the security industry: how to survive becoming management bsideslv 2013 keynote

The Security IndustryHow To Survive Becoming Management

WHAT HAPPENSTO HACKERS THAT GO PRO

?

A Little Back StoryThe Personal Case Study Of Dil

An Accidental Hacker Manager

My name is Christien Rioux.

Opinions are my own, not my company’sbut they are probably right, regardless.

HI!

Understanding my recommendations requires understanding my history a bit, pardon my ego briefly.

WHO IS THIS GUY?

GROWING UP

Born in West Virginia, Raised In Maine

Nothing to do but system programming

Circa 1983, learned my first programming language: Applesoft Floating Point BASIC on the Apple ][+,

followed by 6502 assembler

Spent 4 years in high school writing a CRPGLost it in a hard drive crash

Learned valuable lesson about backing up

Father brought home display models of computers from store

SCHOOL

MIT: BS in CSPicked terrible handle, laughed out of #hack on IRC

Wrote possibly the first public stack overflow advisory for Windows

Wrote a search engine at MIT for my senior project

Graduated in 1998

Worked for a financial startupFound I loved security and left after 11 months without giving up my fingerprints to the man

GET A JOB, KID

L0pht Heavy IndustriesFirst to go full time at end of 1998

L0phtCrack, AntiSniff, Numerous advisories

Tao Of Windows Buffer Overflow, Back Orifice 2000

@stakeAlong with 20 other people, founded @stake in 2000

Acquired in 2004 by Symantec

Spun out Veracode in 2005

MAKE IT REAL

Veracode

Acquired funding and launched Veracode in 2006

Started as Chief ScientistNow also Chief Innovation Officer

Initial author of the Veracode Static Binary Analyzer

Architect for Veracode Mobile, iOS platform lead

The Effects Of TimeHow Dil Lost His Hair

T+0 YEARS

Job Title: Programmer

Publications: None

Motivation: Get a job, figure out what’s going on

Hair: Brown, Sassy, Side-Part

T+5 YEARS

Job Title: Hacker

Publications: Advisories, password auditing tools, etc.

Motivation: Get in the media as much as possible.

Hair: Unix Sysadmin

T+10 YEARS

Job Title: Security Researcher

Publications: Binary analysis software

Motivation: Do something impossible

Hair: Receding Muppet Blue

T+15 YEARS

Job Title: Chief Scientist

Publications: Mobile software analyzer, speaking, the occasional 0-day

Motivation: Improve the state of the industry

Hair: Migrating to ears/nose

YOUR FATE IS NOT SEALED

These changes are not just due to time, many are consequences of decisions we have chosen to make.

I’ve made certain choices, you will likely make completely different ones.

Only through introspection can we answer the question:

How do we build a better hacker manager?

Management was never my intention, but a consequence of valuing the implementation of my own ideas. It had to happen.

The Growth Of The Security Industry

How Time Is Shaping Us

TIMELINE

Physical Security (Since the beginning of recorded history)

Gestation Period for the Internet And Computers (1960-1980)

Computer Security Gets Real: The Morris Worm (1988)

Network Security (1990-2000)

The @stake Effect (2000-2004)

Security Architecture (2005-2010)

(Big) Data Security and Application Security (2010-Today)

OPERATIONAL MODELS

Consultancy / BoutiquePure manual servicesTech-assisted manual servicesPen Testing, Architecture review

Product SalesDeveloper/SDLCEnterprise TargetedEnd-User TargetedInfrastructure

EnterpriseSecurity DepartmentSecurity on IT TeamSecurity QA for Engineering

Software As A ServiceRecurring revenue modelFull automationOutsourced Security

How Do We Define Success?

Business v.s. Personal

BUSINESS SUCCESS FACTORS

Shareholder Value

Market Leadership

What these have in common is: accurate and frequent measurement

“You can’t improve what you can’t measure”

Stability And Predictability

HE

IGH

T O

F LI

NE

DISTANCE FROM LEFT

EXIT STRATEGY

Run Out Of MoneyAngry VCsSad foundersFire sale of everythingStart applying for dumb job

Build QuickLittle to no investmentSell earlyTime is right, get luckyTight timeframe

Long HaulLong term multiple round investmentWeathering the stormGet matureGo public or get bought

“Lifestyle Company”Long term multiple round investmentSlow drain on personal moneyRemain private, die oldGo public, die oldSurvive and transfer company through nepotism.

PERSONAL SUCCESS FACTORS

PERSONAL GOALS

What motivates you? Why are you doing this? Altruism? Money? Fame? Boredom? Ego?

Do you like your job?Where do you want to be in 5, 10, 15 years?

And once you do get some money, how are you going to not act like one of those ‘people with money’?

