Introducing the SecOps — InfoSec Army initiative
It gives me great pleasure to make this announcement today. All my life I have been an idealist. There is no point in denying it. Ever since I can remember, I’ve been either actively working on or supporting projects, ideas, and concepts that could in some way improve our lives or bring advantages to us all. Do you believe an idea can change the world? Well, I do. And it’s finally our time.
Of course, due to my area of expertise, most of these initiatives have been in the field of information security. Throughout my career I have, for some reason, always seen things differently from most other professionals. I clearly remember, back in 1997, explaining to clients the importance of paying attention to people issues when implementing information security in their organizations, when everybody else was offering tools such as firewalls as the magic saviors from the bad hackers.
I also remember 2002, when the market was pushing even more security tools and solutions, and me nagging like an old lady: PEOPLE > PROCESS > TECHNOLOGY. However, to be fair, most of these views are the result of experiences I have had along the way. There were several, but I'll tell a short one to illustrate what I'm trying to say here. I'm a native of Curitiba, one of the most beautiful cities in Brazil, known for its top-notch public transportation and the futuristic urban solutions implemented there since back in the 90's. I was just a young IT guy with a great interest in information security when a good friend of mine told me this story about a problem a bus company was having with the new type of buses they were launching. Instead of picking people up from the normal bus stop we all know, the new models would pick passengers up from a "giant tube bus stop", and with that came a problem: aligning the bus door with the door of the tube station.
Immediately engineers and technicians started coming up with solutions, such as laser sensors on the bus doors and station doors that would light a lamp on the driver's panel to show the right position, or electronic sensors in the street that would detect the bus's presence and open the doors automatically when the bus was in the right position. However, all those solutions, while pretty cool and innovative, would greatly increase the total cost of the project. That was when someone thought about asking some of the drivers about this issue and listening to some of their insights about it. One of the drivers, after hearing the long, technical explanation from the engineers, said: "Well, that's pretty cool, but why not just measure the distance between the station doors and the front of the bus, then paint a strip on the floor, so I can align to it when I stop the bus in the station?" Total silence and "Oh my god" faces.
That story (and many others I've come across throughout my life) changed forever my way of seeing things. Don't get me wrong, I think technology is cool. Not just cool, it's awesome, but it is not the answer to everything, and it must be accompanied by true humility and a genuine willingness to hear the people involved in the matter. Even the doorman may have an input that the PhD specialist, due to the complexity of their mind and thoughts, is sometimes not able to see. Also, as I learned from many years of dealing with smart and intelligent people, it is very hard to deal with egos and personal interests. The latter leads us to another problem I have always seen in the information security market: the lack of impartiality.
It's no use. It's part of the game. Almost every company on earth, for several reasons, sometimes commercial ones, sometimes passionate ones, tends to develop some degree of preference for a specific tool or a specific vendor. And if you ask them, they will defend their choice with blood in their eyes. On the other side we have the clients, almost hostages in a "war" between service providers, each one trying to convince them that their solution is the better one. How can the client, who has several other issues to deal with, make an informed decision about the best tool for his problem? Or, as experience taught me, does he even need a tool for it? Maybe he could solve the problem by modifying his internal processes somehow? But you see, the information security company is doing nothing wrong; they are defending their product or their solution. However, they lack the impartiality required to truly and fairly point out a solution. This is something that always bothered me. Always.
Another problem I regularly saw in the market was the waste of professional talent. Companies in general do not hire independent professionals to deal with a big project, for good reasons. They need to make sure they're being served by a liable and solid provider that is capable of taking responsibility for any problems that may come up during the project. High-profile professionals who have already built a reputation can circumvent this, but they fall into another problem: the simple logic that if I have only one guy doing the job I need, what happens if this guy for some reason vanishes from the world? He is not immortal. What if he has an accident and is in a coma for several months? Those problems create an environment where security companies fulfill an important need of the market. However, this reduces the use we make of these individual talents. Note that these talents, at other times, out of necessity or by their own decision, are working in regular jobs at companies all over the world. But wouldn't it be nice if we could allocate, let's say, two or four hours per day of a top infosec expert, who is well employed on the security team of a bank for example, to a specific project? This would bring more value for the hiring organization, and an opportunity for the professional, who could make some extra money. But not only for him.
So you are a CEO, or some management professional at a big information security company. Tell me the truth. How high is the allocation percentage of your team? Are you able to keep, what, 60%, maybe 70% of your employees' available hours in use? Chances are you're working in one of two scenarios. You are paying overtime to your workers because 1) you are having a hard time finding them, and 2) if you hire too many, you'll end up in the other scenario a lot of companies operate in: being obligated to raise the cost of your billable hours to overcompensate for the idle time of your team, as they are unable to allocate 100% of their employees' time to projects. Either way, this is not the optimal scenario. I know. Been there, done that. But wouldn't it be nice if we had a better way of doing this? A way that we could optimize the use of our team and reduce our losses from idle hours?
Well, another big problem, especially for large companies, is big information security implementations. You see, it is almost standard all over the world: big centers are the ones that attract the most skilled professionals. I think maybe 95% of the big information security companies are located in big cities or big centers. So when there's a big project for a client with offices or installations in a lot of cities all over the country, or all over the world, you can be absolutely sure the transportation and lodging costs will be a substantial part of the total cost of the project. But what if we could use the hundreds of individual professionals residing in these locations, or the small companies already working in those places? It looks cool, but it is a rather herculean task for an individual security company to have all the connections, contracts and related processes to manage an operation like that on top of their other affairs.
