JJ’s (ISC)2 campaign- goals, objectives, and strategery

Tuesday, 15 November 2016 11:50

I’m starting to feel “strategery” should be added to the dictionary. I mean, c’mon, have you SEEN the crap Oxford and Webster are buying in to these days? Half those things aren’t even real slang words.

Here’s a slightly more serious conversation than the past couple. And mostly that’s because I’m going to pilfer my post from the Official (ISC)2 Election Forum on LinkedIn and share it here so it’s more accessible. I’m told you have to request to join the LinkedIn group and I’m not sure why that’s the process, but I’m interested in sharing wherever/however people want to consume. And, by golly, social media seems to be the platform of choice for election rants and rhetoric, at least in the U.S.

As shared at the Election Forum

To elaborate and tie together a couple of the other topics here, and to answer questions that have come in through other means (Facebook, Twitter, CISSP Elections Yahoo forum), I wanted to share some of the specific items I’d like to do/see done in the next years as a board member.

1) Finalize and solidify the processes being developed, packaging succession methodologies to make the board more effective in transitions
Some important housekeeping (read why in my last post)

Now that there are term limits, and 2017 is the first year of real effect of those, succession will be critical for momentum of new/incoming board members. I’d like to finish helping build processes for capturing meaningful notes of committee projects, outstanding tasks, goals, and milestones; add methods for tracking board effectiveness. The org takes its direction from the board, so the board needs to be efficient and effective to best serve the members. There’s a lot of un-glamorous grunt-work to be done here, and I’m ready for it.

2) Lead a framework for strategy moving forward
This is what the board should have been doing but failed to do in the past

Honestly when I ran for the board last time, I thought the underlying contributor to what I saw as the main problems was the organization’s leadership. I quickly realized it was the BOARD members (not the management) responsible for a lot of the issues (see #3 below). In addition there was no real leadership from the board in terms of strategy and direction so everyone kept doing what they had always been doing. I think the management team did a fantastic job in spite of that. It was the product of not having fresh perspectives (now resolved through term limits) and being overly paranoid about what could be shared or done with the industry and members. I think the org is at a tipping point now and 2017 will be the first year of major visible change.

Please remember the board needs strategic thinkers, not just “good security people”. Business leadership is a huge asset.

3) Continue pushing for better communication and transparency
There is some momentum but much work to be done

This is still a huge sticking point for me, and something I am embarrassed we haven’t done better with. In fact, I’m embarrassed that *I* especially couldn’t effect more change than I did so far. Unfortunately the board of past years didn’t see value in regular communication to the members, and that paranoia stopped much activity I tried to start. Also know that the chairperson has extreme power on the board. With Wim Remes as chair, transparency and communications are MUCH better and more open, but 2017 will be the first year with a very fresh board and I think it will improve drastically if we can get mechanisms everyone is comfortable with to share.

  • I’ve proposed regular live webinars with the board and/or committees so members can ask questions and the board can answer. I’d like to see that start in 2017.
  • The board started contributing blogs a couple of years ago, but certain past board members put a halt to that. I think we can resume that under the right chairperson.
  • I’d like to see members have access to more meaningful meeting notes, decision topics and talking points. In fact, others will disagree but I’d like to publish each motion and vote summary (total counts for/against/abstain). As Recording Secretary this year, I started putting more meaningful data on the official meeting minutes, which are available to members as a first step.
  • I think almost NO votes should happen by secret ballot unless there is a specific need. Secret ballot was how the board spun its wheels for YEARS trying to get things like term limits passed. Members should care, because that wastes YOUR time and money.

