Infosec Pros: 3 Ways to Try Mindfulness Today

Friday, 19 January 2018 07:47

Everyone asks, “what are some ways people can try mindfulness?” The answer is that there are volumes of books on just this topic, but if you’re new to cultivating and applying mindfulness, and you’ve never had formal meditation instruction, then here are three uber-easy ways to get started right now. I’m presenting these in the context of our lives in tech and information security but (obviously) they can be used by all.

Learning to apply mindfulness is about building a toolset, trying out different tools, and evaluating their impact and your own personal results. Not every tool works equally for each person. These 3 are basic building blocks and tools that can be applied by anyone.

JJ on Business Security Weekly with Paul & Michael

Friday, 19 January 2018 05:39

Today I joined Michael Santarcangelo and Paul Asadoorian on Business Security Weekly to talk about life, love, and the pursuit of happiness. Or, maybe mindfulness, leadership, Buddhism, Cyber Patriot, and applying mindfulness to powerlifting. It was definitely a mixed bag, but a thoroughly entertaining time. Hope you enjoy the show!

You can see more new mindfulness-based leadership content at my session at InfoSec World CISO Leadership Summit this March.


It’s Been a Year (or Three) Straddling the Fence of Hard and Soft Skills

Friday, 19 January 2018 05:10

It’s been more than a year since I’ve given you a meaningful blog post, and I made a commitment today to change that. Actually, I made the commitment three years ago to do that, and I’m finally acting on it. I’ve made some other commitments, including presenting leadership and mindfulness content at conferences at the request of several professional friends, colleagues, and event managers.

JJ’s (ISC)2 campaign: goals, objectives, and strategery

Tuesday, 15 November 2016 11:50

I’m starting to feel “strategery” should be added to the dictionary. I mean, c’mon, have you SEEN the crap Oxford and Webster are buying in to these days? Half those things aren’t even real slang words.

Here’s a slightly more serious conversation than the past couple. And mostly that’s because I’m going to pilfer my post from the Official (ISC)2 Election Forum on LinkedIn and share it here so it’s more accessible. I’m told you have to request to join the LinkedIn group and I’m not sure why that’s the process, but I’m interested in sharing wherever/however people want to consume. And, by golly, social media seems to be the platform of choice for election rants and rhetoric — at least in the U.S.

As shared at the Election Forum

To elaborate and tie together a couple of the other topics here, and to answer questions that have come in through other means (Facebook, Twitter, CISSP Elections Yahoo forum), I wanted to share some of the specific items I’d like to do/see done in the next years as a board member.

1) Finalize and solidify the processes being developed, packaging succession methodologies to make the board more effective in transitions
Some important housekeeping (read why in my last post)

Now that there are term limits, and 2017 is the first year of real effect of those, succession will be critical for momentum of new/incoming board members. I’d like to finish helping build processes for capturing meaningful notes of committee projects, outstanding tasks, goals, and milestones; add methods for tracking board effectiveness. The org takes its direction from the board, so the board needs to be efficient and effective to best serve the members. There’s a lot of un-glamorous grunt-work to be done here, and I’m ready for it.

2) Lead a framework for strategy moving forward
This is what the board should be doing but failed in the past

Honestly when I ran for the board last time, I thought the underlying contributor to what I saw as the main problems was the organization’s leadership. I quickly realized it was the BOARD members (not the management) responsible for a lot of the issues (see #3 below). In addition there was no real leadership from the board in terms of strategy and direction so everyone kept doing what they had always been doing. I think the management team did a fantastic job in spite of that. It was the product of not having fresh perspectives (now resolved through term limits) and being overly paranoid about what could be shared or done with the industry and members. I think the org is at a tipping point now and 2017 will be the first year of major visible change.

Please remember the board needs strategic thinkers, not just “good security people”. Business leadership is a huge asset.

3) Continue pushing for better communication and transparency
There is some momentum but much work to be done

This is still a huge sticking point for me, and something I am embarrassed we haven’t done better with. In fact, I’m embarrassed that *I* especially couldn’t effect more change than I did so far. Unfortunately the board of past years didn’t see value in regular communication to the members, and that paranoia stopped much activity I tried to start. Also know that the chairperson has extreme power on the board. With Wim Remes as chair, transparency and communications are MUCH better and more open, but 2017 will be the first year with a very fresh board and I think it will improve drastically if we can get mechanisms everyone is comfortable with to share.

