
Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Social Engineering for the Blue Team: My Story

February 22, 2018

This is an ongoing blog series, which touches on my upcoming speaking and workshops on Social Engineering for the Blue Team. My current schedule is as follows: BSides Indy, March 20, 2018; I am an alternate at BSides Nashville April 14, 2018; and I will be doing a workshop on the topic at Converge and BSides Detroit, May 10-12, 2018. I hope to see you there.

"You're a Rockstar."

These were the words uttered to me after turning in my two-week notice at a previous place of employment. I know infosec rockstars are looked down upon in social media circles. I took this as a compliment. These were words from our CIO. He followed that up with, "Everyone seems to like you." Which I took as another compliment. Both compliments made me feel extremely good, because compliments are few and far between in our industry. That's a topic for another blog post. For this blog post the compliments started me down a path of self-discovery.

I always seemed to have a knack for getting along with others. I never knew why, though, and I definitely didn't feel like I was doing anything special. My early years of life were filled with a lot of happiness and joy. I loved school up until about the fourth grade. I was good at it, but I also had a lot of fun with my classmates. It wasn't until I moved midway through fourth grade that I started to realize the mean side of kids. We moved to New Jersey.

My dad served in the Army for 20 years. I moved a lot. I averaged two and a half years in places. Thankfully, after fourth grade we moved again. This time to Kansas. I had a much better time in Kansas. Middle school was pretty good. I had friends. I also had some enemies that used to be friends. We moved back to New Jersey for eighth grade and half of high school. This is considered some of my darkest years. I had friends, but I was also picked on. A lot.

My pants were too tight. My glasses were too big. All I wanted to do was fit in. My mom bought me baggier pants and scheduled an eye appointment to get contacts. My grades slipped in an effort to be part of the in-crowd. I moved my junior year of high school to Minnesota. I was picked on there for my baggy pants (remember JNCO jeans). I had girl friends, but in general I found talking to the opposite sex intimidating at first. While I missed out on the academic side of school, I was learning about human interaction.

I failed a lot at human interaction. That, eventually, led to me picking up David Deangelo's Double Your Dating series. This was after a six-month period in which: my girlfriend dumped me; my roommate bailed on me and left me with paying for a two-bedroom apartment; and a captain's mast for showing up an hour late to duty. Technically, I was supposed to go to captain's mast after three write-ups. Being late was my first one and something everyone did when they only had a few weeks left at a duty station. In this case I was being made an example of by the new commanding officer. Still I had failed, because I wasn't viewed as a good sailor. Something needed to change.

Studying Deangelo's content I realized that I wasn't just learning interaction with women, but people in general. I was getting self-improvement tips and techniques. I picked up (on the recommendation of Deangelo) Feel The Fear And Do It Anyway by Dr. Susan Jeffers. This was the turning point. I started honing my soft skills. I did this for life quality reasons. After I was told I was a rockstar and people seemed to like me, I started to understand how. This was just a few years ago. Last year I read Social Engineering: The Art of Human Hacking by Chris Hadnagy and it opened my eyes to the how.

I've excelled at my roles partly due to my technical prowess, but mostly due to my ability to build strong relationships with people. I see that as the key to my success in building security programs, processes, and improving the security culture of an organization. My current role has me sitting with developers. I am successful there because of the relationships I've built. Leadership wants to hire me away from the security team. The developers are making good security decisions without my input.

We talk about the talent shortage quite a bit in our field. A lot of solutions start with improving security programs in school and mentoring juniors in our field. I think those are good solutions. It will take time for those solutions to be fully realized in our industry. I also don't have much influence there. Where I do have influence is in the better relationship realm. I think if we can interact better with other departments we can make strong improvements in security.

That's why I've put together this content. I'm really excited about the idea. I've had a lot of success with it and I think others will too. More to come.

This blog post first appeared on Exploring Information Security.

In Experiences Tags social engineering, training, Talent Shortage, BSides, Converge Detroit
CircleCityCon 2015

Leveraging the security mindset of others

November 21, 2016

I am over six months into my new role as a senior software security engineer. My role has me embedded with the development team. I go to meetings and interact with the team on a day-to-day basis. My desk is in their area. I go to lunch and conferences with them. As I’ve gotten more familiar with the environment and team, my task list has started to grow.

One of my co-workers noticed this and while leaving a meeting the other day asked if security had plans to hire another security person. I responded that I thought they might in the future, but that I wasn’t counting on it. It took two years to fill my role. With the current “talent shortage” it may take another two years to fill a similar role.

My strategy for getting security into the software development life cycle is to leverage the skills and knowledge of the developers. They are really smart people, so I put a focus on improving the security mindset of the developers. In meetings, I let them talk through security issues and find their own solution. Just me being there the developers know that security needs to be taken seriously. For the most part they choose the right path.

I also recognize when security issues are identified and addressed by the development team without my involvement. The development team is already doing a lot of good things from a security perspective. By recognizing that in a meeting or one-on-one I am amplifying and encouraging that type of behavior. Using that strategy, I’ve started to see improvements in the development team in regards to security. The other person I was discussing this with agreed. They were seeing more focus being made on security.

Do we need more people in security? I don't know. What I do know is that the security industry is having a tough time finding the right people. Maybe we need a different strategy. I think that strategy should include leveraging the security mindset of others. I've had some encouraging results so far. It will be interesting to evaluate the strategy a year from now.

This post first appeared on Exploring Information Security.

In Experiences Tags Talent Shortage, infosec, security, appsec