Based out of California, Jason Mefford is a well-known speaker on all things ethics, corporate governance, risk management, GRC, compliance and internal audit related. He has authored two books, Risk-Based Internal Auditing and Masters of Success. He was also a contributing author on the OCEG GRC Capability Model v3.0. Mr. Mefford sat down with ZenGRC to discuss his new training platform, cRisk Academy, as well as changing an organization’s approach to risk.
ZenGRC: What’s interesting about cRisk Academy is that you bring with you both auditor and trainer experience. What was the catalyst for cRisk? How does your background uniquely situate the academy?
Mefford: I spent many years as both an external and internal auditor, was a Chief Audit Executive at two large companies, was responsible for information security, risk management, ethics & compliance, and have now been a trainer for many years. I understand the information that I needed to do my job better as an auditor, what I needed for the employees who worked for me, and now the needs of students I have in my courses.
Most people have a desire to understand risk better. Since the business context now changes rapidly, as a result of new technologies, it’s more important now than ever for individuals to understand how forces, events, and changes in condition impact their organization’s ability to meet their objectives. Companies that have been at the top of their industries now no longer exist, and some companies that are now worth billions of dollars didn’t exist a few years ago.
Risk-based professionals need training to improve their professional competencies, but unfortunately many organizations have cut back on training budgets and often require professionals to “take vacation” in order to go to training. I also see a large demand for risk-based professionals outside the US wanting high-quality training. I spend most of my year traveling the world speaking and teaching, but I know I can’t reach everyone in person.
Also, as a trainer I personally wanted to provide a better option for authors. Many of the training companies and platforms do not pay authors enough to make a living, which I believe is very unfortunate. I realized there needed to be an option for students to get affordable training that they need, but also to fairly compensate expert authors. Since I couldn’t find one that existed, it seemed like the right thing to create one.
ZenGRC: What is your intended audience for cRisk? CISOs? CIOs? Auditors? Developers? Do you have any future plans to expand that audience?
Mefford: Our intended audience is anyone who considers themselves a risk-based professional and/or wants to “see” risk more clearly in their organization. That could be anyone in audit, risk management, governance, compliance, GRC, IT, etc… and even management. While many of our trainings are focused on helping practitioners do their jobs better, many of our courses are applicable to everyone in the organization, even the C-Suite.
We have an agreement with AuditNet®, an online digital network where auditors share resources, tools, and experiences including audit work programs and other audit documentation. AuditNet® has been doing live webinars for many years and has a significant library of previously recorded webinars on internal audit topics. Our agreement allows us to publish the previously recorded AuditNet® webinars, and make the valuable learning available to auditors all over the world in an on-demand format. One of the problems with the webinar business has been that once the webinar is over, the great content presented by experts is no longer available. We are happy to be able to provide a platform so auditors can now gain access to these previously recorded webinars from AuditNet®.
Many of the courses on our platform now are from AuditNet®, so they are specifically focused on improving internal audit practitioners’ skills.
We do have plans to add many more courses on corporate governance, risk management, ethics, and many more topics that are relevant to any risk-based professional.
ZenGRC: Talk to me about your platform. Since we’re all computer folks around here, what’s the difference between your platform and other training sites? Is this like a Netflix for webinars? Or an Amazon rental for webinars?
Mefford: This is a great question and a great analogy to other entertainment platforms. Since my partner and co-founder has a background in the entertainment industry, we built our platform to match what people are used to doing with entertainment. We offer webinars, webinar replays, and on-demand training through our platform. Let me explain how it works using the entertainment analogy.
I personally have subscriptions to Netflix, Hulu, Amazon Prime, HBO Now, cable, and use Apple’s iTunes TV service. Most of those are subscription based, except for Apple. I pay monthly for the ability to watch movies and TV shows through those platforms whether I use the services or not. I don’t really like that option, especially my monthly cable subscription. I pay for cable so I have the ability to watch live sporting events that are not available on one of the other platforms, but I also pay for many channels and programs that I don’t ever watch.
With cRisk Academy we wanted to provide an option that put the student in control of their schedule, and only have them pay for the content they want, without being locked into a subscription. I tend to find that even though I have several subscriptions, I am often left going back to Apple to find an on-demand option, so I have the flexibility to see what I want on my schedule.
I personally really enjoy the show “Game of Thrones,” and we can use that show to help illustrate how our platform works. “Game of Thrones” is an HBO original content program. If I want to watch the show I have a few options. I can watch it each week when a new episode is released on HBO. I can watch it through the HBO Now application. I can purchase it through Apple.
Since I travel often, it is difficult for me to watch the show at the appointed time each week. Watching at the appointed time is like attending a live webinar. It’s a lower investment, but I have to be available to consume the content at the appointed time, and I only get to watch it once.
Another thing about watching live TV is the commercials. Someone has to pay for the content. When we choose to watch live TV as a viewer we “pay” by having to watch the commercials from companies who are sponsoring the cost of the program. Most “free” webinars fall into the same category and require you to essentially watch a commercial from the organization sponsoring the webinar so you can watch for “free.”
We wanted a different approach where the student pays a small fee for the webinar, but receives hundreds of dollars in value from the presenter. Not only do the students get great content, to improve their career and help them do their job, but they also receive practical tools and special offers the presenter would normally charge their clients hundreds of dollars to receive.
If HBO offers reruns of the show, I could see when “Game of Thrones” was playing and watch a rerun. I would still have to schedule my time to be available for the rerun, but since there are usually several reruns, I would have more options.
This is like our webinar replays, only our platform allows students to select from several different time slots in the future, both during and after business hours, based on their time zone. No longer does one have to attend a webinar in the middle of the night.
Lastly is the on-demand option. Since my schedule didn’t allow me to watch “Game of Thrones” live or as a rerun, I had the ability to purchase the entire season through Apple and watch it when and where I chose. Even though I have an HBO Now subscription, I am often blocked from using it when I am traveling internationally and can’t watch it on the airplane. For these reasons, I chose an on-demand option by purchasing the entire season through Apple. I paid more for the convenience, but then I could watch it when it was convenient for me. Another benefit: I can now watch the series as many times as I desire.
This is like our on-demand option. Once a student registers for the course, they can watch it when and where they like, as long as they have an internet connection. They can also watch and rewatch the training as many times as they want. All of the training remains in the student’s account forever.
Just like Apple, where I have the ability to purchase individual episodes or the entire season, we also offer the ability to register for individual 1-2 hour sessions, or get the entire “season,” what we call bundles. You save when you purchase a bundle, just like you save when you get the whole season.
By offering training as webinars, webinar replays, and on-demand we are trying to provide students with flexible options to meet their schedule.
ZenGRC: From the perspective of a client, I love that these are individually priced. My state recently instituted a CLE requirement that makes it cost ineffective for me to retain ongoing licensing. Explain to me what the options are for individuals in my situation.
Mefford: Your experience reminds me of an experience from my own life. I had just moved to California and had just gone through the reciprocity process to get my California CPA license. I was already a licensed CPA in Idaho, but now that I had a license in two states I was hopeful my employer would support me in paying for my CPE training and licensing in both states.
When I approached my boss he said, “I know you spent a lot of time and effort getting your CPA. Most people who get it would hate to let it go.”
He was thinking exactly what I was thinking. I would hate to let any of my certificates or licenses lapse because of the time and effort I put into getting them. It’s unfortunate some companies are not supporting their employees now in their professional development. The employees really want to maintain them and shouldn’t let all that hard work go down the drain because of lacking CPE.
Luckily for me he was very supportive, and my company at that time helped pay for my licenses and CPE training. Now that I am on my own, I pay thousands of dollars a year to maintain all of the certification, licensing, and CPE on my own. I do that because I worked so hard to obtain those certifications and licenses in the first place, that I don’t want to let them lapse.
As I mentioned before, many people who work for large organizations are asked to pay for it themselves. One reason for creating cRisk Academy is to help people have access to CPE at a much lower cost, on their time schedule.
We have also taken an approach to make our trainings available in smaller sizes (1 or 2 hours) and bundled into larger courses of multiple hours or days. This was a way to help students customize their learning experience so they only get what they need, and what they can afford, when they want it.
I remember a story from business school one of my professors told us about toothpaste. Toothpaste is something we use each day and don’t really think about. We buy large tubes and use it for weeks or months at a time. The story he told us was about how some consumer products companies that make toothpaste actually create special “one-time-use” packaging for certain parts of the world. It seemed odd to me at first until he explained they needed to do that because some people in the world can only afford to pay for a single serving of toothpaste. To them, brushing their teeth was a luxury they couldn’t afford every day.
That story has stuck with me, and I guess one reason we do this is to help people that only need a “single” serving of training, instead of a full three-day course. It also is helpful for individuals who get to the end of their CPE year and see they are a few hours short. Now with cRisk Academy, they can purchase just the hours they need to maintain their CPE.
ZenGRC: When looking at CLE requirements, many people think that having an “accredited” program is necessary. Is this true? How do you feel cRisk Academy can change that mindset?
Mefford: I’m going to let you in on a little secret that will probably make the accrediting companies mad.
One of the biggest accrediting companies in the US is the National Association of State Boards of Accountancy (NASBA). NASBA was created to help ensure Certified Public Accountants’ (CPAs’) training is high quality and has reciprocity agreements with all of the state boards of accountancy. The idea is that if a training is NASBA accredited, it would be accepted by any state board of accountancy in the US for CPE purposes. For this reason, many people look specifically for NASBA accredited courses.