  • I’ve proposed regular live webinars with the board and/or committees so members can ask questions and the board can answer. I’d like to see that start in 2017.
  • The board started contributing blogs a couple of years ago, but certain past board members put a halt to that. I think we can resume that under the right chairperson.
  • I’d like to see members have access to more meaningful meeting notes, decision topics and talking points. In fact, others will disagree but I’d like to publish each motion and vote summary (total counts for/against/abstain). As Recording Secretary this year, I started putting more meaningful data on the official meeting minutes, which are available to members as a first step.
  • I think almost NO votes should happen by secret ballot unless there is a specific need. Secret ballot was how the board spun its wheels for YEARS trying to get things like term limits passed. Members should care, because that wastes YOUR time and money.

4) Expanding the board nominations pool

The organization was made successful by a small group of people who took an idea and fed it with blood, sweat and tears through decades. A lot of the housekeeping and processes get lost in favor of more time-sensitive or impactful decisions, but now it’s time to revisit how the organization does things. Until 2015, the Board nominees were only collected from within the board, and there were no term limits. I’m not attacking anyone, but we all know that type of stagnation is not conducive to growth. In 2015, for 2016, Howard and I took time to move nominations to a hosted platform so the Board could handle a larger volume, expanded nominations, and set out a plan for following years. That plan included expanding to allow (ISC)2 Chapters to nominate and working towards a way to give every member a path for input/nomination. I couldn’t participate this year because I was eligible to run, but I’d like to return in 2017 and push this forward, and quickly.


Don’t be the #fail: Why ‘strategy’ should be your strategy for (ISC)2 elections

Tuesday, 15 November 2016 07:10

Once again, I bring you the unfiltered content of JJ’s mind through the blog-o-sphere. What I’m about to share are my opinions and do not represent those of anyone else on the board, near the board, under the board, at the organization or in any way affiliated with (ISC)2. My opinions are not always the popular ones, but they are mine.

In my last post, I talked about the fundamentals of the (ISC)2 Board and elections. Now I’m going to dive in to a specific topic and a suggestion I hope you heed, not just now but for years to come. Remember, kids — Only you can prevent forest fires (or ineffective Board members).

Why strategy should drive your vote

The fact that the Board members drive strategy is huge because it hasn’t always happened and YOU HAVE AN OPPORTUNITY TO FIX IT. (ISC)2 is an organization that started as a small grassroots effort, and was expanded and grown through extreme care and feeding, and lots of sweat and tears, to an international organization with nearly 125,000 members. I’m not here to challenge or attack what past board members have done. Their accomplishments on and off the board are nothing shy of amazing. But I’ll share some of my secret inside voice dialogue with you.

As a friend and mentor (Brian Jones) explained to me years ago, when you’re working “in” the business, you’re not working “on” the business. “In” the business is the tactical daily operation, and “on” the business is the big-picture strategy. Well, when you have a small group who has, solely, been responsible for trying to juggle both for a long time, it becomes hard to separate the two, and I think that’s exactly what happened over the course of past years when the Board was comprised of a rotation of many of the same faces. Those faces helped shape and grow a successful organization, but that circulation of talent came at a cost to the organization’s strategy and growth.

What happens when strategy fails

The organization has succeeded not because of the Board’s strategy, but despite it, or perhaps even “in the absence of it”, is a more appropriate term. At the end of the day my friends, you have no one to blame but yourselves — you the voting member — you are responsible for choosing a board that can lead strategy. The board will ensure the organization executes on it. But if you fail to select board members who can succeed at strategy, then the organization will not have the leadership and direction it needs to grow in the myriad ways you want. All those things you tweet or rant about, those things can be fixed (well most of them can; some of them can’t because y’all are just unreasonable and like to be snarky).

Not just this election, but all. Choose wisely, always.

