Social Skills For Information Security Professionals: On Credibility, Awareness and Business

Align strategy with business stakeholders first

Who’s actually responsible for investments in security?

Security issues don’t pop up out of nowhere. Code, product, infrastructure and business quality is always the responsibility of a human being. So why don’t we treat it as such? Why do we always seem to obsess about technology rather than going after the root cause, which happens to be the people?

However, when I talk about the “responsible person”, I rarely mean the software engineer who writes the code, but rather the company’s management layer, because it’s up to business leaders to decide on all investments, including how much time employees are allowed to devote to security and quality in their day-to-day work. If software engineers are expected to produce inhuman amounts of code, they cannot afford to focus on security best practices. Managers who reward software engineers based only on the number of features produced are the ones truly responsible for insecure products.

Just ten years ago I used to religiously believe that the responsibility for insecure code is all on programmers. After many years of working with businesses all over the world, I’ve learnt that my perception couldn’t have been more wrong.

It rarely happens that engineers don’t want to build high-quality products, but at the end of the day, what they want and what they’re expected to do may be two completely different things.
Most software engineers I’ve met were actually very interested in concepts related to application security, infrastructure security and the whole hacking theater. It’s fancy, it’s all over the place, people want to be a part of it, but their fantastic attitude doesn’t matter if we keep blocking them from joining the tribe.


The challenge is that, more often than not, middle management isn’t held responsible enough for product safety. They’re usually rewarded just for shipping a feature-rich, functional product on time, and the ‘security thing’ is somewhere at the bottom of the software release checklist.

It’s also up to the executives how much time and money they invest in employee education. If you expect your employees to learn about security in their personal time, that’s called being delusional, not visionary. If a software engineer wants to spend time after hours learning something, they’ll most likely look into some new programming library or framework rather than stress about complex concepts such as application security, which they have had unfriendly experiences with at work.


It all goes top to bottom: the culture and tone set by execs are a real thing

There is a long and rough path ahead of us before secure software engineering is considered part of basic quality assurance. It takes a lot of time and effort to make everyone conscious of the potential consequences of security negligence, which means the earlier you start educating them, the better.

If execs don’t incentivize middle management to keep an eye on security, then middle management won’t incentivize software engineers to write code securely. If you don’t start from the top of an organization’s hierarchy, you’ll have a hard time succeeding with your security initiatives.

Engineers, like most other human beings, generally don’t like to step out and do things their managers don’t want them to spend time on. And that’s for a good reason. In a healthy corporate culture, you want engineers who trust their leaders and focus on bringing value to the organisation. You want people who don’t raise a riot against policies set by business leaders unless they have good reasons to do so. Many, many people work in IT just to provide for their families, so being anxious that not all of them are questioning the status quo is just ludicrous. Let others live the lives they want to live, because it’s not for any of us to judge anyone else. If you want something to change, then focus all your energy on helping yourself drive that change, rather than oppressing people to follow your lead. If you start something that’s worthwhile and sensible, I promise you that there will be people willing to follow.

So if you notice someone stepping up to raise software engineering standards, you can’t miss such a rare opportunity to convert it into a long-term partnership. Show your appreciation on the spot, because if someone is risking something for you, you had better watch their back.

If you want to push people a bit so they leave their comfort zones, you must be very clear about your expectations and also provide them with some incentives. It doesn’t need to be tangible; just make sure you express your appreciation for an employee going the extra mile and paying attention to code quality. If you want to create a tribe that follows your lead and steps up, then you need to decrease the discomfort as much as possible. Essentially, you must make people comfortable in the discomfort they’re about to experience. You achieve that by making them (feel) safe with your leadership.


I’m telling you all this because I’ve seen a handful of my friends burn out. They had no support from the TOP, so they tried to take the lead alone and incompetently enforce their narrative on regular employees, which then led to a toxic atmosphere, a very aggressive tone and broken relationships. So be careful, because no matter how big your mission is, office politics apply to every single one of us.


Set common goals with management and executives

Senior management must be advocates of a healthy security culture; otherwise it’s a Sisyphean task to do everything from the bottom up. Without healthy leadership from the executive team, it’s very hard to achieve tangible security improvements without huge costs and without compromising the quality of your personal life.