The reality is, only a handful of state boards of accountancy in the US require CPE to be NASBA accredited. I am personally a CPA in two different states and neither requires my CPE to be NASBA accredited. Each state does have its own CPE requirements, but those vary from state to state and are usually based on topic areas instead of accreditation.
Internationally NASBA accreditation is not relevant unless the student is a US CPA; and, as I already said, their state may not even require NASBA accreditation.
I have many different certifications and two CPA licenses. Only one of my certifications is particular about having accredited training, which means I am free to choose the training I need for the others, within the parameters of my certifications and licenses, to have most of my training qualify for my annual CPE requirements.
We decided not to go through the NASBA accreditation process, as it is very cumbersome and costly, especially in an online training format. We decided that since most people using our training platform wouldn’t require NASBA accreditation, there was no reason to add extra cost to our trainings when it wasn’t needed.
Our platform is perfect for someone in your situation, who can’t afford the time away from work, or the large investment required to obtain in-person accredited training to maintain their certificates and licenses. It also allows you to customize your learning experience to get exactly what you need to do your job and meet your individual CPE needs.
One last comment on this area. It is important for people to focus on why we need to obtain CPE, not just obtaining CPE. Certifications and licenses mandate a certain number of CPE hours each year to help ensure professionals are staying relevant with changes and are competent to do their jobs. One’s focus should be obtaining the training they need to improve their career and do their job, not just getting CPE “hours.”
I think that is also one of the benefits of our training platform. Students can get the training they need to improve their career, and use the training for their CPE requirements. We offer CPE certificates for all of our courses once the course is completed, so students can track their training hours and use it in their CPE reporting each year.
ZenGRC: Your book really tries to get auditors to think differently, more holistically, about the way the audit process fits into the greater scope of business. Can you explain to me some of the ways in which you approach audit differently from others? Why do you feel this approach is better for an organization?
Mefford: The name of my book you are referring to is Risk-Based Internal Auditing. I used that title because lots of auditors realize they need to use a “risk-based” approach to auditing, but there are some misconceptions about what it really means to be risk-based in your audit approach.
What I advocate is “focusing on objectives, not internal controls.” I like to joke that an auditor never sees an internal control he/she didn’t want to audit. This causes many auditors to believe they need to test all of the controls in their organizations.
The real trick is to only audit key controls that relate to response activities their organizations are using to help meet key objectives. Auditors tend to focus first on controls instead of taking a couple of steps back and considering the organization’s objectives. As a result, they audit the details instead of looking at the bigger picture where they can provide more value to their organizations.
There are really three things that affect whether an organization achieves its objectives, which go back to the concept of Principled Performance®. Organizations are trying to reliably achieve objectives (performance) while addressing uncertainty (risk/reward) and acting with integrity (mandatory and voluntary compliance). Auditors should be focusing on the forces, events and changes in condition that impact their organization’s ability to achieve objectives in those three areas. My book helps to explain how auditors can focus on the “significant” items.
The concept of Principled Performance®, created by OCEG, the organization that invented GRC, is really what my book is about: how auditors can help provide assurance to their board and management that the organization is on track to meet its objectives. This approach is better, since it focuses the auditor’s efforts on what matters most to the organization, not just what the auditor wants to, or thinks is important to, audit.
This is a common theme I teach people in all of my trainings, including those on the cRisk Academy training platform.
ZenGRC: One of the things we talk about constantly in infosec is building a culture of compliance and awareness. From what you’re telling me about your approach to audit and cRisk, it feels as though this is very much on your mind. How would you envision cRisk adding to culture shift within organizations?
Mefford: For organizations to succeed in the future they must be more risk aware. They must practice the concept of Principled Performance®. The risk-based professionals we are trying to reach through cRisk Academy need to clearly understand forces, events, and changes in conditions. They need to learn a language they can use to help others in their organization understand these concepts.
Culture in an organization is based on values and beliefs that lead to individual behaviors. The way to change culture is changing belief. Belief changes through education and experience.
If an organization wants to build a culture of compliance and awareness, their employees need to be educated (that’s where cRisk Academy comes in) and have experiences that support that culture.
Cultural change is a long-term process that requires repetition, another way cRisk Academy helps. Our on-demand trainings are available to the student as long as they maintain their account. They can go back and watch the video lectures again and again, until they really understand the concepts and can apply them in their job.
6 InfoSec Cartoons & Webcomics to Brighten a Gloomy Week
When your week is getting you down and you need a quick pick-me-up, cartoons and memes are the way to go. The wonder of the internet may bring with it security concerns, but it also brings with it the ability to chuckle at a moment’s notice. Below are five places to find IT, infosec, and technology-related humor on the internet.
Dilbert
Dilbert is never not funny. Anyone who has ever spent their day in a cube farm filled with people who would never understand them or their value understands Dilbert. We get Dilbert. We are one with Dilbert, and Dilbert is one with us. The best part is that Scott Adams’s official website has 212 pages of comics totally dedicated to the search “Information Security.”
XKCD
Ok, every geek worth their kryptonite knows about XKCD. They might even hand out XKCD comics with Bachelor of Science diplomas. Unlike Dilbert, there is no search function on the XKCD website. However, a web search led to individual cartoons about things like security, encryption, InfoSec expert Bob Schneier, password strength, authorization, and the impossible dream of a back door to tech-savvy tech support.
Little Bobby
Written by Robert Lee and Jeff Haas, Little Bobby is from an insider’s perspective. Robert Lee is one of the top infosec experts around, but he works on this comic in his free time. With a subtitle like, “a Sunday morning webcomic on technology and security,” Little Bobby is intended for the InfoSec community.
Geek & Poke
Geek & Poke publishes webcomics every few weeks. More sporadic than some of the others, its focus is very clearly programmers. Minimalistic in style, it maximizes humor.
User Friendly
Started in 1997, User Friendly publishes IT-focused webcomics daily. J.D., the author, comes from the IT world noting proudly in his FAQ that “The first (user-programmable) computer I ever used a Hewlett-Packard 2000 mini, with thermal-paper printouts.” Although not currently in IT, he still visits IT departments for continued up-to-date inspiration.
Radical Compliance’s Meme Page
Everyone loves a good meme. Run by Matt Kelly, the former editor and publisher at Compliance Weekly, Radical Compliance generally serves as an information source but has a pretty phenomenal page of infosec memes.
Wednesday’s Women: Magen Wu
While researching our 119 InfoSec Experts You Should Follow on Twitter, Reciprocity noticed that while women make up a large segment of the information security population, they are generally underrepresented in the media discussions. With that in mind, welcome to Wednesday’s Women, a new, ongoing series that will profile one woman in information security each month to help raise awareness of the women in information security who are working to keep businesses and the internet safe. This month’s profile is Magen Wu.
Currently a senior consultant at Rapid7, Ms. Wu has worked in IT since 2008. Her experience includes working at Protiviti as well as being a test engineer at Xversity. She is PCI QSA certified, holds three degrees from St. Petersburg College and a Master’s Degree from Southern New Hampshire University.
If you had to choose one event that led you to work in information security, what would it be and why?
The day that I found out that I faint at the sight of blood (about 13 or 14). I was going to study to be a forensic psychologist, but then found out that really important piece of information. Computers had always been a hobby for me and I volunteered at the veteran’s hospital where my dad worked (IT department). A few weeks after that incident, they had a major incident that took down the entire network. I got to see how he and his coworkers worked to respond to that incident and was really curious about what had caused it. I think that was what finally did it for me.
Why do you like working in the information security environment?
I love that there is always something new to learn about information security from someone. The team that I’m on now at Rapid7 is a great example of that as I get to work closely with some really smart people who I am constantly learning from.
If a n00b to the infosec world asked you for a piece of advice, what would it be?
Talk to people. Whether you’re standing in line for reg at a con, sitting in a DEF CON village, or just sitting next to someone at the hotel bar, just try and talk with the person next to you. It’s going to be awkward and not every interaction will lead to something, but you never know what you can learn from someone else unless you try and reach out. Semi-related would be to participate in mentorship programs. Jimmy Vo and Keith Hoodlet are breathing life into the InfoSec Mentors program and several cons are starting up programs that pair new speakers with well-seasoned ones.
What is the most important issue facing professionals in the information security landscape today? Why?
I think that the most important issue for information security professionals would be how the rest of the organization views us. Time and again it is said that the human element is the hardest to secure, but we aren’t exactly making our lives easier from that aspect. Information security teams are often somewhat isolated from the other departments they’re supposed to be working with — and viewed by colleagues as a task force that’s out to get them for one thing or another. This is something that the community is actively trying to figure out, but there’s a ways to go. For example, Katie Ledoux on the Rapid7 infosec team gave a presentation at this year’s BSides San Francisco on this exact issue and how infosec pros can better integrate within their organizations – more effective communication and increased visibility were the two big takeaways. I think that we could make huge strides in user awareness and how quickly incidents are reported if we change this big brother image we have. Additionally, the language we use when we’re talking to or about our users (usually derisive) needs to change. We are supposed to be here to protect the business — our users are a part of that. They can tell when someone projects animosity toward them. If you’re projecting animosity, it will be met with animosity in turn, and nothing improves. Users just go around your back to get things done instead.
What is the most important issue facing consumers in the information security landscape today? Why?
