that. If you know someone who’s been in the industry for a while, ask them if they’d be willing to be a mentor for you. If you don’t know anyone, ask around. If that still doesn’t yield any results, you can try other resources like your local Information Systems Security Association (ISSA) or International Information Systems Security Certification Consortium (ISC2) chapter. There are always good and helpful security pros at the chapter meetings. Another resource that I just ran across recently is MentorCruise. I’ve never used this service before, and I don’t personally know anyone who has. I can’t really recommend it, but I can’t not recommend it either. Worth checking out.
A good mentor makes a big difference. I’ve always had a mentor, and they have been invaluable to my career.
Now you know what traits are important (sort of), you know what role you want (sort of), and you know what skills you need (sort of). You won’t be certain of any of these things until you get going, if ever.
You don’t have to be a technical genius to get a security job. You don’t even need to have strong technical skills. Some people disagree with me on this, but it’s usually because we’re not saying the same thing. Let me explain.
People who are new to our industry, and even some who are already in our industry, are easily confused by the words and terms that we use. Don’t let the confusion lead to intimidation and don’t become too easily discouraged. Take the terms “information security” and “cybersecurity” for instance.
Information Security and Cybersecurity
You will encounter times when the term information security and the word cybersecurity are used interchangeably. They are two different things, and this is important to know. Information security deals with administrative (people and process), physical and technical controls (or safeguards), whereas cybersecurity only deals with technical controls. Further proof of this is the definition of the word “cyber” by itself:
relating to electronic communication networks and virtual reality.
So, when I say you don’t need to be a technical genius, I’m talking about the information security field. Cybersecurity jobs are ones where more technical acumen is required. It’s important for you to understand this. The misconception that you must be a “techie” or a “geek” to get into this industry is false and shuts the door on good people. There are many jobs in our industry that don’t require an in-depth, expert-level understanding of technology. Having said that, you will need to learn basic technical concepts.
The advice I received from my mentor when I first started out in technology (before information security was formally a thing) was to read anything and everything I could get my hands on about the subjects I was interested in. This is good advice.
My advice to you is to follow industry news, read books, take courses, and learn everything you can. Learn, learn, learn, but DON’T RUSH. Rushing yourself creates undue pressure and steals the enjoyment. Everyone has their own healthy pace. Find yours and commit to it.
Here are some resources that I use, or have used in the past. This is not an all-inclusive list, so don’t get bent out of shape if your favorite isn’t listed, OK?
Industry News Sources
- Ars Technica
- CIO (IDG Communications)
- Threat Post
- CSO Online (IDG Communications)
- Dark Reading
- The Guardian
- Homeland Security News Wire
- Infosecurity Magazine
- SC Magazine
- Security Watch/PC Mag
- Wired Magazine
- Cybercrime Magazine
- Security Week
- The Register
- Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry? (My book, of course I’d recommend this one!)
- Beginner’s Guide to Information Security: Kickstart your security career with insight from InfoSec experts
- Cybersecurity for Beginners
- Cybersecurity for Executives: A Practical Guide
- CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide
- FRSecure CISSP Mentor Program
- SANS Cyber Aces
- ICS-CERT Virtual Learning Portal (VLP)
The order you go in, and the specific path you take will be up to you. There is no one way. You’ll notice that I didn’t mention degree programs in this chapter. This doesn’t mean that I don’t believe in them. Most degree programs have job placement and job assistance services included; therefore, many of these students will get what they need to land a job. Although degree programs are good, you don’t have to have a cybersecurity or information security degree to get a job with us.
If you want to get a job in the information security industry, you can. I hope you have the right traits, and I hope you’ll help fix problems in our industry and won’t add to them. Many of us who work in this industry take our jobs very seriously and we welcome new recruits. Don’t take shortcuts, and do the right thing (always), then you’ll do great. If you run into a jerk along the way, ignore them. They’ve got personal problems that you won’t be able to solve anyway.
If you’re still with us, I think you’ve officially become a newbie. Newbie, newb, n00b, noob, nube… Embrace it, don’t fight it. It’s good to be a newb!
Good Luck! Next is Landing Your First Job.
Chapter 3 – Landing Your First Job
I must admit, it’s been a very long time since I landed my first information security job, and it’s been more than 10 years since I’ve hunted for any job at all. This means that my advice will come from somebody who hires more than it will as someone who’s looking for a job. I think the advice is still valid, but you can judge for yourself.
My first information security job came in the early 1990s. I had the pleasure of cleaning boot sector viruses off thousands of Windows 3.0 and 3.1 computers. Back then, information security wasn’t really a thing like it is today. Even though there are more information security jobs today than there were then, I think it’s harder to get jobs now for some reason. Probably unrealistic expectations. Anyway, it’s not easy for most people to land their first information security job.
In this chapter I’ll give you some tips that I hope will help you get your first information security job.
Getting a job is like finding a girlfriend or boyfriend on a matchmaking site. People post a profile of themselves and all the things they’re looking for in a mate. Then there are other people who also post a profile, but they’re more active in looking for a date. These people browse profiles, sometimes for hours, looking for the right person to contact. In our analogy, the first person is the company or recruiter, and the second person is the one looking for a job.
The first objective is to get a date with someone. The ultimate objective is to go steady or enter into a committed relationship. Dates are interviews and going steady is landing the job.
A match isn’t likely to happen if either party has unrealistic expectations. Not all jobs are like an exceptionally attractive European noble with billions of dollars and a love for puppies. You might want a unicorn job, and the hiring organization might want a unicorn to work for them, but these things are extremely rare for someone who’s new to this industry. Keep your expectations in check.
The matchmaking analogy applies best to using job sites like Google, Indeed, Monster and others. As we’ll see, this is only one way you can go about finding a date, and it might not be the best.
Getting a date
When you’re trying to get a date, you don’t want a date with just anyone, do you? Hopefully not. We want to find the right person, the right job. Hopefully, you’ve done some research and prepared yourself for the job market as we outlined in our previous chapter. If you did the research, you’ve probably found some good job sites.
Where to find dates
There are many ways and places to land a date, and there are many places you can go to try to find an interview. Depending upon your specific circumstances and your specific preferences, choose the right path or paths for you. Here are ways people find us at FRSecure and where we might find you too:
Internships aren’t for everyone because they don’t usually pay well, if at all. Internships come in all forms. Some are paid, some are not, some require experience, some do not. Paid internships can be a challenge to find, but they’re out there. Unpaid internships are a little easier to find. A simple Google search for “where to find information security internships” will produce many leads for you; however, the best way to find an internship is through someone you know. Ask around.
Most large organizations with security teams and information security companies offer internships. Contact them directly and inquire. This will give you more control and might land you an opportunity with a company you like more.
Using a job site is fast and easy. It should be included in your strategy, but I caution against using job sites as your sole source for dates/interviews. These are some of the job sites you might want to check out:
- Google – Google integrated with ZipRecruiter in 2017 and produces pretty good results. Just type a job title and the word “jobs” into Google search.
- LinkedIn Jobs – There are plenty of jobs and some good job seeking advice on LinkedIn. You will probably want to use LinkedIn for yourself anyway as you build your career; it’s a well-known and heavily used networking tool.
- Indeed – A clean, quality job site.
- Monster – A job site that has been around for a long time (1994). It’s still a quality site, even though it’s not as dominant as it used to be.
- ZipRecruiter – A very popular job site, and probably one of the fastest growing.
- CareerBuilder – A popular job site, but not one of my favorites. I have no objective reason for this site not being one of my favorites, though; it just isn’t.
These are the major job sites that I know of. Whatever site(s) you use, be sure to document what jobs you’ve applied to and keep track of any/all responses. It probably doesn’t reflect very well if you apply to the same job multiple times through multiple sites.
Networking is difficult for some people because they don’t feel confident or comfortable in groups or crowds. I get it. I’m one of those people. Go to local information security events, meetups, chapter meetings, etc. to meet new people. You can network with anybody, and they don’t have to be security people. If you get good at networking, you’ll find that most people know a security person that they can put you in touch with. Getting referrals or door openers is a differentiator that could work in your favor.
Mentors are great for many things; helping you land a job is just one of those things. Mentors will help you prep for interviews and offer wisdom throughout your career too. Everyone should have a mentor, no matter where you’re at in your career. My mentor and I met in 1995. He was my boss when I worked for Jasc Software (known for Paint Shop Pro). We’ve both moved on in our careers, but we still have a standing coffee meeting every Friday, and his support has been instrumental in my success.
Finding a mentor isn’t easy. You’ll have to take a risk and ask someone, and they might say no. A mentor could be a teacher you had in school, a boss you admire (like my mentor), a friend you respect, a family member, someone from church, or anyone in between. I suggest that you write down the names of five to ten people you respect and admire, then go ask them if they’d be willing to be your mentor. If you strike out, do some online searches for mentorship programs. They come and go all the time.
Once you feel you’re ready, be sure to return the favor by becoming a mentor for someone else.
Local Community Events
There are groups of information security people meeting all over the place, all the time. Chances are very good that there are information security groups meeting regularly in your area. These are great places to meet and learn from other information security professionals. Building relationships with others will create a wonderful support group for yourself and open doors to all sorts of opportunities, including jobs.
Where I live, in Minneapolis, there are more than fifteen information security-related groups that meet regularly. This means that I could conceivably attend fifteen or more events every month and meet hundreds of other security professionals. Pure gold!
A simple search on meetup.com will probably produce some good leads for you. The Information Systems Security Association (ISSA) has local chapters all over the world, and they welcome new visitors. Other organizations that have local chapters all over the United States (and maybe the world) include the Information Systems Audit and Control Association (ISACA), InfraGard, and the International Information Systems Security Certification Consortium (ISC2). Check them out; it’s worth it.
Prep for Dating
Alright, hopefully you’ve got some good leads now. You have a solid resume, right? If you don’t, get one.
Need help? Start with a sample resume. You can ask for one from a friend or see if you like one of these free online samples:
- Sample resume for an information security specialist
- Information Technology (IT) Sample Resume
- Information Security Analyst Job Cover Letter and Resume
- Cyber and Information Security Resume Example and Tips – ZipJob
- Cyber Security Specialist CV Template
Now you need to plug your information into the sample/template resume. If you don’t have any experience, you might not have much to put down. Don’t let that discourage you. There are companies who put a high price on intangibles. Take where I work, for example: we always hire for the intangibles first. Intangibles are the things that align with our core values, which were covered previously in chapter two.
Think we’re the only company who does this? Think again. Just last week (2/21/19) I had the honor of moderating a panel of amazing female security experts for an AnitaB.org event at the University of Minnesota. AnitaB.org is a great organization supporting women in technology. One of the questions for the panel was “What skill sets would you look for in your team?” Each of the panelists gave their answer, but none of the answers had anything to do with technology skills. All the answers were about the intangibles! Good validation for what we already knew.
Fill your resume with information about you, focusing on how you will help your employer. Include your community work (if you have any) and be sure to list these groups you’ve been attending (see above). I used to customize my resume for each job that I applied for. This would ensure that my tangible and intangible skills would align perfectly with what they were looking for.
Additional tips for writing a good resume can be found online:
- How to Create an Awesome Cybersecurity Resume
- Writing a Cybersecurity Resume: The Do’s and Don’ts You Need to Know
- Information security resume do’s and don’ts
Above all, be sure that the resume is true to who you are. We want a company to like you for you.
Your Best Face
Alright, you got a date?! Oh crap. You got a date!
You want to be you, but you also want to be a good fit for the culture of the organization. If you haven’t already, now’s the time to do some research. Find out everything you can about the organization and about their culture. Find out how they dress, because you don’t want to overdress or underdress for the interview. Find out what they believe in, because you’ll want to validate and compliment their mission. Find out about their successes, because you’ll want to acknowledge them and verbalize your commitment to helping them get more similar successes.
Put the address for the interview into a mapping application days before your interview. Figure out your route and how long it will take you to get there. If you don’t feel comfortable with the drive, make the drive yourself a day or two before your interview.
Get to the interview at least 15 minutes early.
Eat something reasonable before you go to the interview. Pee before you get there.
The best advice I can give you in preparing for an interview is to be you. Don’t try to BS or be somebody you’re not. The person you’re interviewing with will probably see through your ruse, and if they don’t, you can’t feel good about starting your relationship being somebody you’re not.
Making a Commitment
You had an interview or two, or twenty. Now you get an actual job offer! Somebody wants to go steady. Yay you! Now you need to make a choice: do you take it or not? This is gut check time. My suggestion is to not take any job that you can’t commit to for at least two years, and ideally five years. Ask yourself if you could see yourself with this organization for two years or more. If the answer is no, I would say no to the offer. This takes a certain amount of discipline, and your circumstances may not permit any choosiness. Most people would take the offer anyway.
The reason why I suggest staying with an organization for two years or more is because it validates your intangibles. It shows that you take commitment seriously, you are loyal, and you understand that you can’t rush experience.
You may decide to negotiate your offer, but if you’re new to the industry, you probably don’t have much to negotiate with. I’d advise against much, if any negotiation.
CONGRATS on the offer and the new job (hopefully)!
Getting your first job in this industry isn’t as easy as some people think. You need to work at it and you need to be creative. Make friends, make connections, and earn a good reputation. Take a pragmatic and formal approach to the process, after all, you are working for you!
Now that you landed your first information security job, how are you going to become a good (and ever-improving) information security expert?
BONUS: What is an “expert” anyway? This was a question that Brad Nigh (co-host of the UNSECURITY Podcast) asked me during our recording of episode 16 (available 2/25/19).
Chapter 4 – Becoming Good
Let’s assume that you’re progressing through things in order, and maybe you’ve landed your first job! Your first gig! Good for you!
If you’re like most* of us, you’re going to progress in your career. Some will progress because it’s just the natural thing as a function of time and opportunity. Some will progress because they deserve it, maybe they’re damn good at what they do!
It’s one thing to be an information security professional, it’s an entirely different thing to be a good information security professional. I say “professional” because we get paid, and I also use it as a generic term to apply to all the various types of jobs we do in this industry. Here’s a small sampling:
- Chief Information Security Officer
- Chief Risk Officer
- Penetration Tester
- Security Researcher
- IT Security Engineer
- Information Assurance Analyst
- Security Systems Administrator
- Senior IT Security Consultant
Every position in our industry plays a specific role in an organization and comes with specific responsibilities. The specific responsibilities may not be documented (different issue), but that doesn’t mean they don’t exist. They exist, and they’re not the same from position to position. Each role in information security requires the mastery of certain skills.
Are skills all it takes to be “good” though? The answer is NO. There’s more to it than that. Read on.
*NOTE – I use the word “most” because it’s generic. This means there are exceptions. Some (the leftovers from most) people have no desire to take on additional responsibilities in their career, they’re content right where they are. Perhaps they’ve reached the top, maybe they’re just OK with their place in the middle, or at the bottom somewhere. If you haven’t reached your potential, it’s sad to leave so much more untapped potential.
Not Good? – You’re A Problem
When you’re not good at your job, there’s a good chance someone else, or many someone else’s, pay the price to compensate for your lack of goodness. Sure, information security is about managing risk, not eliminating it, but your lack of “good” leads to poor risk management, and that costs someone something.
You see, information security isn’t as much about information or security as it is about people. It’s always been about people and it will always be about people. The more you and I suck at our jobs, the more people suffer for it. Sure, we can’t eliminate suffering, but we can do the best we can to make it less likely and less impactful*. If nobody suffered, there wouldn’t ever be a need for what we do.
The less good you are, the more people will suffer (in general).
*Does “less likely” and “less impactful” ring a bell? That’s risk: the likelihood of something bad happening and the impact if it did. That’s the layman’s definition of risk. If you’ve been around long enough, you can think of dozens, even hundreds of examples where bad advice was given, an organization suffered for it, and through that, customers also suffered (eventually). If you haven’t been around long enough, here’s a quick example off the top of my head:
You advise an organization to buy a SIEM solution because monitoring and alerting is a good thing to do. They spend $100K+ on the SIEM and struggle over the next 6-12 months to get it working right (operationally). Great. Meanwhile, they don’t patch and they have no asset inventory. Two questions then: 1) was SIEM the best place to spend the $100K+, meaning was it the most significant risk, and 2) how effective do you think the SIEM is going to be when the company doesn’t even know what assets they need to protect?
Was there more harm done than good? The devil’s in the details, but yes. There was more harm than good. Money is a limited resource and constraint; therefore, it must be spent wisely. The money spent on SIEM should have been better spent on the organization’s most significant risk(s), not on a technology because it’s “a good thing to do”. The most significant risk still exists, and customers are still more likely to suffer for it.
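As an added worked example (mine, not the author’s, and not a real assessment), here is the reasoning above put into numbers: score each risk as likelihood times impact, the layman’s definition given a few lines up, then rank candidate spending by risk reduction per dollar, treating a control whose prerequisite is missing as delivering nothing. The risk register, the scores, the costs and the 1-5 scales are all constructed for illustration; the book prescribes no particular scoring model.

```python
"""Rank candidate security spending by risk reduction per dollar.

Added illustration of the SIEM reasoning above. The risks, scores and costs
are constructed for this example, and the 1-5 scales are an assumption, not
a method the book prescribes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale

    def score(self) -> int:
        # The layman's definition: likelihood of something bad times its impact.
        return self.likelihood * self.impact


@dataclass
class Treatment:
    name: str
    cost_usd: int
    new_likelihood: dict   # risk name -> likelihood once this control is working
    requires: tuple = ()   # controls that must already exist for it to deliver


def risk_reduction(risks, treatment, in_place=frozenset()):
    """Score points removed by `treatment`, given the controls already in place.

    A control whose prerequisite is missing delivers nothing: a SIEM cannot
    alert on assets nobody knows exist.
    """
    if not set(treatment.requires) <= set(in_place):
        return 0
    by_name = {r.name: r for r in risks}
    reduction = 0
    for risk_name, new_l in treatment.new_likelihood.items():
        r = by_name[risk_name]
        after = min(r.likelihood, new_l) * r.impact  # a control never raises risk
        reduction += r.score() - after
    return reduction


def rank_treatments(risks, treatments, in_place=frozenset()):
    """Return (name, reduction, cost_usd) tuples, best reduction per dollar first.

    Controls already in place are left out of the ranking.
    """
    rows = [
        (t.name, risk_reduction(risks, t, in_place), t.cost_usd)
        for t in treatments
        if t.name not in in_place
    ]
    return sorted(rows, key=lambda row: row[1] / row[2], reverse=True)


# Constructed register for the scenario in the text: no patching, no asset
# inventory, and a $100K+ SIEM on the table.
RISKS = [
    Risk("Unpatched system exploited", likelihood=5, impact=4),
    Risk("Unknown asset compromised", likelihood=4, impact=4),
    Risk("Intrusion goes undetected", likelihood=4, impact=3),
]

TREATMENTS = [
    Treatment("Asset inventory", 15_000, {"Unknown asset compromised": 2}),
    Treatment("Patch management", 40_000, {"Unpatched system exploited": 2}),
    Treatment("SIEM", 100_000, {"Intrusion goes undetected": 2},
              requires=("Asset inventory",)),
]

if __name__ == "__main__":
    for name, reduction, cost in rank_treatments(RISKS, TREATMENTS):
        print(f"{name:18} removes {reduction:2} risk points for ${cost:,}")
    print("Once an asset inventory exists:")
    for name, reduction, cost in rank_treatments(RISKS, TREATMENTS, {"Asset inventory"}):
        print(f"{name:18} removes {reduction:2} risk points for ${cost:,}")
```

With nothing in place the SIEM ranks last because its prerequisite is missing, so it buys zero reduction no matter how much it costs; once an inventory exists it earns a real (if still modest) place in the ranking. The point is not the specific numbers, which are made up, but that “a good thing to do” has to be compared against the other things the same money could fix.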
Simplified example, but you get the gist. Well-intentioned security professionals aren’t aware of the harm they cause sometimes, and this might be most obvious in the rapid growth of consulting.
We see them all the time, and they come in all shapes. Some are good people with great intentions to make a difference. Some consultants are people a little less virtuous, wanting to make as much money as possible, regardless of who they help or harm. Both types of consultants can be dangerous if they’re not good. That’s the truth.
Read some books, passed some tests, bought a laptop, and setup a Web site. You are now an information security consultant! You’re smart. You have the best intentions. You’re likeable, and you’re inexpensive. You’re ready to advise organizations on what they should do to secure their livelihoods, right?
Mmmm. Maybe, but God I hope not.
There’s more to being good than that. It takes more than skills and more than good intentions. More than reading books, and more than passing tests. Smart helps, but there’s still something missing.
If you’re going to be a consultant, get good first. Please.
It’s easy to convince someone who’s more ignorant than yourself that you’re an expert. Use buzzwords, look confident, talk fast, and you’re well on your way. But you’re not good (yet).
- Good consultants don’t need buzzwords, they can explain things in plain English so that others can learn and apply concepts.
- Good consultants are confident when they’re doing what they’re good at. A good consultant will admit when they’re not good at something, but they usually know someone who is.
- Good consultants talk at the pace of their audience. They’re not only good information security professionals, they’re also good communicators.
I could write all day about good versus bad consultants, but I’ve probably gone too far already.
What about you? Are you already good? We’ll see. Let’s explore how to get good!
How to Get Good
One more thing before we dig in. Are you a sports person? If you are, you’ll get this a little better than those who aren’t. In sports (depending on the sport), there are players, coaches, and player/coaches. Players perform on the field, or behind the keyboard, or wherever the game is being played. Coaches mentor, teach, lead, and prepare their players for the game. Player/coaches do both; they’re typically really good coaches, but they don’t play as much as they used to.
I say these things because I’m a player/coach. I don’t play nearly as much or as well as I used to. It’s important for you to know that as you consider my advice.
I assume you’re here because you want to get good. So, what does it take to be a good information security professional, or good at anything really? Like most things in information security, the concept is simple, but the application is hard. There are three simple ingredients: intangibles, education, and experience. Anything else is icing on the cake.
These things (or ingredients) are in the Unsecurity book, they were in a recent tweet (above), and they’re also here.
Consistent message from me because it’s truth.
Words of caution…
It’s important that you don’t rush things. There’s enough stress in most information security jobs, and I highly recommend that you refrain from adding the stress of trying to outperform yourself. Take your time, keep moving forward, don’t take shortcuts, and you’ll be fine. I know there’s lots of opportunity out there, and I know there’s a ton of money to be made, but my best advice is DON’T RUSH. The opportunity and money will come, and you’ll be healthier for it, if you do things the right way.
Intangibles
You might recall that I also covered intangibles in a previous chapter (The Right Person). Intangibles are things that can’t be taught. You either have them or you don’t. There are moral intangibles, like the ones covered in the previous chapter, and there are gifts (sometimes called natural talent).
Some people are just gifted for certain things while others are not. Do what you can to find your gifts or strengths early and often. The sooner you understand what you’re gifted for, the sooner you’ll find what you’ve been built for. The information security field is broad enough to accommodate a wide variety of gifts, so don’t fret about that.
Get honest with yourself and discover what you’ve been built for, but how?
I don’t think that there is any one way that works best for everyone. Meditation works great for some, but not others. Faith works well for some, but not others. Therapy and/or counseling works well for some, but not others. I’ll share what works for me, but let me remind you that you may not get the same results. I find my honesty and gifts through faith, and I found good value in a book called StrengthsFinder. My faith provided a foundation, while StrengthsFinder led me to what I’m naturally good at.
Find what your gifts are and keep seeking. No matter how good you get at knowing yourself and your gifts, you’ll still need to engage in some old-fashioned trial and error. You will learn what you’re gifted for over time (if you focus on it), but you’ll need to find the courage to act.
Education
I include skills with, or under, education. There are millions of opportunities to educate yourself. Some people prefer a formal college degree, some don’t. Some people prefer certifications, some don’t. Some like books, some like instructor-led courses, some prefer video. Whatever method of education works best for you, do it. Then keep doing it. You will never learn everything there is to know. Learning is awesome. DON’T EVER STOP LEARNING.
If you stop learning, you die. At least your career does.
Find the learning resources that work best for you. If you recall, I shared some learning resources in a previous chapter too.
One learning opportunity that I invite you to personally is the FRSecure CISSP Mentor Program. It’s free, and it’s a great opportunity to learn (and share).
Experience
This is the one ingredient that I see new information security professionals struggle with the most. It’s because this is the one ingredient that takes the most patience. People who de-emphasize the value of experience are some of the most dangerous information security people in our industry. Without experience, we lack the street smarts to know how things will really (or actually) work. Education and skills will teach us how to do stuff, but we won’t learn all the circumstances, context, and oops’ unless we’ve done it before (or been with/witnessed someone else who did).
The experience catch-22. You need experience to do something (or progress in your career), but the only way you’ll get experience is by doing the something. The experience catch-22 sucks, doesn’t it? Here are some suggestions to overcome:
- You might need a mentor to take you under his/her wings a little.
- Sometimes we have to take calculated risks, like doing something that we’ve never done before, but doing it in a way that will be calculated and not reckless.
- Hate to admit it, but sometimes we (hopefully slightly) fake it until we make it too. I never advocate lying, so be honest. Just don’t be afraid to try something you haven’t tried before, and try doing it with a little confidence.
Combatting the experience catch-22 isn’t easy, but you can find your way over it (or around it) if you’re focused and determined.
Wrapping This Up
That’s it. Want to get good? Focus on you. Work on what you’re gifted at, get educated, get out there and take your lumps in the real-world. If you lack experience in something that you need experience in, go get the experience, even if it means a different job. At the end of the day, you work for you (ahead of your company).
Whatever you do, don’t ever try to be someone you’re not. You will fail, and you will fail those who believed in you.
We’ll wrap up the book in our next chapter, Staying Healthy.
Chapter 5 – Staying Healthy
Caveat: This is where I’m a hypocrite. I will give advice that I don’t follow myself. The (sad) fact is I’ve established habits (some good and some bad) over the years that have become very ingrained into the way I do things. Throughout this chapter I will share more about my experiences because it’s what I know best. From these experiences, I will offer advice that you can take or leave. If you can follow the advice in this chapter, you’ll be healthier.
So many of us are passionate about what we do. We love information security, we love helping people, and we can easily take things too seriously if we’re not careful.
I’ll speak for myself here for a second. I love my job, I love the people I work with every day, and I love the people I get to serve. All this love makes my job not a job. Sounds great, doesn’t it? Sure. It would be, if I didn’t need sleep, or friends, or family, or exercise, or everything else that makes for a healthy lifestyle. If I were left to my own devices, you would find me dead behind a keyboard, doing what I’m always doing… work.
Thank God I’m not left to my own devices. I’ve got loving support and accountability, both of which are important to health and longevity. These things have served me well so far as I’ve survived more than 25 years in this industry. It’s not that I’m completely unhealthy, I’m just not as healthy as I should be.
Obviously, I don’t know everyone in our industry, but I can’t help thinking that I’m not all that unique. I think many of us work more hours than we should. I think many of us don’t exercise enough. I think many of us don’t eat as well as we should. I think most of us could use a little more sleep. Fine, but is this a problem?
Our jobs come with stress. I don’t think we know whether it’s more stress than other jobs, but I’m not all that concerned about other jobs. I’m concerned about information security jobs. Here’s some recent news and studies about our stress and health:
CISOs appear to be stressed.
CISO Burnout is Real, Survey Finds – Based on interviews with 408 CISOs around the world. 1 in 4 CISOs suffer from physical or mental health issues due to stress. A little less than 1 in 5 turn to alcohol or medication. More than half have trouble turning off work, meaning they’re not able to completely disconnect from work to focus on other things, healthy things.
It’s not just CISOs either. I think all security professionals struggle with stress.
- Advanced persistent stress: Why security pros need rituals – “advanced persistent stress, refers to the human beings who must manage the internal stress of being under constant cyber attack, including advanced persistent threats”
- Stress, bad workplace cultures are still driving security folk to drink
- Talks at BlackHat last year (2018) included titles like “Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community” and “Holding on for Tonight: Addiction in Infosec”.
The stress isn’t even isolated to information security professionals. Even the non-professionals are feeling it.
- Cybersecurity’s insidious new threat: workforce stress
- Employees suffering higher levels of ‘cyber stress’ in workplace
- According to a report authored by Kaspersky (The State of Cyber-Stress), “the majority of adults – 81 percent of Americans and 72 percent of Canadians – admit that the news of data breaches has caused them stress.”
OK, so it looks like there’s plenty of stress to go around, and I don’t think it’s going to get better anytime soon. Two things would be sad to see, two things that I’m hoping you and I will avoid:
- Burning out or leaving our industry because of its unhealthy effects.
- Sticking it out, not living a life of joy, then retiring in mental or physical pain.
If there’s anything I can do to help you to avoid these things, I’m committed to that!
Sometimes, working as an information security professional is a lonely job. We get so focused in the tasks and challenges we face some days. The tasks and challenges can start to become a part of who we are.
I don’t know about you, but sometimes it’s difficult to pull myself out of the work that I’m doing and get back into other parts of my life. When I get home some days (or nights) and I need to unwind, I don’t know where to share my thoughts or feelings for/from the day. If I do share, I feel like the person I’m sharing with doesn’t understand what it’s really like.
I wonder if other information security professionals feel the same way.
Family
The best support structure we have in our lives is our family. I’m convinced of this. Invest your time, energy, and soul into your family relationships, starting with your spouse/partner, and then your children, if you have them. No matter what you may think, family must come first. In return, you will likely get support beyond anything you deserve.
Note to those who don’t have a family or those with unhealthy family relationships. I have an extra amount of respect for you because I think your road is a little (or a lot) more difficult, and I admire your strength.
I’m not a family or marriage counselor. I only write from my own experiences on this matter. Without the support of my wife and my family, I wouldn’t be close to where I am today. My wife is my greatest cheerleader, and she makes the stresses of my job melt away (on most days).
I can’t overemphasize the importance of family support.
Mentors
Here’s mention of a mentor again. I’ve mentioned mentorship in at least three of the chapters in this book. Mentors are helpful in so many ways, and getting one is well worth your investment of time and energy. I suggest you find one.
Associations and Trade Groups
Advice from someone who has been there before comes with credibility like no other advice can. There’s something that feels good about being with your own kind too. People in good information security associations (or chapters of associations) are a valuable asset and support structure for you as you rise through the ranks. Initially, you may consume more than you give, but in time the tides will shift and it will be your time to give.
Here’s a list of information security associations from Cybersecurity Ventures. Try a couple groups out, if you don’t feel like you’re getting the support you need, try a different one.
Co-workers and Friends
My experiences have varied with confiding in co-workers and friends, and in seeking advice from them about my career. Mileage varies, and the advice falls somewhere between healthy and destructive. Sharing things with co-workers can sometimes lead to gossip and political crap that makes things worse (at least for someone). Friends sometimes just want to have fun, and will have trouble relating to my work life. Use discernment here.
No matter how tough or how cool you think you are, you need support. Everyone does. The earlier you set up your support structure, the better.
Supporting us doesn’t mean cheering us on and making us feel better all the time. The right type of support comes from someone who loves us. It comes from someone who wants what’s best for us. If someone really supports you, or loves you, they’ll always tell you the truth. Sometimes the truth doesn’t feel good, and neither does accountability.
Find support that will tell you the truth and hold you accountable. For me, this starts with my wife. I also have amazing management teams at FRSecure and SecurityStudio who won’t let me stray too far off the path.
Balance
Personally, this is my hardest fight. I am not a person who understands balance very well, if at all. You see, I have an addictive personality. People with addictive personalities struggle with finding balance more than other people do. This was part of what I was alluding to when I mentioned earlier that I would work myself into the grave if I was left to my own devices. I am a work addict, and that’s not good. I have my other addictions too, which just complicates matters. This is another reason why a healthy support structure (or system) is critical.
Why is balance so important, if it’s not obvious?
There are (at least) two truths here:
- Everything in our lives requires some semblance of balance, otherwise everything falls apart.
- Everyone has a different balance, so be careful thinking what works for someone else will work for you.
Balance in your life between family, friends, work, play, etc. is healthy. The sooner you find your balance, the better off you will be. Make adjustments here and there, change your schedule until you get it right. Use your support structure to help you along the way.
The fact that your balance isn’t the same as someone else’s balance should come as no surprise to you. Some people are in balance working 40 hours a week, some are in balance working 60. Some people are in balance when they spend entire weekends with their family, while others work some on weekends. Be careful judging others, and be careful not to think that their balance should be yours. Your balance is your balance.
Find balance and stick to it. Don’t let someone else, even your job, disrupt your balance.
Healthy Habits
Healthy habits do wonders for how you feel and perform. Your mood, your relationships, and your work all benefit greatly. Maintaining your health is important for life, let alone for your job performance and career longevity. For me this is also hard; it’s hard to find time for church, exercise, and rest. Between work, family, friends, and everything else in life, I don’t have any hours left in my week.
There are people who can live a balanced life, accomplish much, and still create the necessary margin to focus on their health. These people are to be admired and emulated to some extent, just not copied. You and I should create margin and make healthy living part of our lives too.
Spiritual Health
I rely on my faith every day. The name Jesus offends some people, and I’m certainly not out to offend anyone. I’m here to tell you the truth though. Jesus is the CEO of our business, and He has been since the beginning. Without faith, I think I’d be lost. There’s a long story here, but for now, just know that my faith is critical to my sanity and any of the success I enjoy (it’s a gift). When the day has gone to crap and I don’t know where to turn, I can turn to Jesus.
Now you know my faith, but there are many faiths in this world. People who have faith in something or someone larger than themselves, have something special. Genuine faith has a tendency to bring strength beyond your own, peace beyond your understanding, and courage to face battles you never thought possible. Faith also brings you into a family of other believers of the same faith, whatever faith it is you believe in. So, an added benefit to faith often includes a new support group.
Don’t neglect your spiritual health. If you have, make margin and find it (maybe again).
Physical Health
There are two parts to physical health, diet and exercise. Diet trumps exercise. If you don’t eat well, exercise won’t really matter as much. Slow down, eat healthy. If you need help eating healthy, get help.
Many, or most of us work in an office environment where we sit at a desk all day. This, without the countering effects of physical exercise, comes with some very negative consequences. According to the Mayo Clinic, the consequences “include obesity and a cluster of conditions — increased blood pressure, high blood sugar, excess body fat around the waist and abnormal cholesterol levels — that make up metabolic syndrome. Too much sitting overall and prolonged periods of sitting also seem to increase the risk of death from cardiovascular disease and cancer.”
Sounds pretty serious. There’s good news though. One study of more than one million people found that an hour to an hour and a half of moderately intense physical activity per day can counter the effects of too much sitting. That’s great, but this is another 60+ minutes that we have to find. More balance, and more margin.
If you have the option of working at a standing desk, this will help with the sitting problem. The point is that you and I need exercise to live a healthy life.
Mental Health
Mental health often comes with a stigma, and that’s very sad. This one hit close to home for me last year, when we lost someone dear to us. His suicide cast a dark cloud on all of us, and we still struggle with it sometimes. He was a good guy with so many good traits and gobs of untapped potential. On the outside, nobody could have guessed there was anything wrong. On the inside, he must have been living a hell that few of us will ever know. We will miss him, and we’ll always live with this feeling that we could have helped if only we would have known.
Here’s the deal. Mental health issues can be complex, and there is no stigma. Even if there were a stigma, who gives a crap?
If you struggle with any mental health issue, there’s a whole army of people who will run to your side and fight alongside you, for you.
If you’re not suffering with any mental health issues yourself, recognize that there are people in your circle who are. Invest in your relationships and get to know the people in your circle. When you see an opportunity to help someone, help someone. Give them love.
Don’t neglect mental health issues. They don’t just go away, and you don’t just buck up. Mental health issues can be treated, but only with treatment. If you’re struggling with your own mental health issues, please get help!
Work
Work can be healthy or it can be unhealthy. The decision is up to you.
People falsely believe that they work for someone else, when the truth is that you work for you. You make the decision on what your profession will be, where you will work, and who you will work for. Your employer doesn’t do that. If you feel trapped, get yourself out.
I’ve witnessed two ways that work has negatively affected health in employees. One is stress and the other is a toxic work environment. You can do everything right to live a healthy life, but if your work is killing you, it’s killing you. It doesn’t matter what else you do, if you drink poison, you’re going to die.
Stress
The number one unhealthy factor at work for security professionals is stress. Our jobs already come with inherent stress. It’s just the nature of our work. Like I stated earlier, it’s hard to say whether we actually live with more stress than other people, regardless of how it feels. It’s hard to say if our jobs come with any more stress than other peoples’ jobs, say an accountant or a janitor. It depends on the person. I know that I would absolutely stress out if I had to do accounting or clean some of the things janitors do.
I can’t help but wonder how much stress is caused by the person who’s stressed or by a person’s ability to cope with it.
Stressful situations affect different people in different ways. What makes one person stressed out can have little or no effect on others. It doesn’t mean that there’s something wrong with one person, it just means that they’re different people. If you’re stressed at work, don’t let it continue. Look for the source and talk to someone about it. If you find the source, and it’s addressable, address it. If you can’t find the source, or can’t find relief, give serious consideration to getting out of the environment you’re in and finding a new job or a new profession.
Maybe the environment you work in doesn’t jibe with you. Maybe the culture is counter to what you believe in; even if it’s not overtly expressed, you can feel it. Maybe you’re not made for the job you do. Maybe this career isn’t the right career for you. Nobody will know the answers like you can. Tap into your support structure for help. Living through a long career, laden with stress, will take its toll on you and your family, and I don’t think it’s worth it.
Pro tip: Slow down.
Toxic Work Environment
Studies have shown that working in a toxic environment will negatively affect your mental health. I had a job like this once. Thank God I was able to leave after ten months, even though it felt like an eternity. These were ten of the hardest months of my life, and I wasn’t the only one who noticed. My wife could tell that I was depressed and she knew the source. I’m grateful that I had good support and other options. You can have these things too, with good support, a little creativity, and some work.
If you can’t change the toxic work environment you’re in (and you probably can’t), then leave. Staying, even for a boatload of money, isn’t worth it. Especially when you consider that many of us possess skills that are in high demand elsewhere.
The information security industry is like no other, but it’s a great industry. Sure, it’s a broken industry, but it will become more functional over time. Despite our brokenness, this is a wonderful industry filled with AMAZING people. The good people in our industry are my brothers and sisters. We fight every day to make the world a little better than it was the day before. I’m grateful for the men and women in this industry.
If you want to get into this industry, do it. If you’ve got the intangibles, we welcome you with open arms. I hope you found use in this book, and I’d love to hear your thoughts. Comment below or use the contact page to get in touch.
My best wishes for you on your journey! I hope our paths cross and we get to work on something together in the future.
About the Author
Evan Francen is the current CEO and Founder of FRSecure, a leading information security consulting company based in Minnesota. In 2017, he also founded SecurityStudio, a software-as-a-service (SaaS) company dedicated to building a community of information security practitioners who speak the same security language. He co-invented S2SCORE, S2ME, S2VENDOR, and the FACT System. FRSecure often serves as the incubator for new services and creation of new tools; SecurityStudio makes the services and tools available to customers, partners, and even competitors.
Evan is also the published author of UNSECURITY: Information security is failing. Breaches are epidemic. How can we fix this broken industry? He takes his more than 25 years of “practical” information security experience and focuses on a very ambitious mission: fix the broken industry.
Other highlights of Evan’s career (thus far) include:
- Founded FRSecure in 2008, an expert-level information security consulting company with more than 1,000 clients across the United States.
- Founded SecurityStudio in 2017, a software as a service (SaaS) company dedicated to building a community of information security practitioners who speak the same “security language”.
- Developed and leads the FRSecure CISSP® Mentor Program. The Mentor Program was established in 2010 with six (6) students and has grown to more than 350 students in 2018.
- Prior to establishing FRSecure, Evan spent more than 15 years as a leading information security professional and corporate leader in both private and public companies.
- Advised legal counsel in high-profile breaches including Target and Blue Cross/Blue Shield.
- 2014/2015 – Consultant to the Special Litigation Committee of the Board of Directors of Target Corporation; derivative action related to the “Target Breach”.
- 2015/2016 – Consultant to legal counsel and Blue Cross/Blue Shield related to remediation efforts (post-breach).
- Served as an expert witness in multiple federal criminal cases, mostly involving alleged stolen trade secrets by foreign nationals.
- Served 100s of companies; big (Wells Fargo, Target, US Bank, UnitedHealth, etc.) and small.
- Dozens of television and radio appearances; topics included the Target Breach, vendor risk management, artificial intelligence, and others.
- Delivered dozens of information security talks at dozens of conferences; audiences ranging from fewer than 10 to more than 1,000.
- Written more than 750 published articles about a variety of information security topics.
Evan is an “information security evangelist”, thought leader and specialist in advising Boards of Directors, legal counsel, and executive management. His keen ability to explain technical information to non-technical personnel at all levels throughout an organization, his unique sense of humor, and his “tell it like it is” demeanor get the point across and produce results for all audiences.