So before you start bothering engineers with your requests, make sure you have official support from the executives, because engineers need clear and coherent guidance coming from the top. Don’t confuse them more than they already are by their other duties.

A good way to make your security program effective is to learn as much as you can about the high-level business objectives of your company and about the points of focus for the people in management roles. Understand their perspective and gain leverage.
It’s hard and dangerous to give you generic recommendations, because each organization and each executive is different. It’s in your hands to learn and feel how to approach them on an individual basis.


Settle the question of authority as early as possible

Security is an executive-level issue, so it would be really useful if you were in a position to influence all stakeholders in the organization. You shouldn’t be wasting your time on back-and-forth discussions about why something must be done, or why it must be done one way or another. In a healthy corporate culture it would be enough if you simply had a security role, and everyone would follow your lead from day one on a credit of trust. But such organisations don’t really exist. Every single organisation is dysfunctional to some extent, and sometimes you’ll face people whom you cannot lead as a servant-leader, and you’re forced to use your authority in order to execute.
I’ve seen it many times that a security professional had great intentions, attitude and leadership skills but couldn’t complete their tasks, because there is always that one person in a company whom you must approach differently.

It’s the CEO’s job to create a culture where every employee trusts new coworkers and treats them with respect and a friendly attitude. Executives should make it clear to middle management that you are a serious business stakeholder, no different from any one of them, and that they should respect your guidance.

If managers are only penalized and rewarded for shipping a working product on time, they won’t want to invest in security, which in most organisations almost always slows down the software development process to some extent. So execs must make it clear that product security is a part of quality and should be treated as a regular, acceptable software development cost.

Thanks to that, you may not need to waste time arguing with people about why their teams need to invest in security and all that stuff. You should be able to focus on effective execution rather than on discussions caused by a dysfunctional corporate culture and a lack of proper communication. Being at the bottom of the organization chart, you’ll likely have a hard time working with non-security-savvy management who have no interest in focusing on security. That’s how business works: if there are no incentives, then why would anyone want to listen to you, especially when you’re a fresh hire?


Deciding on those bureaucratic matters early can save you a lot of anxiety and frustration. I realize that plenty of us want to act like big boys and girls who can obviously handle everything without anyone having their back, but that isn’t smart. The cost of maintaining your ego really isn’t worth all the bad consequences that may come if you push too hard.
By consequences I mean not only a toxic corporate atmosphere but also your professional burnout and the health issues that may arise when you’re too stressed and anxious for long periods of time.

With power comes great responsibility, so always aim to be empathetic towards your people and don’t fall into the trap of taking advantage of your authority just because you can. Use this leverage only in exceptional situations, when you’ve tried everything else and it has failed.
You want to be in power, but you should hope that you will never face a situation in which you need to use it.

Build credibility and learn the language of business

Stay away from spreading confusion and FUD

Credibility is something you ought to be building from day one of your career and tending until the very last day, when you say the final goodbye. What I’m trying to say here is that the way you do things really matters. We’re often so goal-focused that we don’t pay much attention to the byproducts of our actions. Sometimes those byproducts bite back in the future.
Even if you achieved the expected outcome, you must consider whether you used the best tools for the job: did you persuade people to do something thanks to your leadership status, or did you spread fear, uncertainty and doubt (FUD)? If the latter, you may expect it to haunt you in the future.

If you’re a renowned expert in your field, you still must remain humble. You still need to build your internal reputation from the ground up by working nicely with people in your organization. Your coworkers expect you to comply with their code and aren’t easily impressed by your status outside of the company. So if you’re a rockstar, that’s perfect, and you should leverage it to make your life easier; however, you should be aware of its shortcomings.
I’ve seen plenty of folks who ended up disappointed because they believed that everyone would know their reputation and that they’d be treated differently because of their prior achievements. And when we think we’re THE ONES, we tend to forget about the need to play nicely with others. No matter what your perception of yourself is, I promise you that others see it completely differently.