I think that it would have to be information overload. Consumers are inundated with so much data—logs, alerts, emails, blog posts, etc. — that it can be hard for them to know what needs to be acted on and what is safe to ignore or put aside. People have a finite amount of resources–both from a hiring/cost standpoint, but also psychologically. We as security professionals need to find ways to help consumers pare down data to what is actually important to them so that they can make sound decisions and act in a timely manner.
What are your three “guilty pleasures” that have nothing to do with information security?
Styx – I love them and have seen them live like 4 or 5 times
Taking way too many food pics on my Instagram
I have an “Emergency Happy” Spotify playlist I listen to every morning with stuff from Chaka Khan to James Brown to Duran Duran to RuPaul to who knows what else.
Star Wars, Star Trek, or “Umm, no. Just no”?
Babylon 5
119 InfoSec Experts You Should Follow On Twitter Right Now
Staying on top of trends and news should be easy in the information age but still proves difficult. Seeking out the best resources for information and the most trusted voices can seem overwhelming when social media outlets like Twitter make it easy for anyone to comment on topics or share links. Below are 119 Twitter accounts that you should be following in order to be ahead of the IT curve.
Many currently existing lists either include very few women or create separate lists of women. According to the Women’s Society of Cyberjutsu, women make up 50% of the general workforce and 25% of the computing workforce but only 11% of the information security workforce. Our list includes 29 women as well as 1 women’s organization.
There are definitely many other influential InfoSec experts that are worthy of following on Twitter. But we wanted to make sure to highlight this group because we felt they had a lot of relevant expertise in InfoSec and they shared great content. If you have someone that you’d like to show some love to and recommend, please let us know in the comments and we will consider that person for one of our next lists.
The IT Industry Experts
Juliette Kayyem – @juliettekayyem
Ms. Kayyem’s list of accomplishments is staggering. She is the founder of Juliette Kayyem Solutions, LLC, one of a limited number of female-owned security companies. She is the Belfer Lecturer in International Security at Harvard Kennedy School. From 2009 – 2010, she was the Assistant Secretary for Intergovernmental Affairs with the US Department of Homeland Security. Moreover, she has been a trial attorney and written a book, Security Mom: An Unclassified Guide to Protecting Our Homeland and Your Home. Ms. Kayyem’s Twitter account focuses on the intersection of government and information security.
Katie Moussouris – @k8em0
Ms. Moussouris helped the US Department of Defense start its first bug bounty program. She’s also a subject matter expert for the US National Body of the International Standards Organization (ISO) in vulnerability disclosure (ISO 29147). Ms. Moussouris’s Twitter account is a collection of personal infosec experiences and of informational shares.
Wendy Nather – @wendynather
Although Ms. Nather’s most recent position is as the principal security strategist at Duo Security, she has been working in IT since 1987. She spent 12 years in the financial services industry and 5 years in state government. She specializes in security program management, threat intelligence, risk analysis, identity and access management, security operations and incident response, application security, and security services. Ms. Nather’s Twitter account is a fun intersection of IT, infosec, and memes.
Richard Bejtlich – @taosecurity
Mr. Bejtlich is chief security strategist at FireEye, and was Mandiant’s Chief Security Officer when FireEye acquired Mandiant in 2013. He is a nonresident senior fellow at the Brookings Institution and an advisor to security start-ups. He was previously director of incident response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Mr. Bejtlich is a graduate of Harvard University and the United States Air Force Academy. His fourth book is “The Practice of Network Security Monitoring” (nostarch.com/nsm). Mr. Bejtlich’s Twitter account includes insightful comments on published articles as well as links to his own writing.
Anton A. Chuvakin – @anton_chuvakin
Currently a research vice president at Gartner, Inc., Mr. Chuvakin has 16 years’ experience in the information security industry. He is an expert in SIEM, log management, and PCI DSS compliance and holds a PhD in physics. Mr. Chuvakin’s Twitter account focuses on cyber crimes and security issues.
Brian Krebs – @briankrebs
A former reporter for the Washington Post, Mr. Krebs won a PROSE Award in 2015 for his book Spam Nation. In addition to that award, he has won twelve other awards for his IT security blog www.krebsonsecurity.com. Mr. Krebs’s Twitter account discusses current InfoSec issues and the ongoing impact of security weaknesses.
Robert M. Lee – @RobertMLee
Named EnergySec’s 2015 Cyber Security Professional of the Year and one of Forbes’s “30 Under 30,” Mr. Lee earns a place as the youngest of the IT Experts. He served as a Cyber Warfare Operations Officer in the U.S. Air Force and writes for Control Engineering and The Christian Science Monitor’s Passcode. While pursuing his PhD at King’s College London, he continues to create a weekly technology and security comic with Jeff Haas called Little Bobby. Mr. Lee’s Twitter account gives insight into the infosec world and shares information that can help educate both experts and non-experts.
Joshua Corman – @joshcorman
Currently leading the Cyber Statecraft Initiative, Mr. Corman examines the overlap of national security, international relations, and public safety while trying to find ways to solve the problems of cyberspace. His previous work includes chief technology officer at Sonatype, director of security intelligence at Akamai Technologies, research director at The 451 Group, and principal security strategist at IBM. Mr. Corman’s Twitter account follows his speaking engagements, comments on current InfoSec issues, and includes a little humor.
Jeremiah Grossman – @jeremiahg
Founder of WhiteHat Security and currently chief of security strategy for SentinelOne, Mr. Grossman has been in the IT world since 1998. With his intense background, he has been featured by the Wall Street Journal, Forbes, and The New York Times as well as many other publications. Mr. Grossman’s Twitter account includes everything from jiu-jitsu to hacking video games and brings a career’s worth of experience to every 140 character post.
Jason Healey – @Jason_Healey
Currently a Senior Research Scholar in Cyber Conflict Studies at Columbia University, Mr. Healey’s resume stretches back to 1997 and his time working at the Pentagon. His publication credentials include news articles in The Atlantic as well as U.S. News & World Report. In addition, he has published two longer works: A Fierce Domain: Conflict in Cyberspace, 1986 to Today (2013) and Cyber Security Policy Guidebook (2012). Mr. Healey’s Twitter account is active with musings and commentary on shared items.
Andrew Jaquith – @arj
Although currently working in finance, Mr. Jaquith’s IT employment history places him as one of the top experts in the field. With a career stretching back to the late 1980s, Mr. Jaquith has proven himself to be one of the rare crossover experts who is equally successful wearing technological and business hats. Mr. Jaquith’s Twitter account focuses on general interest news as well as information security and is less active than some other accounts.
Dan Kaminsky – @dakami
Mr. Kaminsky may best be known for his work in finding a “skeleton key” in the Internet’s domain name system and is currently one of seven recovery key shareholders who can restore the power of the internet’s root DNS keys. Currently acting as the chief scientist at WhiteOps, Mr. Kaminsky’s Twitter account is active with current events and coder tips.
John Kindervag – @Kindervag
As the vice president and principal analyst serving security & risk professionals at Forrester, Mr. Kindervag brings his 25 years of experience to his writing and his work. Best known for creating the “Zero Trust” model of information security, he has presented extensively at security conferences and been interviewed by top news outlets such as The Wall Street Journal, The New York Times, Forbes, CNBC, PBS, and Bloomberg. Mr. Kindervag’s Twitter account shares stories about science, sports, hacking, and humor.
Troels Oerting – @TroelsOerting
Since 2012, Mr. Oerting has been the acting head of Europol’s Counter Terrorist and Financial Intelligence Centre and head of the European Cybercrime Centre. He is a member of the Board of Directors for Global Cyber Alliance and an Expert Member of Interpol’s Global Cybercrime Expert Group. In addition, he is the group chief information security officer for Barclays. Mr. Oerting’s Twitter account aggregates industry news from a variety of mainstream and non-mainstream websites with an international focus.
Bruce Schneier – @schneierblog
A legend in the field of computer security, Mr. Schneier needs no introduction. He has written several books on cryptology and information security. Some of his books were specific to cryptographers while his four later books were easily accessible to a broader audience. His blog Schneier on Security has been published since 2004 and he’s currently the chief technology officer of Resilient. Mr. Schneier’s Twitter account is an autofeed of his blog but worthwhile for its links to the articles.
Richard Stiennon – @stiennon
Mr. Stiennon has been a fixture in the IT community since the mid-1990s. He founded RustNet in 1994, one of the first ISPs in the Midwest. As the chief research analyst at IT-Harvest, he researched and reported on 1,451 IT security vendors. He has written three books, Surviving Cyberwar, UP and to the RIGHT, and There Will Be Cyberwar. Mr. Stiennon’s Twitter account is an excellent cross section of well-curated material affecting information security.
The IT Executives & Software Engineers
Ann Barron-DiCamillo – @annie_bdc
Prior to earning her Master of Science in Computer and Information Sciences, Ms. Barron-DiCamillo was a legislative aide as well as an application developer at The Motley Fool. Since then, she has distinguished herself through work in the public and private sectors. Most recently she served as Director of US-CERT at the Department of Homeland Security, where she led efforts to respond to incidents and analyze threats. She is currently advisor to the cyber security medical advisory board at St. Jude Medical and vice president of cyber threat intelligence and incident response at American Express. Ms. Barron-DiCamillo’s Twitter account is a good mixture of information security issues that affect or are affected by public and private issues.
Lesley Carhart – @hacks4pancakes
During her 5 years as a non-commissioned officer in charge of cyber transport for the US Air Force Reserve, Ms. Carhart also worked as security incident response team lead for Motorola. She specializes in digital forensics, with a background in tactical communications, radio, and Cisco networking. Ms. Carhart’s Twitter account shares observations as well as information from both mainstream and non-mainstream media.