4) Expanding the board nominations pool

The organization was made successful by a small group of people who took an idea and fed it with blood, sweat and tears through decades. A lot of the housekeeping and processes get lost in favor of more time-sensitive or impactful decisions, but now it’s time to revisit how the organization does things. Until 2015, the Board nominees were only collected from within the board, and there were no term limits. I’m not attacking anyone, but we all know that type of stagnation is not conducive to growth. In 2015 for 2016, Howard and I took time to move nominations to a hosted platform so the Board could handle a larger volume, expanded nominations, and set out a plan for following years. That plan included expanding to allow (ISC)2 Chapters to nominate and working towards a way to give every member a path for input/nomination. I couldn’t participate this year because I was eligible to run, but I’d like to return in 2017 and push this forward, and quickly.


Don’t be the #fail: Why ‘strategy’ should be your strategy for (ISC)2 elections

Tuesday, 15 November 2016 07:10

Once again, I bring you the unfiltered content of JJ’s mind through the blog-o-sphere. What I’m about to share are my opinions and do not represent those of anyone else on the board, near the board, under the board, at the organization or any any way affiliated with (ISC)2. My opinions are not always the popular ones, but they are mine.

In my last post, I talked about the fundamentals of the (ISC)2 Board and elections. Now I’m going to dive in to a specific topic and a suggestion I hope you heed, not just now but for years to come. Remember, kids — Only you can prevent forest fires (or ineffective Board members).

Why strategy should drive your vote

The fact that the Board members drive strategy is huge because it hasn’t always happened and YOU HAVE AN OPPORTUNITY TO FIX IT. (ISC)2 is an organization that started as a small grassroots effort, and was expanded and grown through extreme care and feeding, and lots of sweat and tears, to an international organization with nearly 125,000 members. I’m not here to challenge or attack what past board members have done. Their accomplishments on and off the board are nothing shy of amazing. But I’ll share some of my secret inside voice dialogue with you.

As a friend and mentor (Brian Jones) explained to me years ago, when you’re working “in” the business, you’re not working “on” the business. “In” the business is the tactical daily operation, and “on” the business is the big-picture strategy. Well, when you have a small group who has, solely, been responsible for trying to juggle both for a long time, it becomes hard to separate the two, and I think that’s exactly what happened over the course of past years when the Board was comprised of a rotation of many of the same faces. Those faces helped shape and grow a successful organization, but that circulation of talent came at a cost to the organization’s strategy and growth.

What happens when strategy fails

The organization has succeeded not because of the Board’s strategy, but despite it, or perhaps “in the absence of it” is the more appropriate phrase. At the end of the day my friends, you have no one to blame but yourselves. You, the voting member, are responsible for choosing a board that can lead strategy. The board will ensure the organization executes on it. But if you fail to select board members who can succeed at strategy, then the organization will not have the leadership and direction it needs to grow in the myriad ways you want. All those things you tweet or rant about, those things can be fixed (well, most of them can; some of them can’t because y’all are just unreasonable and like to be snarky).

Not just this election, but all. Choose wisely, always.

Succession, rotation and why you care
In October 2015, after years of struggle, the Board successfully passed more stringent term limits, which were designed to encourage a rigorous rotation of board members and therefore drive an influx of new talent to the Board. This coming year, starting in 2017, is the first full year and cycle under the new term limits, which prevent a member from serving more than six of any ten consecutive years. (New bylaws can be viewed here; read section III-4.) You can also see the Special Meeting of the Members Minutes from that October meeting, and you’ll see I was there in person as an officer along with Dr. Schou (then-current Chairman).

What that means is that succession, succession planning and succession strategies will be gravely important. Capturing decisions, documenting processes, and enforcing accountability for the Board as a whole, the Board Committees, and the individual contributors on the board will be a huge factor in the success of the organization’s growth.

What the board will look like next year

Speaking of term limits and succession. If you were like me, you’ve been squawking about getting new blood on the board and rotating out some of the old hats who have been in the mix for years, sometimes decades. Well, we got what we wished for, but you should know the extent to which there will be fresh blood in 2017.

