Jared Pfost here. I'm fired up to present at BlueHat. I really appreciate Noelle reaching out, so it was a no-brainer when asked to spin up a blog post. One thing that keeps popping up is my status as a former blue badge. Actually, I'm a former twice over: one tour pre-bubble and one post, or as I like to think of it, pre/post the TWC memo. My tenure started in '97, two years out of UW and very much a newb on how security really worked in IT and dev teams. Much of what I do today is rooted in my Microsoft experience. Of course, I didn't realize it until much later. Between dogfooding and attempting to keep up with the smart folks, I didn't notice the belief structure that formed. Here are a few I hope you'll enjoy.
Belief: We weren't as bad as we thought.
I always got a kick out of the perception from folks outside Redmond who assumed we were all rock stars. This cracked me up. I remember thinking, "if you only knew how screwed up we are..." As I left and worked with startups and other enterprises, there really were some special folks back then. Sometimes it's hard to notice when you're going 100 MPH. I hope it's still that way.
Belief: Heroes don't scale.
Burning key people out has been well documented. I'm talking about ordinary folks being asked to do heroic efforts like working 20 hours before a release. In my program manager or IT roles, I learned the hard way that quality suffers. It's usually better to take it on the chin and slip than fight another regression or outage fire. The root cause and fix is the same but a lot less painful.
Belief: Money doesn't buy happiness.
I didn't realize it at the time, but we had some big budgets in IT or dev compared to other companies. The reason I didn't notice is that resources rarely correlated to success. We were successful when we had a solid process. For folks who don't have money to burn, this is often the first excuse. Fact is, I'll take a solid process and two people over a team of ten any day.
Belief: Security isn't a technical problem, it's a management one.
After Washington Mutual collapsed, I started a software company to help security leaders manage their team and processes. It took me six months to realize I had founded the company out of a belief structure. When you can define what you do, measure it, improve it, and enable your leadership to decide how much they need, life is good. Morale improves, customers are happier, and incidents are reduced. I wish I could quantify those claims for you, but I can't, yet. In my experience, great managers lead to great results. I believe it and I'm passionate about proving it so you can believe it too.
Fired up for BlueHat!
Jared Pfost brings 16 years of information security experience to Third Defense, which he co-founded on the belief that effective management is the key to managing risk. Jared's unique career combines working in IT Security teams at Washington Mutual and Microsoft, consulting, and designing software across startups, banking, and technology. Jared is a self-proclaimed process nut and has demonstrated that you don't need unlimited resources to run a measurable, accountable, and effective security shop.
Excellent post, Jared. Keep the faith.