SPoT: Alex Hutton / @AlexHutton

Welcome to our ninth installment of Security Pros on Twitter.  This week, we are featuring Alex Hutton, who “works in Risk Intelligence for a Fortune-something company”, according to his profile on The New School of Information Security blog, where Alex is one of the main contributors of content. The blog shares its name with a 2008 book authored by blog founders Adam Shostack and Andrew Stewart, and they are joined by some savvy security pros including Alex, David Mortman, and Brooke Paul. Mr. Hutton has been involved in security since the early ’90s, and we are very glad to profile him as a SPoT.

Real Name: Alex Hutton
Twitter Handle: @alexhutton
Top 3 Social Media/Networking Sites:
Twitter, Facebook, LinkedIn

1. In which area(s) of security are you most involved?
I love Risk, Management Science, & Security Metrics.

2. What security topics will be the most important in the next 18 months? Why?
Regulatory pressures & Business Intelligence.

I think we’re going to see Regulatory pressures (both government and private pressures) increase, because I believe that our industry will continue to see people outside our profession try to “solve” our problems for us.  The danger being that their good intentions will lead us towards an undesirable destination.

Business Intelligence for InfoSec, done right, could be a major catalyst towards solving significant problems in security.  If we’re lucky, it’ll destroy GRC as we know it.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
Wow, if you’ll forgive me for saying so, I think that question is backwards.  If you think about it, it’s rather egotistical to think that “they” need to “get” us.  Nope, my perspective is that they sign the paychecks, so “we” need to “get” them.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I became active when I was developing Risk Analytical software using Ruby On Rails.  Twitter was just kind of experimental then, a neat RoR app to play with.  I was also very interested in how my application would provide security practitioners with a feeling of “Miryokuteki Hinshitsu“, and thought maybe Twitter (or rather twitter-like functionality) might be a piece of that.  The idea being rather than long, arduous web forms in Archer-like software for project management, security analysts could just “tweet” their processes and outcomes back to a central server using an IM-like interface (yeah, this was back when you could still use Jabber for Twitter).

The value I get is twofold.  First, I get to meet good people.  That’s important, as everyone has perspective that contributes to your world view, and I believe that your world view is only as good as it is broad.  Second, and related to that, I get to watch really smart people talk.  For example, I used to despise PCI-DSS, and now I don’t.  That’s largely because of conversations I’ve had with @sfoak and others on Twitter who desire that we stop whining and start solving problems.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Only two?!  Ed Bellis (@ebellis) and Dave Lewis (@gattaca) – both Security Management, both with massive amounts of “get it”ness.  Apologies to dozens of others I would have liked to have mentioned.  And everybody mentions @shrdlu, so he goes without saying.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
IMHO, social media represents more of a time-wasting threat than new attack vector threat.  With regards to the cloud, it’s going to be a mess. And I like that.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
I would break down real world events into two categories – local and non-local.  Pick any of the large non-local events to try to get travel budget for.  Networking with peers is super-important for your career on so many levels.  That said, I’d spend a ton of time getting to know the local environment, even if that means creating your own informal events (especially  if your ISSA/ISACA/Infraguard meetings are “Death by Powerpoint”, with little time for socialization).  The most successful professional events I’ve ever gone to was our Security MBA (Masters of Beer Appreciation) events in Columbus organized by Dan Houser.  We can put our professional guard down, not be over-exposed to some “speaker”, and really have meaningful conversations about our professional and personal lives.