There are 13 board members, each serving a 3-year term, with a 1/3 rotation each year. So it goes 4-4-5: in one year, 4 board members roll off and 4 slots are filled, then again the second year, and then in the third year 5 board members roll off and 5 slots are filled. The 2017-2019 term is a 5-slotter, folks. There are only two of us on the slate who have served a term before. The brilliant and hilarious Greg Thompson and I are the only two with board experience in this group. And the other 8 board members who are not in rotation this year? Well, they’re all in their first term except Wim, who is serving his second term. So if Greg and I are re-elected, there will be 3 people serving their second (and final) term, and everyone else will still be in their first years of service. That’s a significant change from past years, when some board members had served the organization for 10+ years.

But as refreshing and wonderful as all that freshness may be, there will be a cost to the organization along with the opportunity. If we’re not careful, the organization could suffer in its first year losing so many key contributors.

As I’ll share in my next post, this is one of the drivers that led me to accepting the nomination to run again. I was pretty well set on exiting the board, but I know I can help put processes and structure in place for succession, and that succession within the board is what will help grease the gears for all the subsequent boards, committees, and board members, and ultimately I think it will have a major impact on the growth of the organization, and the value to the members.

# # #

It’s (ISC)2 Election Time: Let’s make CISSP great again, or #notmycissp

Monday, 14 November 2016 10:08

Friends, the memes have started. “Let’s make CISSP great again” is peppering my thread along with snarky hashtags such as #notmycissp. I admit, I love the humour and fun and the little bit of tongue-in-cheek poking and harassing that comes along with the annual (ISC)2 elections. In fact, I fully expect to hear reports that Harambe had a successful petition. I want to share a few important fundamental thoughts on the Board, and the elections.

Each year for the past several years I’ve climbed the mountain tops and rooftops and, in my best and most boisterous cheerleader voice, I’ve made the call to vote and urged everyone to do a little research and a lot of voting.

Well, this year I’m back on the ballot. More on that in a moment. First I want to tell you why voting is important, what your participation affects, and then in a separate post I’ll talk about me and my goals as a candidate.

Serving these last few years, I’ve had some personal goals in my head — goals related to number of members voting and other engagement. This year is no different, and even if you’re not voting for me, I urge you to vote and help move this needle!

Let’s take a stroll down the important fundamental elements. What you’re about to read are my words and my opinions only and do not in any way represent the opinions of other Board member or anyone affiliated with (ISC)2.

What board members do
Corporate Governance: Board members determine policies, develop procedures, and provide strategic direction for the organization. This is taken right off the (ISC)2 website. Note that it said “provide strategic direction”; that’s important for a later discussion.

What board members *don’t* do

Board members do not participate in the daily operations or even daily oversight of management. The Board does not tell the organization’s management team how to do their job, nor does it advise on tactical items. The Board has one employee, and one employee only, and that’s the CEO of (ISC)2. The CEO then executes the strategy as directed by the Board. The Board does not have any oversight of the Advisory Committees, Chapters, or any partnerships by the organization.

You and the organization want Board members who have:

  • Leadership experience
  • Proven record directing strategic programs in an enterprise
  • Experience in managing companies, departments, business units, finances, and/or teams
  • Earned respect and trust of peers
  • Advanced the field of information security
  • The ability to listen, analyze, think clearly and creatively
  • A sense of honesty, sensitivity, and tolerance of differing views
  • An even stronger sense of humour

Commitments from Board members

In the past few years, we’ve seen a lot of people talk a good game and then fail to produce. Hell, honestly some of them have been my friends, and for brief flickers of time I have fallen victim to the hurricane of life and the inevitable failure that accompanies juggling 60+ hours of work along with 20+ hours of volunteer work for weeks on end. As you vote, look for people who have the willingness to roll up their sleeves and get dirty in order to get things done. Look for people who will ask questions, take responsibility and follow through on tasks. And for the love of S’mores (it’s the only way I’ll eat marshmallows), please make sure whoever you vote for has competency in at least some business/department/people management, can participate in those conversations, and can read a financial statement.

