2024-10-12 22:09:00
I volunteer for Wiccon, a cybersecurity conference here in the Netherlands. Last year I gophered on-site and did a presentation on stage. This year I'm gophering again, I helped in the CFP (call for papers) and I'm in charge of the gopher-planning. I'd also submitted an abstract, which was ultimately not chosen.
A few days ago Chantal reached out to me, if I could maybe do my proposed presentation after all because another presenter became unavailable. After some thinking and puzzling I thought I could make it work. I had nothing but my abstract, but with 2.5 weeks remaining I could maybe make it work. Right?!
Well, it's caused me a lot of anxiety, to be honest! As I said, I had only the concept of what I wanted to present about, but not even a skeleton or a set of research. I'd not worked on that since my CFP submission was rejected.
This morning I reached out to Chantal and Dani to tell them I couldn't do it.
I'm preparing to teach four classes (DevSecOps in October, Linux+ in November and Linux Essentials and LPIC1 in December), I've got family matters and my primary customer. Shuffling priorities would free up some time, but going from zero-to-complete is simply not possible. I can't do it.
It's ironic that I would fall for this trap, even after telling Roald not a month ago that "I want too much, I'm too greedy".
It felt like I was letting down valued colleagues, friends even. I'd promised to help them, but I can't. If I did, my health and sanity would suffer, to the detriment of all other commitments I have. So I won't do it.
And it's okay. I'm telling myself that and so are they. It's okay if you can't do something. If I can't do it.
View or add comments (curr. 0)
2024-10-12 20:00:00
In 2019 I took a class with Russell Eubanks, SEC566 - Implementing the Critical Security Controls.
Lots of people associate SANS with "super-duper-technical" trainings, which SEC566 was not. It was more about understanding the many, many layers of security controls which an enterprise can (should?) apply to properly secure its assets. I learned a lot back then and the group discussions with fellow students were the biggest value-add.
Last week I participated in Russell's LDR521 - Security Culture for Leaders.
If you'd asked my if I'd see myself as a leader, even until a few months ago, I would've said "no". That's crazy, right? I'm just this gal, you know?
I always associated "leadership" with "management". Or even "higher management". But while I've been waxing introspective the past months, I realized that the past three to four years I have in fact been acting in a leadership role. As in: leading by example.
I've helped start two brand new DevSecOps teams, both having common goals:
Heck, a few years ago my team at the time got an in-house award, for leading security culture! So yeah. I guess I am in a leadership role now!
Which is why I applied for a SANS Facilitator role for LDR521, a security culture training developed by Russell and the famous Lance Spitzner.
There's literally no technological learning to this class, it's all about understanding business, management, finance, "selling" to your audience, training and more. All the things you need to understand, to pick apart existing culture, so you can affect change.
The two taglines for the class are on their challenge coin:
As is expected of SANS, it's "drinking from the firehose". There's an incredible amount of information to take in during the four days of class. While LDR521 doesn't have an exam of its own, you could say the fifth day itself acts somewhat as an examination! The capstone project has our teams tackle six challenges in improving security culture at the fictional family-owned Linden Insurance. It's hard work! Every challenge needs you to dig deep and remember the lessons you were taught in class. If not? Culture at Linden remains suboptimal or even suffers!
Coming from a highly technological background, the LDR-series of trainings requires that you drop your preconceptions about "what is right".
I for one hold strong opinions about the Right Course to sail and I have on multiple occassions been frustrated with management not understanding why my team was Right. I have an ingrained allergy to "the suits" and have had a disconnect between "mission, vision, strategy" and what we were doing in tech.
Well. This class helped break down walls which were already cracking.
Thanks to this class I have formalized things I have been doing the past five years. My teams were somewhat successful at guiding security culture, now I know there's actual words for and theory behind what we were doing. And yes, I am now starting to understand why aligining with "mission, vision, strategy" plays such a big role in culture. Heck, now I even know what this "culture" actually is! It's that iceberg-under-the-water, the "perceptions, attitudes and beliefs" that LDR521 so heavily features in its slides, them and challenge coin.
I very much would like to also do the other two classes in this leadership triad, LDR512 (security management essentials) and LDR514 (security planning and strategy). And once 521 gets an exam, I'll jump on it!
For now? My brain is mush. I need to deflate, reconnect with my loved ones after a week of absence and then I'll go over all the materials a second time. I need to solidify my understanding!
kilala.nl tags: work, studies,
View or add comments (curr. 0)
2024-10-12 19:29:00
Five and a half years ago I took my first SANS training, SEC566, which I worked as so-called Facilitator. This week I repeated the experience, for a newly updated training: LDR521 - Security culture for leaders. I will discuss the course in a separate post.
