Original Post on 12-Jun-06 9:24pm
The Information Assurance (IA) industry is quite small; the same major players are known throughout everyone’s circles. Gene Spafford is the Godfather. His legendary research into the security arena influenced most (read all) computer science/engineering students since before my time, and his contributions through Purdue’s CERIAS department still push IA research. Martin Roesch designed the Snort Intrusion Detection System, considered by most as the only open source IDS deployable in a true operational environment. And Stephen Northcutt is the Director of the SANS Institute and originator of the SHADOW IDS from the Dahlgren Naval Surface Warfare Center, advertised by many as the first network IDS. All of these men are well connected, and their reputations don’t do their contributions justice.

So recently, in the midst of finishing my graduate studies and a shakeup within my current company, I thought it might be a good idea to clean up my resume. I’ve written a few papers, passed a couple of certifications, and spent time with a few companies. When I do a vanity search, I come up with a half dozen hits. Not bad, but those hits don’t cover most of my work. In the wake of my recent schooling on the importance of marketing, I decided I should begin building my personal “brand”. That’s about the time I received an invitation to join “Linked-In” from a former colleague, and I started examining the networking sites. What a way to rediscover my contacts! Linked-In claims 6 million users. The US has a population of roughly 300 M. And think who actually joins these networking sites: Information Technology or other well-heeled white-collar workers. I went through my stack of business cards, and found 100 or so people I’d met, be they vendors, University contacts, or colleagues. Each person that joined added a couple more names I recognized, and everything kept growing.

Now for the funny part. Remember the size of the IA industry. The major players were already on the site. I sent them invitations, and received word back from most of them. Until Northcutt. I found him on the site, and posted the invite, expecting a quick note back saying hello. Instead Stephen Northcutt writes: “For real, I am not a member of LinkedIn, that is weird.”

I sent him a copy of “his” profile, to which I received: “That is awesome, and that was my job title back in 2004. Anyway, I promise I am not a linked inner”. I started thinking about what could actually happen with irresponsible/malicious use of these sites. What could branding theft hurt? I could see networking impersonation benefits, people sending invites based on your status/reputation… They put together a huge email list of the best/brightest of your contacts, those that are the most “linked-in”. What happens when they ask for introductions, based on your title and prestige, to other top connections? Think about “you” asking Spaf or Marty for introductions to their 600 or 1000+ contacts. Or better still, a VC evaluator, someone like Becky Bace, another IA heavyweight. Your contacts happily oblige the introductions. It’s no longer a cold call for the imposter.

The reason I bring this up is simple. These are security experts. Stephen has a list of accomplishments that most people dream of for an industry reputation. I mean, he started an Information Security training institute. How would he ever know he’d been duped? And how would it be corrected? If the security experts miss this, what about you?