Learning how to weigh your words, so that people understand your intentions well, will ease a lot of interactions. The security field is very special, because we often tend to be the ones who worry more than managers and executives do, since they simply don’t realize the true nature of security risks. However, if you complain too often, people may start labeling you as a frustrated person who doesn’t understand that business is an art of tradeoffs. They may become afraid that all you care about is building a fortress and slowing down business growth.
We have our reasons, but our good motives don’t matter much if others don’t know about them. You must work out relationships in which people understand that you’re trying to help them do their work safely, that you’re the enabler and troubleshooter, not the troublemaker.

So you really want to be perceived by business people and other coworkers as someone who has it all under control. When discussing severe security issues you’ve discovered, you must be careful that your language and tone aren’t unclear, negative or overwhelming. As an InfoSec pro myself, I know why you’re using certain jargon, but everyone outside of our little echo chamber has no idea what’s going on. Don’t be too simple in your speech; just be impossible to misunderstand.

While it may sound counter-intuitive, sometimes it actually makes sense to slightly downplay the issue you’re reporting, so that they accept it without anxiety and you can make progress. Small progress always trumps no progress, and good now is better than ideal never.

Because of the negative tone we have set for all things security in the past few decades, people overreact when your tone is even a little aggressive. Security folks who too passionately want to secure the companies they work for often don’t comply with the corporate communication code. Overreaction may ultimately lead to them ignoring you, which is one of the biggest challenges to overcome after the damage has been done.

The most practical advice I can give you is that we must learn how to adapt at a fast pace. Yes, it does mean that you won’t get as much technical work done at the beginning, but building credibility and foundations really pays off in the long run, because once you’ve built credibility as a “smart security leader who knows business and risk management and knows how to work with people”, you can progressively start expressing your thoughts in more depth.
So be careful about all that, and once you’ve figured it out for yourself, stick to it. Different things work for different people and organisations, so keep doing what works for you. You do you; keep that in mind through the whole book, and life actually. If being passionate and verbose works for you and everything is good, then I’m happy for you! Keep doing what you’re doing, but revisit often so you don’t fall into the trap of being too romantic about your past approach. Effectiveness and practicality trump attachment every single time, so stay alert and don’t let your ego blindfold you.

“Make it till you make it” is a much better strategy than “Fake it till you make it”

If you feel that what you’re doing is right, then you shouldn’t let anyone who doesn’t know you influence your point of view. But bear in mind that when you act a certain way and don’t listen to suggestions from others, you have to take it all on your shoulders when stuff goes sideways.
If you act overly confident, to the extent that it may be perceived as narcissistic cockiness, yet you make too many mistakes, people will lose respect for you very quickly. Humility is a huge tool you should use to give yourself space for making mistakes.

For example, if someone asks you for help but you aren’t sure of the answer, be honest about it and tell that person that you’re going to figure it out for them, but that you need to do your homework first to make sure you provide quality advice.
Then do the homework diligently, and get back to that person with all the details they needed.
Never let your ego try to make things up, because people are smarter than you think. If you fake too much, they’ll figure you out and you may end up forever labeled as an incompetent impostor.

“Fake it till you make it” doesn’t really work, and I much prefer the version “Make it till you make it”. Learn stuff, be humble, iterate till you’re pretty good at the things you do. Competence inspires confidence, so until you have a serious body of work to back up your words, just do stuff in silence and don’t try to overdo it.

Everyone is a target these days, but are they truly aware of it?

The vast majority of startups and SMBs – especially outside of the tech world – tend to have this dangerous belief that they’re too small to become a target for malicious hackers.
When you look at the statistics and reverse engineer the hacker’s mindset, you can figure out why it’s actually the opposite. Hackers, cyber thieves, script kiddies and other malicious actors come after the easiest targets not only because of the instant reward that stimulates their brains, but because hacking these days is more of a business than it is a hobby.
Thieves seek quick wins because, like most business owners, they realize that time is their most precious resource. So they’re more likely to attack organizations with a weak security posture, because in a week they can hack a dozen of them, rather than spending a month without any certainty that there will be a return on investment.

That’s not to say there aren’t hacking groups that go for the big brands; it’s just that there are far more average-skilled hackers than there are sophisticated and well-funded hacking groups. And that leads to a very important point. As the owner of a small business, consider your investments as something that is supposed to stop those lone wolves, rather than spending a lot of money trying to protect yourself against gangs or state-sponsored attackers.

