During Episode 16 of The Risk Science Podcast the gang chatted about the forthcoming 2014 edition of SIRACon (get your tickets now!). In conversation about the two great keynotes lined up for SIRACon the concept of a “superheroes of risk” panel was discussed. I loved the conversation but the topic causes me to channel a bit of “spicy Jay Jacobs.” The vast majority of individuals I’ve encountered in the infosec field have little to no awareness of the evolution towards data-driven security risk management happening among the more superhero-populated sectors. This mass of firewall administrators, line managers, scanner tool workers, engineers, and analysts does not need hagiography but concrete examples and discussions of how folks are actually performing boots-on-the-ground risk management in actual enterprise environments.
I’m more susceptible to starry-eyed fanaticism than many. I’ll confess to regular experiences of awe listening to the gang from the Data Driven Security and Risk Science podcasts, or reading the works of Adam Shostack, Jack Jones, Doug Hubbard, Lance Hayden, and many more than I could possibly name here. My shelves are full of great works that have been influential not only in the field but to me at a very personal level. It is with the greatest respect and affection that I am looking for individuals who are not at the recognized and rather fickle level of thought leader to provide guidance as to how they are working to safeguard their organizations and provide value in the daily work they perform. As I’ve opined before
It’s with this in mind that I’m making a branding change here on this blog. I’ve rebranded this blog as Sisyphus’s Stone, representative of the never-ending uphill journey on which I have found myself. This cycle of learning, application, and refinement of practice, only to be inevitably followed by a rediscovery of ignorance before starting the whole cycle over again, has been a constant theme in my career. While I enjoy the journey, it’s through the discussion of the wonders (and horrors) of these travels and imparting some hopefully easier paths on this never-ending road to enlightenment that I hope to provide some small value to the community.
I am no statistician, but I’ll cover my efforts to bring data models to risk management. I am no programmer, but I’ll share (hopefully working) code and algorithms that I’ve used to perform and inform work in my organization. I am no guru, but I do enjoy building and will share much of what I and my team create in the hopes of providing work that others can build upon. At the very least, these will be cautionary tales of what not to do!
Stay tuned, true believers. The future is looking awesome!