Emili Evripidou – @Emil_i
Currently working for the Cooperative Central Bank in Cyprus, Ms. Evripidou previously worked as an information security manager at Deloitte. She has also worked at Ernst & Young as well as Accenture. While at Ernst & Young and Accenture, her specialties included banking and securities, insurance, and oil and gas. Ms. Evripidou’s Twitter account focuses on the economic and business side of information security.
Cecily Joseph – @CecilyJosephCR
Serving as Symantec’s vice president of corporate responsibility, Ms. Joseph has a law degree and 20 years of building programs in ethics and compliance. She served as an expert in residence and executive faculty at Presidio Graduate School from 2012-2013 and worked at Veritas Software Corporation from 1992 through 2005. Ms. Joseph’s Twitter account focuses on diversity and environmental issues impacting the technology world.
Kelly Lum – @aloria
Possibly one of the geekiest women on the list, Ms. Lum is currently a Security Engineer at Tumblr, the land of memes and fandoms. Her employment history includes work in fintech as well as military information security. She is also currently an adjunct professor at NYU Polytechnic School of Engineering teaching graduate programs. Ms. Lum’s Twitter account mixes personal, political, and professional tweets while keeping her posts light and fun.
Window Snyder – @window
Having spent 5 years at Apple working on iOS and OS X security, Ms. Snyder worked at Mozilla as a “Chief Security Something-or-Other.” Her current role is as chief security officer at Fastly. She also co-authored Threat Modeling, a manual for security architecture analysis software. Ms. Snyder’s Twitter account is selective in sharing and always interesting.
Parisa Tabriz – @laparisa
Calling herself the “Princess of Security,” Ms. Tabriz is currently the director of engineering at Google. She started as a security intern with Google in 2006 and has worked there for most of her career. She spent 2 years working at the United States Digital Service where she advised the Executive Office of the President on enhancing network security and helped assess the OCS project. Ms. Tabriz’s Twitter account shares articles that are relevant to the infosec community as well as Tweets she finds interesting.
Sandra Toms – @sandra001
Since 1998, Ms. Toms has been the VP and curator of the RSA Conference. After earning her juris doctorate and passing the bar exam, she went on to work at a law firm before moving on to Novell, Madge Networks, and Nortel Networks. Ms. Toms’s Twitter account focuses on information relevant to the RSA Conference.
Tony Arcieri – @bascule
In November 2016, Mr. Arcieri moved from Square to become a Software Engineer at Chain, an infrastructure tech company with a focus on financial asset transactions on permissioned blockchain networks. He previously worked as a software engineer for LivingSocial, Strobe, Inc., and Nagravision. Mr. Arcieri’s Twitter account shares insightful articles not just from mainstream infosec websites but also from bloggers that might not be found through traditional reading.
Caleb Barlow – @calebbarlow
As the vice president at IBM Security, Mr. Barlow is a leading voice in IBM’s new security headquarters and in completing the overhaul of the operations watch floor. He is an advisory board member for the United Nations Population Fund, a global social media campaign to spread awareness of population growth. Mr. Barlow’s Twitter account is an example of his appreciation for and use of social media.
Michael Coates – @_mwc
As the chief information security officer at Twitter, Mr. Coates is definitely a Twitter account to follow. In addition, he is the former chairman and current member of the global board of directors for OWASP. He is also one of the brains behind making Mozilla Firefox one of the most secure web browsers, having led the security assurance program from 2010-2013. Mr. Coates’ Twitter account is a destination for reading responses on Twitter from other InfoSec professionals who share experiences and ideas.
Cesar Cerrudo – @cesarcer
When IOActive Labs acquired Argeniss Consulting, Mr. Cerrudo followed the company he had founded. As CTO for IOActive Labs, he acts as the main liaison between IOActive and CERT. He leads cutting edge research on Industrial Control Systems/SCADA, Smart Cities, the Internet of Things and software and mobile device security. Mr. Cerrudo’s Twitter account focuses on his insights on the InfoSec issues facing the IT community as well as sharing content.
E.J. Hilbert – @ejhilbert
Currently the director of cyber security and privacy at PwC, Mr. Hilbert’s experience includes working with the FBI as well as being the director of security enforcement for MySpace.com. He led one of the FBI’s largest cyber-crime investigations and serves as an online undercover agent using social media sites and chatrooms. Mr. Hilbert’s Twitter account discusses his opinions on the societal impacts of hacking and includes general news items.
Alex Ionescu – @aionescu
With over 15 years of experience in Windows Internals and kernel programming, Mr. Ionescu also has 5 years’ experience in ARM Embedded Hardware and Kernel Development as part of the iOS team. Being able to cross over between platforms makes him an expert on the overall technology landscape. As the vice president of EDR strategy at CrowdStrike, Mr. Ionescu’s current work focuses on new security-related technologies, and he continues to offer OS internals support. Mr. Ionescu’s Twitter account focuses heavily on technical security discussions and his own ideas.
Adam Langley – @agl__
Mr. Langley is a Google employee who also hosts his own active blog about computer programming. His blog focuses on various issues surrounding cryptography. Mr. Langley’s Twitter account shares technical content about cryptology.
Avram Marius Gabriel – @securityshell
Mr. Gabriel has earned numerous honors over the course of his career. These include the PayPal Wall of Fame, Google Security Hall of Fame, Facebook White Hat, and Microsoft Security Researcher Acknowledgements. Mr. Gabriel’s Twitter account aggregates articles that expose security risks.
John Oberheide – @jonoberheide
As the founder and CTO of Duo Security, Mr. Oberheide is an expert executive in information safety. Duo Security is used by over 5,000 organizations including 3 of 5 top social networks to integrate dual authentication. Additionally, he holds a PhD from the University of Michigan. Mr. Oberheide’s Twitter account shares some Duo information but focuses on various information security insights.
Martin Roesch – @mroesch
After Mr. Roesch’s company Sourcefire was acquired by Cisco Systems in 2013, he was made vice president and chief architect of Cisco’s Security Business Group. He has developed products for GTE Internetworking, Stanford Telecommunications, Inc., and the US Department of Defense. News sources such as MSNBC, the Wall Street Journal, CNET, ZDNet, and Scientific American have interviewed him. Mr. Roesch’s Twitter account is active with discussions, retweets, and information shares.
Chris Valasek – @nudehaberdasher
Since September 2015, Mr. Valasek has been the security lead at Uber’s Advanced Technologies Center. Prior to this, he worked as the director of vehicle security research at IOActive, Inc, and as senior security research scientist for Coverity and Accuvant. In addition, Mr. Valasek published “Windows 8 Heap Internals” for Black Hat USA 2012. Mr. Valasek’s Twitter account is a combination of Pittsburgh sports and IT posts.
Lenny Zeltser – @lennyzeltser
With an undergraduate degree in Computer Science from the University of Pennsylvania and an MBA from MIT, Mr. Zeltser runs the gamut of technology and business education and experience. Currently the director of security solution management at NCR Corporation, he oversees product managers and engineers to provide customer satisfaction. He is also a SANS Institute Senior Faculty member as well as a member of the board of directors at SANS Institute. Mr. Zeltser’s Twitter account curates content unique to his perspective.
The Security Thought Leaders
John Bristowe – @JohnBristowe
Although currently a manager at Progress, Mr. Bristowe is well known within the InfoSec community, having presented at developer conferences and events. He has a variety of Microsoft certifications, and his specialties include software development, ecosystem strategy, technical product marketing, enterprise engagement, cloud strategy, enterprise architecture, and solution architecture. Mr. Bristowe’s Twitter account is an energetic account that cross-shares humor as well as useful articles.
Nicolas Brulez – @nicolasbrulez
At 15, Mr. Brulez began reverse engineering, and since then, he has become an expert in the field of malware. Working with Kaspersky Labs, he focuses on complex malware research and targeted attacks. His publications include “The ‘Madi’ Infostealers – a Detailed Analysis” and “Energetic Bear – Crouching Yeti.” Mr. Brulez’s Twitter account is a good cross section of retweets, marketing, and his own thoughts.
Luis Corrons – @Luis_Corrons
With 15 years of security experience, Mr. Corrons specializes in the malware field. His recent work as the technical director at PandaLabs focuses on malware research. He is also a member of the board of directors for Malicious URLs Tracking and Exchange (MUTE) and at the Anti-Malware Testing Standards Organization (AMTSO). His writing can be found at WildList.org. Mr. Corrons’s Twitter provides insight into the malware software industry.
Matthew Green – @matthew_d_green
After working in computer engineering for five years, Mr. Green returned to school and earned a PhD in Computer Science from Johns Hopkins University, where he is currently an assistant professor. He worked as CTO at Independent Security Evaluators for 6 years before joining academia to focus on teaching cryptology. Mr. Green’s Twitter account incorporates an academic’s viewpoint as well as humor and news articles.
Mikko Hypponen – @mikko
Another malware specialist, Mr. Hypponen is considered one of the top thinkers in the industry. He is on the advisory boards for T2 and The Lifeboat Foundation. His TED Talk from 2011 remains the most watched computer security talk on the Internet. Although not the most active account on the list, Mr. Hypponen’s Twitter account tends to incorporate Microsoft security jokes as well as useful articles and videos.