Management needs to understand that while big organizations can often survive a security breach, small ones can’t afford it, often because of its impact on their public image. If a business providing enterprise solutions has a stable position on the market and a great product, most customers will stay, because it’s expensive to transition a whole enterprise to another vendor. But if you’re a small startup that has been compromised, you’ll have a hard time keeping your customers. Not only that: in this era, breaches get overblown on social media, and PR- and marketing-wise you’re finished even in terms of new, potential customers. This is a really important thing to mention here, because recently I’ve seen many articles saying that “it’s cheaper to get hacked than to secure an organization”, which are nonsense and are doing a lot of harm to those of us who work on executives’ security awareness.
Basic security isn’t that expensive, and articles like that do more harm than good, so ensure everyone understands business risk management, including the dangers coming from social media scandals, and gets a solid perspective on why security breaches have different consequences for different organizations.

You can earn some love from your marketing and sales people if they learn that you’re protecting the business to make their job easier, so they won’t need to explain to each prospect why you were hacked and convince them that the company is in much better shape nowadays.
Be smart and unite people from various departments to help you achieve your goals.

Social Skills For Information Security Professionals: The Preface To My Book

On my motives for this book

How and why – I believe – my story can make your life easier

It’s been roughly 11 years since I started working commercially in IT, 7 of which were profoundly dedicated to InfoSec, a field in which I truly believe there is a lot yet to be done and that each individual can make a difference through their contributions. Similarly to the careers of so many of us, I’ve made plenty of mistakes that put my career at risk, significantly slowed down my growth, significantly lowered my income, and negatively impacted my health and personal life. Although making mistakes should be an expected part of any worthwhile career, I had certainly not expected that along the way I’d taste so many different flavors of life.
I’ve had my ups and downs, but I always tried to ensure that whoever was involved came out with something beneficial to them. Despite having good intentions in my heart, I was not always successful in demonstrating that well. To me, everything I’ve been doing was always about bringing value to others and being the most productive person in the room, long before I realized that I had been doing it all wrong and that my hunger for success was my biggest obstacle. But as the saying goes, “the obstacle is the way”, which is why I’m grateful for all of it, and I really want to share my experiences with others, so they can save themselves some trouble and get smarter faster than I did. I wish I’d had a resource that would have guided me through at least the basics of human interactions and effectiveness in the business world. So here it comes. A book that I wish someone else had given me 11 years ago.

I want to be really upfront and transparent with you. Although the companies I’ve worked for were very satisfied with the outcome of my work, to me it came at the cost of my professional and personal relationships. Without any doubt, I can say that because of my stubbornness and improperly directed hunger, I’ve wasted a ton of my potential as well as burnt some potential in others. And that feeling sucks. Realizing that while chasing greatness I had a negative impact on the quality of life of a few people around me, as well as looking at my own life and noticing how much health and energy I wasted – it just sucks. But it sucks in a different way than most things in life suck. It’s not about discomfort this time, but about actual pain, because while I got compensated quite well for my around-the-clock grind, I forgot about the most important currency we have access to in our lives – time and health. If you’ve got good health and you’ve got time, you have all the resources necessary to make something great happen. Assuming, obviously, that you’re resourceful and can actually understand the value of these two powerful things. That’s what I want to be the leading point of this book, i.e. how to achieve your goals quickly, yet without compromising the quality of your life and others’. I respect your time, which is why I wanted to keep this book as concise as possible, cutting out the fluff each time I noticed any. If this book takes you 2 hours to read, and it saves you as little as 1 day of your life – I’m all set. My mission is accomplished and I’ll feel good about it, because there is no bigger mission than saving lives. This is one of the reasons I’m publishing this book for free. I’m making a fair amount of money selling my time to corporations, and I want these lessons to reach as many people as possible and help them preserve their time and health.
I can make money by other means, but the opportunity to help people improve their health and relationships is so rare, and so huge, that I couldn’t let myself agree to commercial publishing. I’ve been sharing my knowledge for the past 5 years all over the Internet, at conferences and meetups; and those few voices generous enough to share with me that I’ve helped them improve their lives are the biggest reward one can get for their work. That’s what I hope this book will do for you – help you achieve your goals at a lower cost to all involved stakeholders in all facets of life. I don’t want to monetize this book. I want you to learn from it, and then for you to monetize the newly acquired knowledge by improving as a professional and getting compensated well for your effort.
You don’t owe me anything and I don’t expect anything from you. You’ve already given me more than I’m audacious enough to ask for – your time and attention. Thank you for that, and if you still want to do something for me, then please share your experience and knowledge with others. Help your peers, show them your perspective and help them grow by exposing them to various points of view. Pass your knowledge on to others, so they have it easier than you had: to help them avoid the mistakes you’ve made, so that they can save their time and use it to build something bigger or experience other things life has to offer. Standing on the shoulders of giants. That’s what it all is.
I guess at this point you can already smell how much I dislike wasting time and reinventing the wheel 🙂