Getting famous sounds like a good idea but once you’re famous, it’s quite hard to turn that into money.

WHAT IS GOOD ENOUGH?

Success is different for everyone, but we tend to agree that money != happiness. As money can be an enabler for

future success, it is a reasonable goal.

I tend to think that happiness is a requirement to build wealth, as the fortitude required to grow your career

requires that you LOVE what you are doing.

What is good enough?Is there a perfect job/role/project?

SCHOOL?

Gotta get a job eventually. If you don’t want to do security for a living, feel free to skip this

section. My guess is if you’re here, you care.

If you hack all the time you will get bad grades.This is not all bad, but may have unintended consequences.

Graduate. Chances are you are not Steve Jobs or Bill Gates.

Nothing looks worse than someone who can’t finish what they started.

The Effect Of HackerCulture On Companies

Side-Effects, Intentional And Not

SKEPTICISM

Healthy“Prove to me that you’ve done some work securing that machine

before we put it out on the Internet.”

Unhealthy“Everyone has faults. It is only a matter of time before I discover

yours, and exploit it, leaving you a powerless pariah to your occupation.”

PARANOIA

Healthy“We should conduct full security reviews of the software with each

quarterly release, and automated reviews with every minor release.”

Unhealthy“I think the Sales and Marketing team have it out for the

Engineering team.”

MAKER ETHICS

IndependenceOne good engineer or security expert or consultant can make all

the difference working on his/her own.

Idea generation / IP FactoryNew product ideas come from good brainstorming and careful

attention to detail.

ENCOURAGING HACKER CULTUREGoogle Time

20% of employees time is spent on non-work projects, many of which end up benefiting Google.

Hackathons~3 day ‘hacking runs’ where all work projects are stopped and people work on non-work ideas, some work related, some not

work related and share them with the company.

Security Awareness TrainingPeople with the awareness shouldn’t be afraid to speak up. We

tend to be condescending toward the teeming clueless masses. We should at least show them how to evolve.

ROLE PROGRESSION

Individual Contributor

Project Lead

Middle Management

Executive Management

Founders, CEOs, and Board Members “oh my”

Beware The Peter Principle

The Ten Commandments Of Hacker Management

Management Survival Tips

RULE #1

Thou shalt appear presentable, approachable, and kind.

Appearance, it matters. Your first impression matters. A good manager avoids the troll-under-the-bridge

image that we tend to embrace as hacker ‘outsiders’.

RULE #2

Thou shalt be a good team leader and a good individual contributor.

Make the team better than the sum of their parts, else why are you there at all?

RULE #3

Thou shalt prioritize the team you are on, rather than the team you lead.

When forced to prioritize, you should focus on supporting the team(s) you are on. Being a leader comes second to

being a good contributor, since you should not be afraid to delegate to the best of your direct reports.

RULE #4

Thou shalt in be inclusive of many skillsets and expertise in your organization.

It takes all kinds of people. Surrounding yourself with really smart people

all the time guarantees that the ‘boring work’ will never get done.

RULE #5

Thou shalt embrace time and project management techniques.

We love to take on impossible projects that take an infinite amount of time, don’t we? Do not bite off more than you can chew. You are not invincible. Keeping your team all together with tools will keep your schedules realistic.

RULE #6

Thou shalt not depend on ‘rock stars’ and ‘hero coders’.

We love to take on impossible projects that take an infinite amount of time, don’t we? Do not bite off more than you can chew. You are not invincible. Keeping your team all together with tools will keep your schedules realistic.

RULE #7

Thou shalt embrace process.

Learn Agile, Scrum and all that other shit. Get with Kanban, learn some tools to help you with it.

Get religion around process. The best departments have a ‘single point of entry’ for communications with people outside the department.

Think ‘abstraction barrier’ not ‘silo’.

RULE #8

Thou shalt not require perfection, for it is the mortal enemy

of ‘good enough’.

Raising the bar is what our industry is all about. If you think you’re going to ‘win’ or ‘catch the bad guy’ you’re not

thinking this through. Same goes for your projects, and your interactions with your team.

Recognize ‘good enough’ when you see it.

RULE #9

Thou Shalt Trust But Verify

Give people a chance to do the right thing. Security people tend to turn into micro-managers. That doesn’t mean that work should be accepted

without review, but let people do their job, dammit!

RULE #10

Thou shalt give feedback well, and take feedback even better.

Management isn’t easy, because personalities and interpersonal relationships are hard.

It’s about giving and receiving feedback. Hackers don’t necessarily like criticism from people that don’t know their stuff.

So, know your stuff, know how to give feedback and be a good hacker manager.

THANK YOUFOR YOUR TIME, ENJOY BSIDES!