Succession, rotation and why you care

In October 2015, after years of struggle, the Board successfully passed more stringent term limits which were designed to encourage a rigorous rotation of board members, and therefore drive an influx of new talent to the Board. This coming year, starting in 2017, is the first full year and cycle under the new term limits, which limit a member from serving more than six out of any ten consecutive years. (New bylaws can be viewed here, read section III-4.) You can also see the Special Meeting of the Members Minutes from that October meeting, and you’ll see I was there in-person as an officer along with Dr. Schou (then-current Chairman).

What that means is that succession, succession planning and succession strategies will be gravely important. Capturing decisions, documenting processes, and enforcing accountability for the Board as a whole, the Board Committees, and the individual contributors on the board will be a huge factor in the success of the organization’s growth.

What the board will look like next year

Speaking of term limits and succession: if you were like me, you’ve been squawking about getting new blood on the board and rotating out some of the old hats who have been in the mix for years, sometimes decades. Well, we got what we wished for, but you should know the extent to which there will be fresh blood in 2017.

There are 13 board members, and there’s a 3-year term and a 1/3 rotation each year. So it goes 4-4-5 — meaning in one year, 4 board members roll off, and 4 slots are filled, then again the second year, and then the third year there are 5 board members who roll off, and 5 slots to be filled. The 2017-2019 term is a 5-slotter folks. There are only two of us on the slate who have served a term before. The brilliant and hilarious Greg Thompson and I are the only two with board experience in this group. And the other 8 board members who are not in rotation this year? Well, they’re all in their first term except Wim, who is serving his second term. So if Greg and I are re-elected, there will be 3 people serving their second (and final) term, and everyone else will still be in their first years of service. That’s a significant change from the past years, where some board members had served the organization for 10+ years.

But as refreshing and wonderful as all that freshness may be, there will be a cost to the organization along with the opportunity. If we’re not careful, the organization could suffer in its first year losing so many key contributors.

As I’ll share in my next post, this is one of the drivers that led me to accepting the nomination to run again. I was pretty well set on exiting the board, but I know I can help put processes and structure in place for succession, and that succession within the board is what will help grease the gears for all the subsequent boards, committees, and board members, and ultimately I think it will have a major impact on the growth of the organization, and the value to the members.

# # #


Wireless for Beginners Part 1: RF and Waves
This article by Jennifer Minella originally appeared in Network Computing. Wireless networking presents a unique set of challenges that have to be overcome to get information from point A to point B. Most of the quirkiness of wireless technologies has to do with the controls put in place to allow it to operate over the physical medium of the air. From collision avoidance to time slicing and even data rates, the functions and characteristics of wireless success (and failure) can most often be traced to the challenges of communicating over the air. This series starts with an overview of wireless’s most often-overlooked but fundamental elements: the properties of RF and waves. 
Listen to our PCI Wireless Podcast
Immediately after landing in Las Vegas for Black Hat and Defcon, I (literally) gathered my luggage and ran to the hotel to check in and hop on the StillSecureAfterAllTheseYears (SSAATY) Podcast with some of my favorite trouble-making colleagues to throw my two cents in on the PCI Wireless Podcast.
Good, Bad and Ugly: On SecTor’s Wall of Shame
In the past 48 hours or so, rumours about the SecTor Wall of Shame have been circulating through the intertubes, blogs, twitter and exhibitor floor conversations.
Secret Wireless March 17th… shhhh
I’ve been punchy these past few days; I’ll apologize for this week and in advance for the next one. After a week of hopping around the Southeast, I’m heading down to Charlotte with Jack for a talk at the US Secret Service Electronic Crimes Task Force meeting.

Other Stuff

Securing Multiple Device Auth on 802.1X
Part II of the Clearing Up 802.1X Series: Securing Multiple Device Authentication on 802.1X
VLANs and Multiple Device Authentication
I always say the road to insecurity is paved with good intentions, and implementations of 802.1X are some of the best examples. I find folks tend to be so excited if-and-when they get 802.1X working that they don’t bother to put it through the wringer and see what’s actually happening on the switch once it’s working.
Analysis after the demo: Hole 196 and the WPA2 vulnerability
You guys asked me to break out this information instead of posting as comments on the original post. Here is more updated information on the WPA2 Hole 196 vulnerability now that AirTight has given the demo at BlackHat/Defcon.