How and why – I believe – my story can help you avoid personal and professional suffering

InfoSec is a stressful job and, if not managed properly, leads to unhealthy situations which can surely end up in a long-lasting burnout. Burnout is one of the most painful experiences in the life of a professional, especially a good one who is self-aware enough to realize how much potential they had and how it just got destroyed. There are many critics saying that job-related stress in industries such as IT isn’t worth discussing, but I call that a dangerous misconception. You couldn’t be more wrong in thinking that we’re not under high pressure. InfoSec is one of those industries where many things are totally out of our control, and you can’t really sleep well – ever. Many of us got so engaged in the work we do that we started compromising other parts of our lives, introducing an unhealthy imbalance. Precisely such imbalance led . So I can relate to all of us who have experienced tough times. That’s one of the reasons I believe in this book so much. It’s not that it contains any secret knowledge, or that I’m such an egocentric writer. Heck, I’m not even a native English speaker, so I realize my shortcomings, yet I am still ready to take the heat, because I believe in its value. I believe that this book can help – at least to some extent – my InfoSec friends who have struggled, struggle or will struggle with the challenges I’ve been struggling with for many years. I hope this book answers some of the questions we ask ourselves and turns out helpful especially to those of us who have nobody to turn to for practical and non-judgmental advice. Writing the book has certainly helped me understand some concepts better and instill them deeper into my mind, so I have the answers handy whenever I need them. And I need them pretty much on a daily basis, so having this handbook on my computer allows me to stay in sync with reality and remain calm and humble.

The tough experiences have made me who I am today, and with many bad outcomes behind me, I’m getting more and more comfortable with helping others avoid my mistakes. Losing relationships, and not taking care of my health, which resulted in life-long illnesses and daily pain that decreases the quality of my life, all contributed to the process of reinventing myself. The moments of truest joyfulness were those where I learnt that something can be done better. That I can do better and I can be better to other people. It’s thanks to those moments, which I’ve used to reinvent myself, that I’ve been able to achieve long-lasting fulfillment.

I know I’m starting to sound meta and all that corny stuff, but I decided to still leave it here, as I’ve met people who will get to feel hope again while relating to my story. I’ve got good news for you though. Only the foreword contains so little substance.
Please feel free to use this book whatever way you like. You can read it as a regular book in its entirety or use it as a reference handbook, with an easy-to-navigate index which allows you to jump to specific questions and answers.

Almost nothing worthwhile comes without pain or some sort of suffering, so I’ve come to the point where I accept my mistakes and allow myself to live without blaming myself too much for making them. I advise you to look at things in a similar way, because holding on to a past in which we weren’t as smart and wise brings nothing good. Looking at the future as a blank page allows you to approach things differently and avoid repeating the old mistakes.
In the book, I’ll be guiding you through subjects that are very subjective and focus mostly on emotional intelligence and social skills, which can’t be measured as accurately. So you might feel like I’m yet another bozo, but you need to open your mind to fully benefit from it. I promise you that everything in this book has been thoroughly tested, and each and every single chapter you find in this book describes lessons learnt from mistakes I’ve made personally in my career. I’m never talking about others, or about things I’ve only read or heard about. Everything has been battle-tested by yours truly, and I believe most of it can be easily replicated in most working environments. It worked for me with minor contextual adjustments while working for companies from various countries on two continents, with organisations ranging from small services startups in Silicon Valley, through public institutions in Poland, to corporations worth hundreds of millions of dollars.