Eugene Kaspersky – @e_kaspersky
Chairman and CEO of Kaspersky Lab, Mr. Kaspersky has been in the information security industry for 27 years, first as an anti-virus researcher and then as a business person creating anti-virus software. He spent 6 years in Russia working with the KAMI Information Technology Center. Mr. Kaspersky’s Twitter account shares reviews and information relating to malware and cyber-safety from across the web.
Ryan Naraine – @ryanaraine
Another Kaspersky Lab team member, Mr. Naraine’s focus since 2013 has been on malware and IT security articles. He was a senior editor at eWEEK Magazine and continues to be a lead blogger at ZDNet. Currently, he heads the global research & analysis team at Kaspersky Lab. Mr. Naraine’s Twitter account shares and responds to news that impacts the IT security industry.
Peter Vreugdenhil – @WTFuzz
As co-founder of Exodus Intel, Mr. Vreugdenhil is a leader in both security analysis and security research. His publications include “Adobe Sandbox: When the Broker is Broken” and “Advanced browser exploitation.” Mr. Vreugdenhil’s Twitter account is professionally focused, sharing Exodus Intel blog articles as well as his own thoughts on IT.
The InfoSec Writers
Eleanor Dallaway – @InfosecEditor
Ms. Dallaway, who has worked at InfoSecurity Magazine since 2006, is currently the editor and publisher of the well-known InfoSec resource. She also writes for The Guardian on topics including creative data, the Internet of Things, and the public sector. Ms. Dallaway’s Twitter account shares information not just from her publication but from several others across the web.
Jen Ellis – @Infosecjen
Having worked her way up at Rapid7, Ms. Ellis has an impressive PR career there over the last six years. Her focus is on explaining risk exposure for consumers and organizations to help people protect themselves. To achieve this, she works with researchers to collaborate with legislators and industry to reduce risk. Ms. Ellis’s Twitter account is a mixture of current events and information security news.
Jennifer Leggio – @mediaphyter
Not only is Ms. Leggio a writer for Forbes.com and CBSInteractive/ZDNet, she also co-manages the Security Bloggers Network and has been running the Security Bloggers Meet-Up at RSA Conference since 2007. She currently works as the chief marketing officer for Flashpoint, a company that has expertise in both the deep web and the dark web. Ms. Leggio’s Twitter account discusses current events as well as InfoSec information relevant to the industry.
Neira Jones – @neirajones
From across the pond, Ms. Jones brings more than 20 years of experience to her writing and speaking engagements. Her focus is on financial technology. Tripwire and CEOWorld magazine both nominated her as a top influencer to follow on Twitter. Ms. Jones’s Twitter account focuses on financial services technologies.
Nicole Perlroth – @nicoleperlroth
Currently working on a cybersecurity book, This Is How They Tell Me The World Ends, for Penguin/Portfolio books, Ms. Perlroth is also a writer at The New York Times. Her 2014 Times profile of Brian Krebs, the well-known InfoSec blogger, has been optioned by Sony Pictures. Ms. Perlroth’s Twitter account focuses on accessible explanations of information security.
Bev Robb – @teksquisite
Having worked in IT since the mid-1990s, Ms. Robb currently spends her time focusing on writing about InfoSec. Not only was she media manager for Fortscale, but she was also the publication manager for Norse Corporation. She has experience researching the Darknet cybercriminal ecosystem. Ms. Robb’s Twitter shares information from sources she deems reputable that may not be found in mainstream media.
Runa Sandvik – @runasand
Director of information security at The New York Times, Ms. Sandvik teaches digital security to journalists and helps media organizations with their security posture. She is also a member of the Black Hat Europe Review Board. Ms. Sandvik’s Twitter account focuses primarily on New York Times news as well as other current events related to information security.
Michelle Schafer – @mschafer
Like a few others, Ms. Schafer’s specialty is public relations. Her deep knowledge and technical understanding of the security landscape give her insight into how to approach storylines and PR campaigns for IT and InfoSec companies. Ms. Schafer’s Twitter account shares news focusing on the business side of infosec.
Paul Asadoorian – @securityweekly
As founder and editor of Security Weekly, Mr. Asadoorian brings a hefty publishing resume with him. He’s published for SANS, Brown University, and GIAC. His career started in 2001 giving him 16 years of experience in IT and InfoSec. Consisting of written, audio, and video blog posts, Security Weekly provides multimedia opportunities to keep fans up to date even on the go. Mr. Asadoorian’s Twitter account is active and incorporates humor as well as informative posts.
Graham Cluley – @gcluley
Mr. Cluley’s experience in the IT community started in the early 1990s, giving him almost 20 years’ experience with security. Between 1999 and 2013, he wrote for the well-known website Naked Security. He has spoken at events and conferences around the world. Mr. Cluley’s Twitter is a great way to follow new blog postings as well as articles that he thinks would help his readers.
Jack Daniel – @jack_daniel
Currently on staff at Security BSides, Tenable Network Security, and Security Weekly, Mr. Daniel has earned the Microsoft MVP for Enterprise Security, CCSK, and Increasingly Reluctant CISSP. His specialties include network security, analysis and design, and cloud computing. Mr. Daniel’s Twitter account is an enjoyably irreverent list of musings about life, the universe, and infosec.
Dark Reading – @DarkReading
With a wide array of information available on its website, Dark Reading has long been considered one of the top InfoSec blogs that also provides community for those in the industry. This community includes not just thought leaders, but also CISOs, technology specialists, and security professionals. The Dark Reading Twitter account is a great way to follow the blog to get overviews of the articles posted.
Dan Goodin – @dangoodin001
As a writer for Ars Technica and Krebs on Security, Mr. Goodin has been writing about white-hat, grey-hat, and black-hat hacking since 2005. He has a journalism background and has worked for the Associated Press and The Register. Mr. Goodin’s Twitter account shares his thoughts, views, politics, and articles not written by him.
Troy Hunt – @troyhunt
As an author at Pluralsight, Mr. Hunt focuses on helping people obtain the education and information needed to be successful in the IT industry. As director at Superlative Enterprises, he maintains a career as a software consultant. In 2011 he was named Microsoft MVP of the Year, and he has also distinguished himself working for Pfizer. Mr. Hunt’s Twitter account is interactive and incorporates his ongoing activities as well as news bits.
Rob Lemos – @roblemos
Mr. Lemos’s writing resume starts in 2007 writing for ZDNet. In addition, he has worked with CNET, PC Magazine, Conde Nast, Symantec, MIT Technology Review, CXO Media, InfoWorld, Dark Reading, eWeek, and PCWorld.com. He has won 5 awards for his writing. His current specializations are network and computer security, cybercrime, cyberconflict, enterprise technology, and space science. Mr. Lemos’s Twitter account may not be very active, but what he curates is always unique and interesting.
Jim Marous – @JimMarous
As the owner and publisher at Digital Banking Report and co-publisher at The Financial Brand, Mr. Marous is considered one of the Top 5 Fintech Influencers to Follow. He has advised the White House on banking policy. CNBC, CNN, The Wall Street Journal, The New York Times, The Financial Times, and many other news outlets have featured him. Mr. Marous’s Twitter account focuses on Fintech but is also a great place to watch for shifts in the approach to technology and information.
Morgan Marquis-Boire – @headhntr
Mr. Marquis-Boire’s diverse background includes 6 years as senior security engineer at Google, serving as an advisor to Amnesty International, and being considered a Young Global Leader of the World Economic Forum. Currently, he serves as director of security for First Look Media. Mr. Marquis-Boire’s Twitter account incorporates politics, music, and infosec.
Thor Olavsrud – @ThorOlavsrud
Having worked in technology journalism since 2000, Mr. Olavsrud brings with him the experience to report on new technologies. He writes for an audience of CIOs and IT leaders focusing on the business applications of technology. Mr. Olavsrud’s Twitter account shares his articles as well as other articles that match his business-focused lens.
Graham Penrose – @GrahamPenrose2
Mr. Penrose’s international career in InfoSec has taken him from South Africa to London to Algeria to Oman. Currently, he’s a community member at Peerlyst, owner of TMG Corporate Services, and a blogger for AirGap Anonymity Collective. AirGap Anonymity Collective discusses international InfoSec issues, keeping up with regulatory and legal trends. Mr. Penrose’s Twitter account is active with discussions and responses as well as shared articles.
Jérôme Segura – @jeromesegura
In 2016, Mr. Segura published “Operation Fingerprint: A Look Into Several Angler Exploit Kit Malvertising Campaigns” on the Malwarebytes blog. In addition, his research focuses on web-based malware and fraud/cyber-crime. Mr. Segura’s Twitter account is technical and professional, sharing articles from Malwarebytes as well as other cryptology and cyber-crime focused articles.
Ashkan Soltani – @ashk4n
On the 2014 Pulitzer Prize winning team for his contributions to the Washington Post’s coverage of national security issues, Mr. Soltani is well known for his journalistic integrity. He has advised the FTC and the White House on security issues and currently acts as a litigation expert. Mr. Soltani’s Twitter account focuses on the importance of information security and civil liberties with a dash of popular culture thrown in for good measure.
Dave Whitelegg – @SecurityExpert
Founder and author at the IT Security Expert Blog, Mr. Whitelegg’s work has led to him appearing on UK national television and radio. In 2016, he took a position as Cyber Threat & Intelligence Manager at Capita, PLC, where he devises and operates their Cyber Threat Assessment, Cyber Risk Management and Threat Intelligence strategy. Mr. Whitelegg’s Twitter account shares stories from UK news outlets and gives international insight.