My experience as Facilitator in the SANS Work Study program echoes my 2019 trek: highly positive.
To remind you of what the Work Study program entails: if accepted by SANS as "Facilitator", you will participate in a SANS training while at the same time helping SANS staff run a successful event. Primarily you are there to help your teacher with things they may need (call it a gopher, a runner, an errand person).
Secondarily you will also help classmates with questions and you may end up helping them setup their lab system. Aside from that: you act as SANS rep to welcome all guests during breaks, to ensure everyone's feeling good and happy.
In return, you gain a big fat discount on your training package. You are also given access to the on-demand class and (if applicable) you receive an exam voucher.
In my case, LDR521 does not include an exam, so I got the training, the on-demand and access to NetWars Core. Normally that would rack up a bill of around €12.000. As Facilitator, my company paid €2.300 on the final bill.
As I said: big fat discount.
What did I do for this?
Since five years ago, a number of things have improved! Changes from 2019:
Now, after the full week I am absolutely drained.
Twenty years ago, I described PCD: post-convention depression, after coming home from AnimeCon. Coming home after a week of SANS is very similar! My brain is mush, my social battery is dead and the sudden switch back from "150 cool people all working hard at learning" to "my usual routine" is harsh.
Working with my co-Facilitators was a joy: they were a great group of people, I thoroughly enjoyed their company. My class was good, properly "drinking from the firehose" as is behooves SANS. The legwork and social interactions left pretty tired by Thursday already!
Is it worth it? Absolutely. Working with these awesome people is the best, the discount is just a bonus. I'm shooting for LDR512 or LDR514 in May.
kilala.nl tags: studies,
View or add comments (curr. 0)
2024-10-08 10:14:00
This morning I made a difficult choice: I left a community I'd been a very active part of for years.
The /r/comptia study group on Discord was a highly active community when I joined in 2020. Dozens of people would chat every day, while preparing for one of many CompTIA certification exams. My original goal of joining, just like with joining the /r/comptia sub-Reddit, was to offer mentoring and coaching.
Per the start of this year I volunteerd to co-moderate the group on Discord. Despite dwindling activity over the years, trolls and spammers were still very active and the moderation team could use the help.
What also changed over the last years, is that some community members got more vocal in their political discussions in the #breakroom channel.
At times I would contribute to the discussion, offering a left/socialist/progressive point of view in a discussion that was very much right/conservative oriented. At other times I would attempt to steer the channel towards halting the discussions as I felt they were drifting further away or even discouraging the actual, intended purpose of this Discord community: providing a welcoming studygroup for anyone and everyone.
With the upcoming elections in the United States, I have noticed an uptick in the conservative diatribe in the breakroom including exchanges which could be characterized as "dog whistles": sentence of ambiguous and figurative language which make hide the sometimes extreme points of view under a veneer of deniability.
I feel that this situation not just detracts, but goes against the goal of our community. I feel that many students would be actively dissuaded from participating in the studygroup, because of these messages.
I decided this morning that I have two choices.
I can remain part of this community, trying to provide a counterpoint to these messages. Or maybe I could try to moderate more heavily, steering away from these discussions. But given that one of the active contributors to these extreme discussions is a co-moderator, I don't feel this stands much chance.
Or, I could leave the community because staying implies that I tolerate or even support these points of view being ventilated so openly in a shared space. Tieing my name to such a community, implies that I'm okay with scaring off a large group of students.
I chose the latter.
I publicly announced why I left, also sending a private message to the people involved. With one person I also decided to unlink on LinkedIn, clarifying again why I felt the need to do so.
What I didn't expect to happen was that someone whom I'd trusted and mentored for two years, whom I'd help complete their master's capstone project, unlinked and blocked me in return (though without sending a message as to why). That was a big punch to my gut.
It was to be expected that I would be accused of being intolerant myself, of not "reaching across the aisle", of not "welcoming open discussion and respecting each others opinions", of not "looking beyond the message to see the person".
All of this is part of the Paradox of Tolerance. To quote the Wiki article:
If a society's practice of tolerance includes the intolerant, intolerance will ultimately dominate, eliminating both the tolerant and the practice of tolerance
Or to put it differently: simply by associating with people who utter extreme points of view, to an outside audience it implies that I endorse their message.
