I just got back from a training seminar led by 4th degree black belt and the "Prince of Jiu-Jitsu", Carlson Gracie Jr.. What an incredible experience and honor! The seminar brought out many students from different academies and several of Charlotte's finest law enforcement officers, most of whom train at Alliance Jiu-Jitsu of Charlotte.
Afterwords, I was invited by my professor, Luis "Sucuri" Togno to go to dinner with he and Carlson Jr. While much of the conversation was in Portuguese, I did have an opportunity to discuss a number of topics related to Jiu-Jitsu. In addition, Sucuri asked me if I would like to go to Brazil with some of the students next year to train. I suppose the hard work and dedication to the art is translating nicely for my instructor, and I truly appreciate what he has already done for me.
All I can say is that I continue to be pleased and excited about the whole experience. For those people who are seeking some solid, tangible real-world martial arts skills and live in Charlotte, I have nothing but positive things to say about Team Alliance of Charlotte, and would highly encourage you to give it a try.
So for those people that are curious how BJJ relates to the security world, let me quickly summarize why I think my experiences in BJJ is relevant to the security world:
BJJ is a gentle art of fighting, and while books like Sun Tzu's Art of War draw parallels to business, management, etc., BJJ is all about leveraging your knowledge with the least amount of perceived effort. I have witnessed first hand the seemingly impossible odds of a 150-pound fighter tear into someone with 50 to 60 pounds. Initially, with a wrestling background, I thought I could outmuscle my training opponents. In the security world, it is not the one that has the high-tech technology running on autopilot that defends the shareholder value, it is the one that has the ability to effortlessly transition from "move to move", a concept known as Defense in Depth. As an ethical hacker, I have been able to circumvent my client's perimeters protected by large, expensive systems, and I have been halted by some inexpensive, modular systems. Therefore, it is all about the leverage, not the muscle in many situations.
I hope the readers of this blog will bear with me when I seemingly go on these tangents. While my primary purpose for blogging is to educate readers regarding information security and technology, it is important to note that we draw conclusions as a result of the culmination of our life's experiences. There will be plenty of time for straight security talk, and I promise I will try to keep the tangents to a minimum, or at least draw the parallels to the spirit of this blog.
Best Regards...
Tuesday, October 21, 2008
Monday, October 20, 2008
Acronym Soup In Security Certifications
A few weeks ago, Shon Harris asked the White Hat Hacking group to comment on the state of the industry from a certification perspective, and in particular, how fractured the industry is with respects to certification bodies (including vendor-neutral versus vendor-heavy).
Here is the snip of my response at the time:
I wanted to throw it out to a wider audience to get some additional perspectives on the whole notion of requiring mentoring, teaching, or volunteer work as a condition of a security credential. It is one thing to have a bunch of acronyms after one's name, and I am not trying to diminish the accomplishments of those that are dedicated enough to obtain many certifications or advance their careers.
However, how would hiring managers feel about the merits of a technical certification(s), versus a more rounded certification which included charity work as a prerequisite?
I would love to hear opinions on this one.
Here is the snip of my response at the time:
Actually, I am skeptical that we will ever have a certification track that will effectively capture the industry. As you mention, vendor-concentrated certifications demonstrate knowledge on a particular platform or product; however, in my opinion, information security is so fluid and nebulous that it is similiar to trying to have an intelligence (adjective, not noun) certification.
From a personal perspective, I have always found it more impressive if someone can teach as well as simply speak facts. Therefore, I would hope that a measure of a practitioner's value to an organization could be viewed, not by a single or suite of certifications, but rather the lifelong pursuit of the advancement of the profession. I think there is a very good parallel to this in practice throughout history today with the various martial arts.
I think ISC(2) and others have dabbled in this approach, but in my opinion, it needs to be refined. If I was holding the "magic wand", I would suggest that everyone study, teach, and contribute to the community through volunteering or charitable contributions to maintain a credential. Ultimately, I believe this would do more for the industry than any certification can provide alone.
Thoughts?
I wanted to throw it out to a wider audience to get some additional perspectives on the whole notion of requiring mentoring, teaching, or volunteer work as a condition of a security credential. It is one thing to have a bunch of acronyms after one's name, and I am not trying to diminish the accomplishments of those that are dedicated enough to obtain many certifications or advance their careers.
However, how would hiring managers feel about the merits of a technical certification(s), versus a more rounded certification which included charity work as a prerequisite?
I would love to hear opinions on this one.
Saturday, October 18, 2008
Is the Election Over Yet?
Without publicly leaning to the left or right, I have to be honest.... I am through with the political advertisements for this election cycle. Everywhere I turn, it is smear and boast, smear and boast. Print ads, radio spots, and television commercials: media overload! There is even a 30-minute infomercial from one of the candidates! I am wondering if these candidates are taking cues from Billy Mays and Tony Little ("YEAH, BABY!")
. Unfortunately, these "in-your-face" ads are effective to a certain degree, which is why they continue en masse.
Would I feel any better if the candidates focused on the issues... I mean REALLY focused on the issues? Probably not. In my opinion, there is no substitute to solid research undertaken in the privacy and comfort of one's own home. Let me draw my own conclusions. Steer me... Yes, preach to me... not so much.
Geico's Motorcycle Commercial Earworm
Ok, so this commercial has been an earworm since I saw it, but in case you may be in the same predicament as I was....
"Hurt You" by The Sounds
Maybe it is a guilty pleasure, or a throwback to the Depeche Mode / Red Flag / Talking Heads hybrid sound. I am quite certain it is not the cavemen in the commercial though (don't want to see another spinoff TV show created!).
On a somewhat separate, yet similar thought... How do these marketing folks find these gems? I am having a hard time believing it is trial and error sampling. At one point, I believe I had a box set of songs from commercials, TV shows, and other advertisement campaigns. I suppose I am just curious as to how marketers "connect" with a specific audience -- and specifically -- whether or not Geico was intending to connect with my specific demographic for this particular advertisement. If so, I believe there is a great deal of application in how we, as security practitioners, connect with business and technology demographics in the workplace.
Without further adieu, here is the commercial:
Subscribe to:
Posts (Atom)
Posts