The Security Consultants
Christina Ayiotis – @christinayiotis
Currently a cybersecurity and information governance consultant, Ms. Ayiotis has a law degree and has used it to serve in various positions including director of knowledge management, global financial services industries at Deloitte Touche Tohmatsu. From 2008 to 2011, she served as deputy general counsel at CSC. In addition, she spent 7 years as adjunct faculty in George Washington University’s Department of Computer Science. Ms. Ayiotis’s Twitter account shares articles from a variety of sources, predominantly in the business sector.
Debra J. Farber – @privacyguru
After completing her law degree in 2005, Ms. Farber went on to begin her career as a privacy analyst where she contributed to Privacy & American Business, a privacy industry newsletter. Currently, she is the vice president of business development at NotSoSecure, co-founder/board member/chair of social media and PR committee/training development lead for Women in Security and Privacy, advisor at BigID, editorial board member of Cyber Security: A Peer-Reviewed Journal, founder and CEO at Stealth Mode Privacy Startup, Executive Faculty at IANS, and CIPT Exam Development Advisory Board Member. Ms. Farber’s Twitter account actively promotes information privacy as well as women in infosec.
Erin Jacobs – @SecBarbie
Founding partner at Urbane Security, Ms. Jacobs currently helps customers identify business goals and IT challenges to provide tailored solutions. She has 15 years of experience in the field and has presented at and won various awards within the InfoSec community. Ms. Jacobs’s Twitter account shares information about the infosec world as well as her experiences in that realm.
Shannon Leitz – @devsecops
With a background in development, security and operations, Ms. Leitz wanted to try to evoke change in the security industry. To do this, she founded the DevSecOps Foundation. Currently, she works at Intuit as the leader and director of DevSecOps focusing on cloud security. Ms. Leitz’s Twitter account focuses on news from DevSecOps as well as other professional publications.
Allison Miller – @selenakyle
Ms. Miller works on product strategy for security at Google. An expert in online security, fintech, and security analytics, she is program chair of the O’Reilly Security Conference, holds Board roles with ISC(2) and SIRA, and is a Trustee for the Center for Cyber Safety and Education. Ms. Miller’s Twitter account shares not just information security information but also bad puns, terrible math jokes, and fun tweets she finds interesting.
Jennifer Minella – @jjx
Ms. Minella’s long resume includes the (ISC)2 Board of Directors, contributing analyst for Securosis, faculty member at IANS, and VP of engineering at Carolina Advanced Digital, Inc. She has also authored Low Tech Hacking and ISC2 Official CISSP v9 Courseware. Ms. Minella’s Twitter account is a mixture of personal interests, personal insights, and information security issues.
Soraya Viloria Montes de Oca – @GeekChickUK
A self professed geekgrl, Ms. Montes de Oca is also the founder of Women in Security. She is a co-founder of Security B-Side London and has worked in IT since 1991. Ms. Montes de Oca’s Twitter account incorporates personal tweets as well as informational and insightful infosec shares.
Masha Sedova – @modMasha
Ms. Sedova’s work focuses on social engineering and the gamification of security awareness to drive employees to want to be secure. Although she has worked on vulnerability assessments, she focuses her efforts on employee awareness. Her specialties include digital forensics, security training, information assurance, systems and network security, and incident analysis and recovery. Ms. Sedova’s Twitter account focuses on the human element of the information technology space.
Georgia Weidman – @georgiaweidman
Ms. Weidman authored “Penetration Testing: A Hands-On Introduction to Hacking,” but she is also the founder and CEO of both Shevirah, Inc and Bulb Security, LLC. While Bulb Security, LLC is a traditional penetration testing company, Shevirah focuses on mobile devices. Ms. Weidman’s Twitter account focuses on information relevant to penetration testing and trends more toward technical information.
Magen Wu – @tottenkoph
Currently a senior consultant at Rapid7, Ms. Wu has worked in IT since 2008. Her experience includes working at Protiviti as well as being a test engineer at Xversity. She is PCI QSA certified, holds three degrees from St. Petersburg College and a Master’s Degree from Southern New Hampshire University. Ms. Wu’s Twitter account is a fun blend of infosec and personal insights that includes psychology articles as well.
Duane Baker – @DBaker007
Starting with his first job at Northwest Ohio Computer Association in 1981, Mr. Baker’s career is one of the longest ones on the list. Today, he is a self-employed IT consultant providing services to various organizations and companies in Ohio. Mr. Baker’s Twitter account actively shares insights and articles from across the web.
Dino Dai Zovi – @dinodaizovi
Co-founder and CTO of the new venture Capsule8 which provides Linux threat protection, Mr. Dai Zovi was previously the mobile security lead at Square and chief scientist at Endgame. He co-authored The iOS Hacker’s Handbook, The Mac Hacker’s Handbook, and The Art of Software Security Testing. Mr. Dai Zovi’s Twitter account talks about his experiences as well as news.
Dan Guido – @dguido
In 2012, Mr. Guido co-founded Trail of Bits, an information security firm that has clients ranging from Facebook to DARPA. Previously, he spent nearly 7 years teaching at the NYU Tandon School of Engineering during which time he also was a senior security consultant for iSEC Partners. Mr. Guido’s Twitter account is a good mix of memes, social issues, and information security concerns.
Brian Honan – @BrianHonan
Mr. Honan’s specialties include ISO 27001, InfoSec, security risk management and compliance, service level agreements and service level management, operational management, business continuity and disaster recovery, and information security incident response. He is a member of the advisory boards at DataGravity, CipherCloud, GiveADay, and the Europol Cybercrime Centre. His consulting firm BH Consulting has been providing services since 2004. Mr. Honan’s Twitter account has useful information about ID theft and legal issues around security.
Jesper Jurcenoks – @jesperjurcenoks
As senior product manager at Alert Logic, Mr. Jurcenoks leads vulnerability research for a cloud security company. In 2016 he won the Cybersecurity Excellence Award in Vulnerability Management. He is president of the Diablo Valley School, California’s oldest Sudbury School, and has also been chairperson of the board for NeighborhoodGuard.org. Mr. Jurcenoks’s Twitter account shares information security insights from across the web with his own input added.
Bill McCabe – @IoTRecruiting
With an extensive IT career history dating back to the mid-1990s, Mr. McCabe’s views bring with them the benefit of having been integral to InfoSec’s evolution. For the last 17 years, he has run his SoftNet Search Partners consulting firm, which matches InfoSec employees with companies that need them. Mr. McCabe’s Twitter account focuses on IoT and recruiting, bringing in a lot of useful information regarding InfoSec and IT trends.
Tarjei Mandt – @kernelpool
As the senior security researcher at Azimuth Security, Mr. Mandt works with another of the accounts suggested in this piece, John McDonald. His specialties are vulnerability research, exploit development, Windows and operating system internals, reverse engineering, malware and rootkits, low-level programming, and device driver development. Mr. Mandt’s Twitter account focuses on sharing articles of interest and retweeting other industry members.
Mark Dowd – @mdowd
During his tenure in information security, Mr. Dowd has helped remediate vulnerabilities in Sendmail, Microsoft Exchange, OpenSSH, Internet Explorer, Mozilla Firefox, Adobe Flash, Check Point VPN, and Microsoft’s SSL implementation. He is currently the director and founder of Azimuth Security, a firm that performs network security assessments, host security assessments, web application assessments, and software security assessments. Mr. Dowd’s Twitter account is a fun source of information and musings as well as updates on his speaking engagements.
Sean Metcalf – @PyroTek3
A Microsoft MVP and one of about 100 Microsoft Certified Masters in the world, Mr. Metcalf is founder and Principal Consultant of Trimarc Security, LLC. Mr. Metcalf performs Active Directory security research, the results of which he shares on ADSecurity.org as well as by presenting at security conferences across the U.S., including Black Hat, BSides, DEF CON, DerbyCon, and Shakacon. Mr. Metcalf’s Twitter account shares interesting and useful Microsoft platform security resources.
Shawn Moyer – @shawnmoyer
With a great sense of humor to accompany his experience as a founding partner for Atredis Partners consulting firm, Mr. Moyer is an example of entrepreneurship in the InfoSec realm. He is a ten-time speaker at the Black Hat briefings, and his research has been featured in the Washington Post, BusinessWeek, NPR, and The New York Times. Mr. Moyer’s Twitter account is a mix of InfoSec and popular culture musings.
Thomas H. Ptacek – @tqbf
With a strong sense of humor and several startup companies in his past, Mr. Ptacek recently announced his newest venture, Latacora, an IT security firm for small startups. Previously, he worked on a code-to-play game called Starfighter. Mr. Ptacek’s Twitter account is far less formal than many of the other consultants listed but brings with it a sense of insider knowledge.
Will Schroeder – @harmj0y
While at Veris Group, Mr. Schroeder has acted as a technical expert for the Department of Homeland Security’s National Cybersecurity Assessment and Technical Services (NCATS) program. His focus is offensive security, in which he holds both the OSCP and OSCE certifications. He has presented at ShmooCon, DEF CON, DerbyCon, Troopers, and several Security BSides conferences. Mr. Schroeder’s Twitter account links to his blog as well as to other lesser-known resources that give deeper insight into information security.
