Penetration Testing mailing list archives

Re: My Frustrations


From: Joseph McCray <joe () learnsecurityonline com>
Date: Fri, 19 Dec 2008 01:58:58 -0500

Last year I posted a similar message to this list titled "I want the PT
list back....":
http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2007-12/msg00052.html


My frustration was similar to yours. I just missed how much I used to
learn on this list.

The security community has changed: the bleeding-edge information is
now spread out across tons of blogs, and the IRC servers where people
dropped 0-day in the channel have transitioned to private SILC servers.

As I said in my previous post there are some REALLY smart people on this
list that have forgotten more about security than I and a lot of other
people on this list will ever learn.

I used to b*tch about how tired I was of reading the "I've just been
hired to do a pentest - how do I scan a host behind a firewall" posts,
to the point that I was about to swear off this list.

I had a buddy that pulled me aside and just told me - "You are just
getting better as a security professional so you aren't in awe like you
used to be." There is still plenty of stuff talked about on this list
for newbies to learn from. Occasionally there is something that even
pretty experienced people can learn from as well.

As far as how you handle competing against incompetent security
professionals (that often underbid you - no, I'm not
bitter...heheheheh...) and how that affects your business - now that I'm
dealing with a lot of business development, I'm really learning that
you are only as good as what you can convey to the customer.

The customer isn't a security expert, and often can't differentiate
between you and someone that's not as technical as you.

In terms of business - that incompetent security professional either
conveyed his value to the customer better than you did, or got the
customer to believe that they didn't need to go with a larger more well
known firm.

As much as we are geeks and love geeky stuff - this is business. You
have to be able to convey your firm's value to the customer.

Show them the books you've written, the tools you've developed, your
whitepapers, conference presentations, and demonstrate your knowledge of
regulatory compliance. Provide credible references in your customer's
industry, and most importantly prove how you add value with your
professionalism, your customer service, your attention to detail, and
your ability to explain complex problems to developers and
administrators.

If you are really that much better than someone you think is incompetent
you shouldn't have an issue conveying that to the customer.


I'm not saying all of this to be harsh - this has been a hard lesson for
me to learn as well and I still struggle with it a lot.

Hope this helps.....


Joe

On Wed, 2008-12-17 at 14:19 -0500, Adriel T. Desautels wrote:
I recently wrote this blog entry and wanted to get some comments from
readers of this list. I'm frustrated with the caliber of the people
that are offering security services and posing as experts; that's the
subject of the post. Please comment, insult, whatever... I'm interested.

http://snosoft.blogspot.com/


Adriel T. Desautels
ad_lists () netragard com




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe () learnsecurityonline com
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 

        - Zig Ziglar