Well, I could go on and on with a lot of other issues, but the main point here is that we're doing what we can on information security matters, but we're not doing enough. We can do better. We can be more than this. How? Oh, I thought you would never ask.
Introducing the SecOps — InfoSec Army
The SecOps — InfoSec Army is a global initiative that aims to unify, in a single fully integrated ecosystem, all the human resources available in the area of information security: independent professionals, security firms, IT companies and even development enterprises, from the junior professional to the most renowned specialist. They are allocated to projects according to the need and budget available and coordinated in a centralized manner, offering a unique solution, 100% customized to the peculiarities of each company or organization. The most varied competences in the area of information security, allocated on demand, in a dynamic and optimized manner, for clients all over the world.
It's an opportunity for all sides of the market chain, as it provides benefits for all of them. If you're a client (Hi, how are you doing today, nice to see you here, my name is AJ, may I… Oops, sorry, strong habits) you can benefit from the initiative's unique capacity to execute projects 100% focused on and custom tailored to your individual needs. You'll also be able to make use of our ability to assemble a unique set of talents according to the specific needs of each project. By allocating analysts with extensive experience to define strategies or design the solution, and local professionals near the customer's geographic location to the operational tasks, our initiative will be able to optimize the total cost of a project and maximize the quality of the delivery in an unparalleled way.
However, if you are a professional working solo, you can, according to your own needs or willingness, bring in potential clients and projects that you normally could not handle by yourself, or for which you need our unique advantages and expertise to help you provide a better service to your client. As an associated professional, even if you are well employed, you can make some extra money on your own time by making yourself available for the time you wish to dedicate or can spare. And as you, the CEO or owner of an information security company, have already guessed, your company can join the SecOps — InfoSec Army and be allocated to projects where your expertise is needed, or just allocate your employees' idle time to our projects, ultimately maximizing the use of your human resources. One important detail here: there are no employees. We are all literally partners; that's why this is an initiative rather than a company. The plan is that every single information security professional on the planet will own a piece of it.
Remember we talked about impartiality? For that reason the SecOps — InfoSec Army will never have any direct relationship with manufacturers or suppliers of market solutions, so that we are able to evaluate projects with full independence and impartiality and then allocate the associated companies and professionals who specialize in any specific solution, when we deem it appropriate based on the premises of the project and the needs of the customer.
So you're saying that you are going to unite and coordinate all the human resources and information security companies all over the world, providing a new concept that can potentially maximize the excellence of the offerings in the global information security market? Is that even possible? Well, to quote a good friend of mine: "I never ask that question until after I've done it".
But you're missing the point here. I'm not doing anything. We are doing it! We, all the information security professionals and enthusiasts. SecOps — InfoSec Army is an international, worldwide initiative to create something better that can bring benefits to us all: both clients and providers, workers and owners, beginners and specialists.
Of course, we have made a lot of effort over the last months implementing extremely controlled processes, tools and artifacts that enable us to maintain one of our most important values: excellence. Providing extremely high-quality services is not a need for us, it's a must. Our operations were designed from the ground up to become a synonym for high added value with optimized international standards all over the globe. By the way, if you are an information security professional, extensively experienced in project management and international security standards, we'll certainly have a need for your services very soon.
Cool, but what about that story about the bus company you told earlier in this text? Well, my friend, that's because this is another main value this initiative is born with: the "think outside the box" concept. The notion that it doesn't matter if you are the "bad ass super smart information security analyst", you'll only benefit from hearing the insights other people may have. It's almost arrogant to think that a person who spends two weeks, or even a few months, on a project will have a better understanding and knowledge of a given company's processes or particularities than a guy who has worked there for the last 20 years! Sure, you know a lot about information security, but you can come up with a non-technical and much less expensive solution just by combining your knowledge about information security with his knowledge about his own company. I've participated in projects all over the world where millions of dollars were saved just by getting out of the technical comfort zone and into practical and viable solutions. Pragmatism is something every professional in the world should have. The name of this initiative comes exactly from a concept that advocates the need for unparalleled and seamless communication between ALL the people involved in the information security matters of an organization, and that means everybody. From the janitor to the CEO, everyone can contribute to raising the levels of security and increasing the maturity and adoption of the matter, consequently reducing the potential risks and optimizing the handling of this subject inside a company.
But that doesn't happen by magic. It needs hard work and dedicated, passionate professionals with an understanding of important concepts that many companies still do not fully comprehend, or absolutely cannot implement due to the inherent limitations of the business models we have available today. The SecOps — InfoSec Army initiative comes to change this reality. It will bring the power of a crowd-based foundation, along with the concepts and benefits brought by disruptive innovation. You are doing great. We are doing our best. But together we can do better. Much better. We can achieve the insanely awesome!
Learn more about our vision at https://secops-isa.org. Follow us on Twitter, Facebook and LinkedIn to keep up with our initiative's progress, developments and growth. Also, don't miss our operations kick-off, live from Campus Party Brasil in São Paulo on February 2nd, 2018.
Join us in the revolution.