Dave Shackleford – @daveshackleford
Founder and principal consultant at Voodoo Security, Mr. Shackleford is also a senior instructor at the SANS Institute. He was lead faculty at IANS for 6 years prior to that, has worked with the Blue Heron Group, and is a VMware vExpert in virtualization security. Mr. Shackleford’s Twitter account keeps followers updated on his webinars and on news from the infosec community.
Matt Suiche – @msuiche
In 2009, Mr. Suiche was recognized as a Microsoft Most Valuable Professional for discovering security flaws in Microsoft Windows. In January 2016, he founded Comae Technologies, which provides incident response capabilities to law enforcement and enterprises for investigating and resolving cyber-attacks. Mr. Suiche’s Twitter account shares not only mainstream news but also industry blogs that may fall below the radar.
James Tarala – @isaudit
Unlike others on this list, Mr. Tarala focuses on audit. As principal consultant at Enclave Security, he specializes in using governance assessments and audit as tools to improve IT and overall business revenue. He is also a senior instructor at SANS Institute. Mr. Tarala’s Twitter account distinguishes itself by sharing audit information as well as general InfoSec articles.
Chris Wysopal – @WeldPond
With experience working with the hacker think tank The L0pht, Mr. Wysopal co-founded Veracode, which pioneered the use of automated static binary analysis to discover vulnerabilities in software. He was director of development at Symantec and is currently on the Black Hat Review Board. Mr. Wysopal’s Twitter account reaches nontraditional, noncorporate areas of the InfoSec community.
The Information Security Conferences
Women in Security & Privacy – @wisporg
While not strictly a conference, the Women in Security & Privacy (also known as WISP for short) organization is financially sponsored by Community Initiatives and works to help support and promote women in the InfoSec community. Moreover, the events page of the WISP’s website has events at conferences where women in infosec can meet to network or discuss diversity issues. The WISP Twitter account focuses on the work women in security and privacy do as well as places and meetings for them to network.
AppSec – @appsecusa
The software security conference is for developers, auditors, risk managers, technologists, and entrepreneurs. The money from AppSec goes to fund free, open source OWASP projects. The Official AppSecUSA Twitter account and the Official AppSecEU Twitter account provide updates about the conferences and links to panel videos afterward.
Black Hat – @BlackHatEvents
Black Hat is one of the most technical conferences. Throughout the event, it provides briefings and trainings, and it has a review board that advises on strategic direction. Black Hat appeals to security practitioners, security executives, business developers, venture capitalists, vendor companies, career seekers and recruiters, and academics over the age of 18. The Black Hat Twitter account shares resources on the latest malware and attack research.
BSides Series – @SecurityBSides
Security BSides is less a single conference than an overall community approach to meeting with other professionals in the industry. Unlike traditional conferences, BSides events can be either structured like a formal conference or unstructured. Unstructured events involve showing up, bringing ideas, and talking about them. The BSides Twitter account shares calls for papers, upcoming conference locations, and other important event information.
DEF CON – @defcon
DEF CON is the hacker conference to attend. Focused around hacking, this is the most technical of all the conferences. The conference is best for those who engage in penetration testing. Workshops from 2016 included Practical Android Application Exploitation and Pragmatic Cloud Security. The DEF CON Twitter account keeps followers updated about the annual event but also shares important information security articles.
HITB Security Conference – @hitbsecconf
Hack in the Box (HITB) Security Conference is an annual conference for security researchers. The events include two days of training and a two-day multi-track conference with technical talks. The conference also offers a Capture the Flag “Live Hacking” competition, a Developer Hackathon, and a CommSec Village and Technology Showcase area. The HITB Security Conference Twitter account focuses specifically on updates to the conference schedule, particularly speakers.
InfoSecurity Europe – @Infosecurity
InfoSecurity Europe has over 200 conference sessions, 360+ exhibitors, and various opportunities to earn CPE/CPD credits. 2016’s workshops ranged from CrowdStrike’s Adam Meyers presenting “Hand to Hand Combat with an Advanced Attacker: Identifying and Stopping the Breach” to LinkedIn’s CISO Cory Scott presenting “Next-Gen CISO: How to be a Successful Security Leader of the Future.” The InfoSecurity Europe Twitter account is an excellent source of updates and European infosec coverage.
InfoSec World Expo – @InfoSec_World
InfoSec World Expo is presented by the MIS Training Institute. The conference offers both lecture-style and hands-on pre-conference workshops. With titles like “How to Prepare For, Respond to, and Recover From a Security Incident” (lecture-style) and “Mainframe Security: Hands-On Audit and Compliance” (hands-on), InfoSec World Expo covers a broad range of security needs. In addition, it includes breakout groups for CISO leadership, cloud security, and risk management so that individuals working in these areas can network and share ideas. The InfoSec World Expo Twitter account keeps readers abreast of updates to the conference as well as important breaking news.
RSA Conference USA – @RSAConference
RSA Conference USA is the place to see and be seen in the InfoSec world. The keynote speakers range from industry stars such as Ed Skoudis, who teaches cyber-incident response classes, and Johannes Ullrich, founder of the Internet Storm Center, to celebrities like Seth Meyers and Neil deGrasse Tyson. Sessions are broken down into a series of tracks: analytics, intelligence, and response; application security and DevOps; C-suite view; cloud security and virtualization; cryptography; governance, risk, and compliance; hackers and threats; the human element; identity; law; mobile and IoT security; policy and government; privacy; professional development; protecting data and applied cryptography; security strategy; and technology infrastructure and operations. The RSA Conference USA Twitter account is an excellent source for industry professionals, giving updates on the conference as well as sharing important news items.
SANS Series – @SANSInstitute
SANS, the industry leader in information security education, provides training sessions across the country throughout the year. While some focus on a particular area of interest such as cyber threat intelligence or ICS security, others are more regionalized. The SANS Institute Twitter account covers not only the ongoing conferences but also links to the organization’s white papers and other information.
ShmooCon – @shmoocon
ShmooCon is the San Diego Comic-Con of the InfoSec conference world. With 1,460 tickets sold in three rounds, the conference sold out in 9.8 seconds. Unlike other conferences, ShmooCon incorporates papers such as “Can A Drunk Person Authenticate Using Brainwaves? #NotAlcoholicsJustResearchers.” Despite the irreverent nature, ShmooCon’s sponsors include CrowdStrike, Endgame, and SANS. The ShmooCon Twitter account shares news about the conference, and since tickets sell out quickly, it’s a good way to get a reminder for when they go on sale.
The H4x0rs
i0n1c – @i0n1c
i0n1c, aka Stefan Esser, is a German security researcher who in 2010 developed antid0te, a hardening project that brought ASLR to jailbroken iOS devices. In 2016, he released an app called System and Security Info, which detected whether a phone had been secretly jailbroken. The app was subsequently withdrawn from the App Store. Mr. Esser’s Twitter account is less resharing and more original content.
The Grugq – @thegrugq
A self-proclaimed security researcher who is known to penetrate systems, The Grugq has made a business of finding exploitable software flaws, arranging deals with exploit brokers, and selling the results to government agencies. His posts on Medium are insightful and well written. The Grugq’s Twitter account provides exactly the perspective and musings that one would expect from a hacker extraordinaire.
David Litchfield – @dlitchfield
In 2003, Mr. Litchfield was voted “Best Bug Hunter.” He has also written Oracle Forensics, The Oracle Hacker’s Handbook, The Database Hacker’s Handbook, and The Shellcoder’s Handbook. In January of 2017, he started working at Apple. Mr. Litchfield’s Twitter account is a mix of personal, information security, and humor.
Kevin Mitnick – @kevinmitnick
At one point in time one of the FBI’s most wanted hackers for hacking 40 major corporations, Mr. Mitnick has turned white hat and now gets paid to penetrate security systems. Major news outlets including CNN, CNBC, Al Jazeera, FOX News, CBC, BBC, and Radio Moscow are among those who seek his advice and insight on current technology events. His private security firm services AT&T, CBS, Dell, the FBI, FedEx, and Harvard among others. Mr. Mitnick’s Twitter account mixes thoughtful insights on the current state of security with irreverence.
0xcharlie – @0xcharlie
Charlie Miller, the real person behind 0xcharlie, has a history of iOS device hacking. Currently working as a security engineer at Uber, he was recently in the news for demonstrating the ability to remotely attack a car over the network. Mr. Miller’s Twitter account discusses hacking news with a focus on his own thoughts and insights.
pod2g – @pod2g
Pod2g, aka Cyril Cattiaux, currently lives in France and discovered several bootrom exploits. He has been part of both the Chronic Dev Team and the Dream Team. He is a legend for his hacking of iOS. pod2g’s Twitter account is quieter than some others but gives updates on JailbreakCon and other news in the hacker community.
iH8sn0w – @ih8sn0w
A younger hacker with a more active Twitter account, iH8sn0w is another iOS jailbreak hacker. iH8sn0w’s Twitter account provides insight into the underground Canadian infosec community with articles and retweets.
InfoSec Tidbits
Info Security Jerk – @infosecjerk
With a sarcastic tone, InfoSecJerk is irreverent and without a filter. This is not a professional sense of humor but the kind of humor that comes out after having beers after a long day of coding. Info Security Jerk’s Twitter account reads like Bart Simpson if he tweeted about InfoSec.
LiquidMatrix – @liquidmatrix
Considered one of the “blogs to follow,” LiquidMatrix also has an excellent sense of humor about itself. Mixing practical with entertaining, this is not just a great source for information but also a fun way to read about infosec issues on a lunchbreak. The LiquidMatrix Twitter not only links to its own articles but also provides an array of interesting items from other online sources.