You need to sacrifice the present for a better future, but it doesn’t mean you need to sacrifice as much as I’ve had to. I’ve learnt a ton and I want to use that knowledge to help you make your professional life easier. I want you to be more effective and productive than I used to be in all those years before I started taking the human aspect more seriously.

Understanding these concepts can potentially enable you to see a bigger picture and gain a richer point of view. Please bear in mind that nothing is set in stone and that my experiences may be different from the things you’ve had a chance to experience in your career. So to limit the amount of anxiety and misunderstanding, let’s create a healthy narrative for this journey of ours. I want this book to be an inspiration for you, showing you yet another perspective of someone who has gotten his hands dirty, not a predefined set of rules one must follow. Use it as food for thought, content for consumption and a spark to initiate something bigger, adjusted to the culture of your organization and your personality. Your personality matters. Just because something has worked for me and is indeed a sane way to do things doesn’t mean you’ll want to follow the same path. Things that come to me easily now may come hard to you, and that’s all fine. We are different, so embrace what’s best in you and use that to achieve what you want to.

How to squeeze the maximum value out of the time invested in reading this book

This book isn’t an ideal picture of the world. It was never intended to be. It was meant to show us ways in which we can be more practical and effective. To show you how we can abandon the fears, impostor syndrome, anxiety and stress – or at least reduce them significantly – through small tweaks in the way we operate on a daily basis. I want this book to be practical, so I recommend you read it slowly and don’t rush into the next chapters. Please read a chapter and give yourself some space to reflect on it. Try to recall a situation to which the chapter would apply and outline counterarguments to what I’ve written. Then find the right balance for you and the best way for you to navigate through life. I’m not right, and you’re not wrong. We’re both doing our best, and sometimes the best solution is in the middle of two perspectives, of two totally different individuals. You do you.
After all, we’re expected to bring value to the business and help it make more money, so if you’re still employed, then apparently you must be doing something right! However, regardless of how much we like or dislike our job currently, we can make ourselves like it more. We can make others like us more, and we can reduce the anxiety of the whole system.
But for that to happen, we must improve our social skills, especially our communication skills, at scale.

I believe that security professionals can’t achieve greatness at the workplace if they’re not actively supported by all stakeholders across the entire organization and if other employees don’t feel ownership of the organization’s safety. Security simply must be one of the core values of the corporate culture. Each time I have joined an organization where security professionals wanted to do everything themselves, they miserably and painfully failed shortly after. Fighting a broken security culture without any support from the top leads to burnout for InfoSec folks and creates general anxiety, irritation and a toxic atmosphere within an organization. No one wants that to happen, yet so often we end up in exactly such a situation.

Right, but what about Secure SDLC, you may ask? To me, Secure SDLC is more technology-centric, while DevSecOps is more human- and culture-centric. I may even write a book on Secure SDLC one day, but there is already a lot of great content on that subject, so it’s not a priority by any means. To me, helping people understand the DevSecOps culture is the much more important task, although the two make a very powerful pair, and I believe that in the long run one cannot exist without the other. I would even say that many companies have a magnificent SSDLC, but it could be so much better if its operators understood that every business is a human business first, and that you can boost whatever you’re doing by involving more people and making them care about it.
I’ve met many people who understand how to implement SSDLC principles in their organisations, but not many who know how to build the DevSecOps culture that can take their SSDLC, or whatever they’re doing, to the next level.
I’ve spent over 5 years implementing a DevSecOps culture at the organisations I’ve worked at, because I believed that with such limited resources, doing things together is the only way to go. We all hit a point at which we can’t scale anymore, which is why we must seek the help of others. And to get such help, it’s good to provide it first. Be the leader people will happily look up to and many doors will open. By working together we can do much more, and do it much better.
SSDLC is a fabulous piece of work, and I wish more companies had adopted it since Microsoft announced its Trustworthy Computing initiative in 2002 (the SDL itself was formalised company-wide in 2004). I really do wish that, because the whole industry would be in a completely different shape. But we haven’t, so we must add something to it that fills the gaps with work that doesn’t cost any one of us much. Collaboration and empathy are not that complicated or expensive if we only decide to take one step forward each and every day.
With the right attitude, culture is something that can be created in the background, while we use our technical competence to enhance our SSDLC workflows and incrementally improve the resilience of the organisations we work for.