TL;DR? My thoughts in 3 bullets.

  1. Please vote, and make it count
  2. Know what the Board does (and doesn’t do)
  3. Research and vote for candidates that will help drive strategy

Those are my thoughts for today. Below are some additional ‘official’ resources.

  • Official Election Forum on LinkedIn
  • Board Election Slate 2016
  • Board FAQs
  • Board Election Process


The Official RSA Conference Guide by Industry’s Top Snarkers

Friday, 27 March 2015 07:03

Sure, sure — you can check out the voluminous agenda and event catalogs detailing what you’ll find at RSA this year. But to get the real scoop on “where the world talks security”, you need an insider’s view, and the most accurate, full-featured, and entertaining take on the world’s largest security conference comes from us. Head over to the RSA Conference Blog site and soak in all the blogs you can find from the Securosis Team.

I’m delighted and honored to join my colleagues in contributing to this year’s conference Official (Unofficial) RSA Conference Guide. Like Rich said, I still can’t believe RSA gave us a mile-long leash; I’m looking around in disbelief, waiting for posts to disappear from the site.

Read more: The Official RSA Conference Guide by Industry’s Top Snarkers

InfoSec World- Best, Worst and Common Practices for Securing Enterprise WiFi

Monday, 23 March 2015 12:00

The afternoon of Monday, March 23rd at InfoSec World in Orlando, I’ll be giving a talk in the mobile track titled “Best, Worst and Common Practices for Securing Enterprise WiFi“. Since the event site doesn’t post the full abstract, I figured I’d share it here for you, and I’ll tweet the crap out of it so you can find it.

Read more: InfoSec World- Best, Worst and Common Practices for Securing Enterprise WiFi


Wireless for Beginners Part 3: Getting the Signal
This article by Jennifer Minella originally appeared in Network Computing. Part 1 of this introduction to wireless outlines the basics of radio frequencies and waves. Part 2 explores the challenges of the half duplex properties of wireless networking and mechanisms for avoiding collisions that would disrupt traffic. The final installment addresses encoding algorithms and interference.
Understanding collisions and duplex in wireless
For whatever reason, we all seem to live with the delusion that wireless networking works like a wired connection, but over the air. And, in that world, we also have leprechauns. The truth is the layer 1 (physical) properties of wireless and RF are completely different;
Why more APs aren’t always better
Lately, I’ve been forced to dispel a volume of wireless myths, both in way of technology and vendors. I’m not sure if it’s a full moon, or some other astrological occurrence, but it’s gotten a little crazy recently. So, I thought I’d take a few blog posts to address some wireless myths, in brief, to keep in the back of your head as you explore wireless solutions and upgrades in your environment. Here’s a thought on why more APs aren’t always better.
New Book “Low Tech Hacking” is Shipping (JJ)
Well, it’s finally “real”. Until now, this book has existed only as a flurry of emails, phone calls and Word documents immersed in a sea of highlighting. Today, Low Tech Hacking materializes in ink and paper.

Other Stuff

NAC, Endpoint Security and Revelations from the RSA P2P
I’m not going to recount what was said during the session; RSA’s Peer 2 Peer sessions are gracefully excused from the promiscuous ears of the media. I do, however, want to share a few thoughts, revelations and takeaways I have from the session. More
Your Favorite Speakers at Infosec World 2015
Okay, in full disclosure this probably isn’t going to be a list of YOUR favorite speakers, but it’s a list of some friends, colleagues, and mentors you don’t want to miss at this year’s Infosec World. A key to the session ID codes is below, and my favorite schedule format is their at-a-glance, which you can get here. Infosec World 2015 is March 23-25 at Disney’s Contemporary Resort in Orlando, FL. In no particular order… Oh, actually these are mostly alphabetical by last name. Deviant’s at the top because I wanted that handsome devil above the crease. That, and he’s doing an opening keynote. More