Pwn All The Things – @pwnallthethings
Retweeted by some of the top InfoSec industry influencers, Pwn All The Things is an anonymous Twitter account that follows current events as well as information security. Although not humorous, The PwnAllTheThings Twitter account is timely, insightful, and active.
SwiftOnSecurity – @SwiftOnSecurity
For InfoSec humor, SecuriTay, aka SwiftonSecurity, has it all. Biting insight mixed with Taylor Swift lyrics and other popular culture references make this account fun as well as thought provoking. SwiftonSecurity’s Twitter account may be anonymous, but it is proof that not all things anonymous are bad.
The Regulatory Agencies and Standards Organizations
ISO – @isosecgen
The International Organization for Standardization has multiple Twitter accounts to follow. For self-proclaimed geek-friendly and informatively fun content, the official ISO Twitter is intended for the masses. For industry updates and news about information security issues, the Secretary-General of ISO tweets from conferences and meetings.
PCAOB – @PCAOB_News
The Public Company Accounting Oversight Board arose out of the Sarbanes-Oxley Act of 2002 to establish auditing standards for registered public accounting firms. The PCAOB Twitter keeps followers updated by sharing information about enforcement actions, updates, and conferences that discuss SOX.
PCI – @PCISSC
An industry body rather than a regulator, the PCI Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa, Inc. to create the PCI Data Security Standard (PCI DSS), which aims to ensure that cardholder data is appropriately handled by all merchants, banks, processors, hardware and software developers, and point-of-sale vendors. Focused on payment data, the PCI SSC Twitter shares tips, news items, and current payment data news.
AICPA – @AICPA
The American Institute for Certified Public Accountants, the AICPA, is the place to find information about audit reporting standards. For many IT companies, this means it’s a great source for SOC 1, 2, and 3 reporting information. The AICPA Twitter offers articles and updates for professionals. Meanwhile, the AICPA MediaRelations Twitter provides news articles to help keep the public informed.
Department of Health and Human Services Office for Civil Rights – @HHSOCR
With a lot of IT companies needing to be HIPAA compliant, the Department of Health and Human Services is the regulator to follow. More specifically, HHS’s Office for Civil Rights enforces the privacy regulations. The HHS OCR Twitter provides suggestions and updates that can help regulated organizations stay up-to-date on changes and innovations.
What did you think of our list? Anyone that we should consider including in one of our future lists?
Tips For Compliance Related Planning Project Management
“All things are created twice: first mentally, then physically. The key to creativity is to begin with the end in mind, with a vision and a blueprint of the desired result.” – Stephen Covey
In my last post, we covered the essentials of planning a compliance project. Simply put, a compliance project without a solid plan is not unlike a house without a solid foundation. No matter how much frill and filibuster you put into your project, sooner or later, the lack of a solid base will catch up with you, and you’ll end up with a lot of rubble and probably even more explaining to do.
Crossing the Line: Leaving the Relative Safety of the Planning Phase
When you cross that line from planning into the execution stage of your compliance project, you’re making a statement. You’re stating that you’re ready to embark on the journey, that you’ve got your resources lined up, and a solid plan to get to the finish line. Move to execution too early, and you risk failure. Move too late and you risk budget overages, milestone delays, and resource loss. Crossing into the green light of “all systems go” is a career move, and the success of your compliance project hinges on this decision.
When you move your project from planning to execution, there’s not always a clear demarcation point. I suppose, in the ‘eating the elephant’ scenario we visited in my last post, this might be when you stop scratching your plans into the dirt, and take off running after the elephant. In the review of an anti-money laundering (AML) compliance program, for example, this would be when you shift your focus from confirming resources and determining the review’s scope and objectives to deploying your resources. At this point, you would be progressing into activities like assessing the adequacy and effectiveness of ongoing AML training programs and the existence and maintenance of AML compliance policies and procedures.
At this point though, whether you’re chasing an elephant, building a house, or crossing the line into your compliance project’s execution stage, you’ll want to have confidence in your project plan and a set of steps designed and ready for when contingencies, at least the most likely ones, emerge. For example, how will you adjust your project if you lose a key resource to another company initiative or, worse, to turnover? What will you do if you find that the data you’ve received through the company’s reporting tools is inadequate for the testing you have designed?
Communicate – After All, You’re All in This Together
Communication is key here. What I’ve found most effective, on my projects, is to have a project kickoff meeting with your project team, review the results of your planning process, and devise the best way to announce these details to your project audience. This project team meeting, in a worst-case scenario, might result in identifying a dropped ball, or some risk that has not yet been mitigated. In a best-case scenario, though, you’ll be streamlining the entirety of your planning process into an executive-level announcement that communicates the project’s scope, timeline, and team in a way that captures all the expertise, diligence, and thought you have invested into the project.
This announcement officially introduces your compliance project to your organization and extends beyond the people who you contacted in planning your project. It’s also another small win, indicating that your project is progressing. Whether it comes in the form of a letter sent by email, or a slide deck shown in an opening meeting, this announcement should include:
- PROJECT NAME: The name of your compliance project acts as a sort of brand. When you use the name of your project in your communications, people will associate the project and its goal with you and the project team. Its success becomes your success.
- TEAM DETAILS: Identify the team assigned to your project. For smaller projects, this can mean identifying one person who oversees the entire project. Announcements for larger projects may also include the entire team, or just second-level team members assigned to the project’s key parts.
- PROJECT TIMELINE: Every project needs an end date. When will you be out of their hair? Include a quick sentence or two telling your audience when they can expect the project to be complete, and when they will see the results. Include other important dates, as they pertain to your project.
When the Rubber Meets the Road – Doing the Project
Throughout the execution phase, you’ll be doing the project. Maybe that means analyzing transactions for potential noncompliance events, testing red flags identified through that analysis, interviewing compliance process stakeholders, all three, or something else entirely. In the review of an AML compliance program, for example, you would be assessing the adequacy of the company’s compliance policies and procedures, the existence and effectiveness of the risk-based customer identification program, and procedures around SAR filings, among other control activities and elements. Whatever the requirements for your project, there are common components that any well-managed compliance project will have:
- Project Tracking (External) – If you’re going to spend time on the aesthetics of your compliance project reporting, this is a good place to start. This tracking will report progress to your stakeholders, on the status of project deliverables, and budget-to-actual comparisons related to time and money invested in your project. When you are deciding which KPIs to include in your project management reporting, there are standard KPIs, applying to almost all kinds of projects that you should consider. These include variance reporting around costs, resources, and scheduling, reporting around deliverables achieved and overdue, and the percentage of budgeted time/cost invested to date.
- Project Reporting (Internal) – Internal project reporting should be easy to follow, and should flow naturally into the deliverables identified in your external reporting. Internal reporting tends to be more detailed than external reporting, and often is built of sub-deliverables that link directly to the deliverables included in your external reporting. For example, if you are reporting a list of overdue deliverables to your external reporting recipients, the internal reporting team may want to see that list broken out into an aging of those tasks or a listing of the teams responsible for each.
- Project Issues Tracker – What’s not going so well? Is there functionality that can’t be implemented? Did the testing for a potential noncompliance item fail? Did someone notice a bug in your automation of a compliance report? Keep a list of these issues as they come up, and prioritize which ones need to be fixed ASAP, and which can remain pending until your compliance project is delivered.
- Regular meetings to review status and findings – All the planning in the world won’t help your compliance project succeed if you don’t provide regular updates to your stakeholders. With the milestones and budgets you created during your planning phase, you can now provide status updates showing progress against these targets, and show completion of the smaller subtasks you’ve detailed on your project plan. This is where your small wins will really shine.
There’s a lot of variety in the nature of the compliance projects we come across during our careers. Because this post provides guidance that can be applied to almost all projects, regardless of style or scope, the best practices for executing a specific compliance project will take many forms. There is one theme, however, that emerges in the list of ‘must haves’ for any compliance project: the need to develop and retain evidence showing that a project’s actual work was executed, and that it was executed well. The form that evidence takes depends on your project and the type of work it required. Most compliance projects require at the very least these execution components:
- Testing – Did your execution phase include some testing, to show client acceptance of your project, that the functionality of your new system will work as you planned it would, or that you made the best effort possible to scan a list of transactions for compliance? With testing, it’s important to include key details such as: what was tested, how the items tested were selected (sampling methodology), what was the source of your testing documentation, what were the results, and what do they mean (conclusion).
- Interviews – Who was interviewed, when, and what did they say? What were the findings coming out of these discussions, and what is the conclusion?
- Data Analysis – Did you analyze the entire population? If you used samples, how were those selected? What were the dates included in testing? What were the findings, and how do you conclude on these?
Whether the objective of your compliance project is to improve PCI compliance, enhance your AML program’s KYC procedures, or something else entirely, you’ll need solid execution built on strong planning to get there. In the end, though, as Dr. Covey said, if you design your execution stage well, and all activities play a role in the end you seek to accomplish, you’ll be at much lower risk of wasting valuable time and resources on deliverables that have no purpose. Project execution will flow much more smoothly, and you’ll have the tools developed and available to help keep you on time and within budget. And, with a project progressing smoothly and on schedule, you, your project team, and your stakeholders will all rest easier, knowing that your project will deliver its goals effectively, efficiently, and on time.
Check back soon for the third and final installment in the Project Management series, when we will discuss strategies for successfully closing a project.