I hope the lessons shared in this book will save you, and everyone around you, a lot of anxiety and trouble. I wish I had had access to such a resource when I was starting out; I believe it could have helped me prevent the damage that happened instead. It’s never too late to learn and improve, so I’m still extremely grateful for the opportunity to have experienced so many things, and that I can now share them for the benefit of others. I hope this book helps you navigate social interactions with less stress and more fruitful results, and although it summarizes the most important lessons learnt over the past decade, I’ll still be happy if it saves you a single day of your life.

Let’s get started already! 🙂

QA Summer Fest #1 – Miquido

Miquido: fantastic people, a fantastic organisation and a seriously attractive office!
By internal invitation, I had the pleasure of speaking at the first event in the QA Summer Fest series, so I’m somewhat proud of that 🙂
I was met with an incredibly friendly welcome and farewell, so whenever I hear “Miquido” I will have nothing but good memories.
The conference room was available a full hour before the first talk, so everyone could comfortably say hello and find a pleasant spot to take part in the event. I struggled to spot even one person who looked bored, even though, I’ll admit it freely, I overran my talk badly. A bit too badly, and I know I wore the participants out, but the connection I felt with the group turned the talk into a friendly conversation about everyday life in the IT industry.
On 4 October I’ll have another chance to meet the Miquido crew, as part of my talk at Mobiconf. Something beautiful; thanks again for the hospitality!
I’m also sharing the link to the presentation that a few people asked about:

SJSI Quality3D meetup #3

A dozen or so days ago I happened to show up at https://www.facebook.com/events/225878038117535/ and unfortunately only now have I found a moment to write a summary.
With positive experiences it’s generally the case that there isn’t much to talk about. It’s different when the experience is negative and we want to share it, to get it out of our system and move on, having first made sure that everyone is aware of our suffering 😉 Here there wasn’t a bit of suffering, which is why it took me a while to write the summary.
Seriously though, it was good, very good even. I had the chance to meet a very pleasantly active group, with whom we could hold a dialogue instead of delivering one-sided talks.
That format, real-time Q&A, suits me best, because then I feel I can not only meet interesting people but also add value by proposing solutions to real, contextual and individual problems.
SJSI has recently been organising very interesting events, to which they invite people from many disciplines to share their knowledge and experience. And that’s exactly how it went with my talk. I was invited and, without a moment’s hesitation, shouted “YES, YES, YES!”. The chance to reach a new group of people with my ideas and ready-made recipes for solutions was an opportunity I couldn’t turn down.
I’m grateful for the chance to reach others with my knowledge and experience. Every time, at every talk, I hope to deliver as much value as possible to the people who decided to invest their time and turn up at an event to listen to me of all people. I’m especially grateful for the warm welcome and the interaction during the talk.
Although at first my mind was elsewhere because of a project I’d been working on earlier, after 5 minutes I was all-in and totally absorbed by the interaction with the participants. It was good!
And now, time for the links you asked about.
Book:
Presentation:
Article on how to break into the security industry:
And in short, the event was about:

“The best things you can do for your company’s security in the next 3 years”

Companies, their employees and the whole IT community are confused and slightly lost in the vast number of topics related to organisational security. There is so much noise coming from every direction that people don’t quite know which way to go to improve their company’s security. Should they test manually or automatically, should they order a pentest or use bug bounty programmes, should they keep their data in the cloud or in a classic data centre.
During this talk I’ll try to answer these and many other questions, going down to the technical level. My aim is to give you some ideas and ready-made solutions, so that you can focus on getting the important things done.

and about

“Testing the most common security bugs: dispelling the myths about how hard it is to work as a security person, and showing that any of you can do it.”

In the security world there’s a legend about how exceptional you have to be to work on security testing and protecting organisations.
In reality (surprise, surprise!) we’re all human, and if someone with a profile similar to yours managed to do something, then you can do it too.
During the hour-and-a-half workshop I’ll show you practical tools and introduce the mindset needed for security testing, so that, regardless of your current profession, you’ll be able to dig into security testing, penetration testing, security audits and the like.