So I left. It cost me a community and someone I considered to be a friend. But I do not wish to be in a group where the rest of the moderation and admin team abide others creating an unwelcoming atmosphere.
kilala.nl tags: life,
View or add comments (curr. 1)
2024-09-27 13:09:00
A new client has asked me to teach short sessions preparing trainees for the Linux Essentials and part of the LPIC1 / RHCSA exams.
Since I already teach Linux+, I thought I'd do a quick comparison of the exam objectives between the three big names. This comparison is only valid for the versions current per September 2024.
The PDF linked below has a number of columns which might not be self-evident. From left to right:
Rows marked "-" mean the objective is not on the mentioned exam. A red box marked "-" means the same, but also indicates that I feel it's something that should be on the exam. Or at least should be taught to a new Linux sysadmin.
LinuxPlus-LPIC1-RHCSA-ITVitae.pdf
kilala.nl tags: work, studies,
View or add comments (curr. 0)
2024-09-13 14:24:00
Hot on the tail of last night's didactics training with Rick at Security Academy, I decided to immediately tackle one of my biggest pitfalls: I'm not an observant person, I take a lot of things at face value.
To help myself notice (and track) student behaviour in class, I whipped up a booklet with key behavourial patterns and Likert rankings. I'm sharing it under CC BY-NC-SA (meaning anyone's free to use and change it, but not for commercial purposes).
kilala.nl tags: work,
View or add comments (curr. 0)
2024-09-12 21:56:00
I love teaching. I very much enjoy helping people understand and apply new concepts.
Thus I'm very grateful for the opportunities I've been granted! I've taught in-house classes with my customers and I'm a returning instructor at ITVitae. I teach Linux, DevSecOps and security concepts, all with a lot of professional experience and a modicum of didactics. I got lucky this week, on the latter part!
But first: I'm looking to diversify my portfolio. I'm already a backup trainer for Firebrand and Logical Operations, but I'd like to actually teach more frequently! Which is why I've reached out to Security Academy, here in the Netherlands, earlier this year. At the time I had a great first meeting with Rick. Great insofar that we both saw opportunities and because that single hour held some educational nuggets of wisdom for me.
This week I had my try-out training session with them and let me start with my conclusion:
Even if I had not been hired, I would have still come out as a winner.
The try-out session had me prepare a 15-30 minute mini-class (which I did on zine-making). My audience consisted of three Security Academy colleagues and Rick observing as the fourth person present. What I didn't catch on to, was that the three colleagues were put into very specific roles: the enthusiast, the disruptor and the dead horse.
In just half an hour, they managed to find a whole bunch of my pitfalls and strong points! Some of my pitfalls I was already aware of, sometimes painfully so, others were novel.
Hence why I say: even if Rick decided not to move forward with me, I'd still taken a free masterclass!
Well, speaking of?! Rick invited me to take part in two masterclass sessions on didactics, with other Security Academy trainers. Those sessions? Awesome! The theoretical parts were a repeat and solidification of things I'd learned in my CTT+ certification. The practical session uncovered more pitfalls which I was not conciously aware of. I'm very grateful to have been part of this free masterclass!
Now... As I told my co-worker Roald: I have a tendency of biting off more than I can chew.
This is yet again evidenced, this time by me taking on a new customer! So, not only have I been accepted as trainer by Security Academy, I have also been hired (with two actually planned classes!) for teaching Linux to a group of trainees.
kilala.nl tags: work,
View or add comments (curr. 0)
2024-07-26 10:27:00
This morning on my way to work I listened to the latest episode of Open Source Security podcast. Their topic was very relevant to a past-intern Jana's master's research and to my current intern Cynthia's software project.
Specifically, episode 438: CISA's bad OSS advice, vs the White House's good advice
They made some very good points speaking against our team's ideas of doing risk analysis on open source dependencies. I really like it when smart people provide counterpoints to my own thoughts.
My teams and interns followed a classical approach, where we discern a number of key factors and metrics to determine whether a software dependency is "trustworthy".
I still like that we did these projects, because they can provide insight into our risk exposure. But I agree with the podcast's presenters that such a tool doesn't provide a solution to the problem.
They pointed to CISA's recent document about this very same problem, which they dubbed unhelpful. And they referred to Mitre's Hipcheck, which is another software solution for risk assessment on open source dependencies.
It all sounds like great materials to read into! It might even make for some interesting conclusions and counterpoints for our current intern's final report.
kilala.nl tags: work,
View or add comments (curr. 0)
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.