The Network View

Security Pros on Twitter (SPoT): Andy Willingham/@AndyWillingham

This week we look to another talented Security Pro, Mr. Andy Willingham. In his day gig, Andy serves as Information Security Officer for a Financial Services Holding Company, a role he grew into from his extensive hands-on experience administering the network. In an effort to establish and evangelize his security objectives, Andy is quite active on social media, and he also keeps his own blog titled Andy ITGuy; The voice of reason in a world of FUD. His blog highlights key events in security, the latest news and developments, and his take on select topics of interest. We recommend you take a look at it to read some of the important commentary Andy has to offer.

SPoT: Andy Willingham / @andywillingham

Real Name: Andy Willingham
Twitter Handle: @andywillingham
Top 3 Social Media/Networking Sites:
LinkedIn, Twitter, Facebook

1. In which area(s) of security are you most involved?
I started out in Network Security but have focused mostly on program development, regulatory compliance, and architecture for the last few years.

2. What security topics will be the most important in the next 18 months? Why?
I think we really need to focus on user education, reclaiming the desktop, social media and “The Cloud”. The first two will give us the biggest bang for our buck, and the last two have to be tamed before they get too far out of hand. They are coming fast and furious, and we can’t stop them, so we’d better learn how to secure them.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
We have got to start involving security in the beginning stages of projects. I can’t tell you how many times I have found out about something in a Change Control meeting when the business was trying to get approval to go live with something. They had been working on it for months, and no one ever said “Hey, I wonder if Security would have any concerns about what we’re doing?”. It only hurts them in the long run, because they end up getting delayed on launch, or if someone with enough clout “insists” that it still go live, they end up spending lots of time and money fixing things that could have been prevented. It looks bad to their customers because of all the down time and bad features.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?

I’ve spent much of my career in smaller companies with limited tech staff, and there have been lots of times when I needed someone to bounce an idea or question off of, but the only option that I had was an online forum. Not that there is anything wrong with that, but you are taking a chance that 1) someone will know the answer and 2) that person will actually check the forums and see your question, which can often take several days. With Twitter and other social media sites, I’ve got experts in all fields right there willing to help out. It also keeps me informed on up to the minute happenings in security, and it is lots of fun to banter with and trade ideas with others in near real-time.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Michael Santarcangelo, The Security Catalyst, @catalyst on Twitter. Santa thinks like no other security pro that I know. He is on to something that has the potential to set the security industry, and by default the companies we protect, on its ear. He not only realizes that we need a shift in how we think and how we practice security, but he has a plan and is actively getting the word out.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
First off, as I said earlier, they are here to stay, and we had better do something about it. We can’t just sit back and wait until our company adopts them, and then try to figure out how to secure them. Chances are there are people in your company who are already using them, and you just don’t know about it yet. As security pros, we have to know the issues, concerns, and threats to fix them before they become problems. My first concern is that [this movement] is happening too fast and the industry is not keeping up. Businesses are adopting them without taking proper measures to ensure that they are being used in a secure manner. As for overstated issues, there are a few, but what makes them overstated is that lots of “experts” are talking about them and complaining about them without offering any real solutions. It’s okay to talk about problems so that others become aware of them, but then you need to either quit talking or start offering something of value.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
Picking a specific three is hard because what you choose (especially if it costs money) needs to be based on what your area of focus is. RSA is a safe bet for most any aspect of security, but beyond that, it gets foggy. If you have the budget, I’d say do something like this: Go to RSA and one conference that is specific to your area of expertise. Then I’d say find local chapters such as NAISG, ISSA, InfraGard, DC 404, etc., and attend their meetings and events. If you can do those three things, then you will be able to build a network that will serve you well in solving problems, answering questions, and finding new positions when the time comes to move on.

One Comment

  1. James Costello says:

    Andy isn’t Canadian. He lives in Atlanta

    [EDITOR'S NOTE: Thanks to Mr. Costello for pointing out an error on the original entry]
