Thursday, March 14, 2019

The End of the Golden Age of Incident Response Billing

If you squint, you can see the beginning of the end of the golden age of incident response billing. I’ve seen this movie before and I know how it ends because I lived through the golden age of eDiscovery billing.  Incident response will no more go away than litigation requiring the production and review of electronic documents, but the current billing gold rush won’t continue indefinitely.

I left law enforcement and entered the private sector around the time electronic discovery was really gaining steam and interest in the legal world. This resulted in legions of eDiscovery consulting outfits of various sizes and abilities getting into the game and charging confiscatory prices for their work. The billing during this period was such that it took nothing for litigation to result in some eDiscovery consulting outfit making six- or seven-figure sums for their work. Law firms and their clients eventually rebelled against being ridden like ponies off into the sunset by the eDiscovery industry and started to bring as much of the work in-house as they could get away with to avoid expensive outsourcing. Electronic discovery cost containment became a very important buzzword in the legal world.

The gold rush also brought in more competition and interest from giant consulting firms who could offer competitive pricing and performance because of their economies of scale and ability to invest in technology and utilize their existing infrastructure. This resulted in quite a few small to medium sized eDiscovery firms being bought up, merging with other firms, or just going out of business entirely.  It wasn’t that eDiscovery went away or that it suddenly became inexpensive, but the market eventually worked things out where the larger and more efficient firms could offer better speed, cost, and quality to the legal world and their customers.

We’re going to see something very similar in the incident response world. We’re still very much in the information security version of WWII’s Happy Time where the field of battle still greatly benefits the attacker. That isn’t changing anytime soon and maybe it never will change. I wrote about this information security happy time in 2011 and very little has changed since then. We just have to look at the headlines to see the near constant reports of major breaches in all sectors of business and government. These successes are going to continue to result in high demand for incident response services and these services are not cheap. Many a fortune has been made in recent years by sharp people who set up incident response consulting practices and billed themselves into a king’s ransom. The costs associated with a breach can be immense due to the costs of the technical response itself, resulting litigation, paying for identity theft protection if personally identifying data was involved, and everything else associated with recovering from a breach including potentially rebuilding all or some of the impacted organization’s information technology infrastructure.

These costs have created a growing cyber insurance market where organizations are making cyber insurance part of their risk management process and basically paying the insurance companies to help shoulder the risk for them. The key rule to understand in an arrangement like this is the age-old one that says that “He who pays the piper calls the tune.” When a breach happens, the insurance companies will be the ones dictating the response since they are the ones shouldering the cost. These firms will have already entered into agreements with trusted incident response providers to provide their services at pre-determined billing rates. The insurance companies will be driving cost containment in this area because their financial health will depend on it. This will put an end to the current golden age of incident response billing, which will put downward pressure on the profits of organizations providing incident response capabilities and the salaries of those who work in those organizations. I expect that we’ll see similar consolidation in the industry where it will be hard for smaller incident response firms to survive unless they develop practices based on providing affordable response services to smaller entities that might not have insurance and the resources to pay expensive incident response fees. That said, there will still be plenty of money to be made in this area and it’s still going to be a great industry to be in if you are interested in developing the incident response skills that will be in demand for a very long time to come.

In the short term, the gold rush is going to continue because the insurance market is still developing in this area. The sun will start to set in the medium term as the insurance industry becomes more mature in this area and an increasing number of breach victims are covered under some form of cyber insurance. I think we’ll also see legislation helping drive some of the cost containment where organizations that take certain proactive steps such as being compliant with some information security standard or another will have their liability capped and that will also help drive costs down. In the long term, stick a fork in the gold rush that is the current incident response market. It will be done.

Sunday, January 20, 2019


Image by geralt via Pixabay
I think the last AFoD blog post in the Life After Law Enforcement series will end up being one talking about the interview process. It’s the logical next step after the resume post and it’s also the one that I’ve been dreading and dragging my feet in doing. The resume post was enlightened self-interest in that I can help others out by teaching them what a proper resume should look like, but it also helps my teams and me get better-written and more informative resumes for our future open job postings. Win-win. The interview blog post will go against my self-interest because I’ll go into some of the things that can torpedo a candidate and ways to deal with at least some of the more common interview questions that can trip people up. In other words, it’s me giving out the answers to some of my test questions, but it’s necessary stuff to know if you are plotting that move into the private sector so I’ll have it out at some point soon.

The good news is that Richard Bejtlich’s recent and excellent burnout blog post gives me an excuse to write about something else and procrastinate on the interview blog post just a bit longer.  The first thing you should do is go and read his blog post.  I’ll wait. 

So, now that you are back, I can tell you that burnout is a very real thing in the incident response world. My first case of career burnout actually happened very early in my career when I was in law enforcement. It’s a good laugh line that I use early in my conference presentations when I tell people that I used to be a police officer until I got tired of living the Jerry Springer show. However, it’s also an illustration of an early personal and career failure on my part. I had all of the training in the world on how to deal with law enforcement stress and burnout, but I didn’t use those tools. Throw in some early medical problems dealing with chronic pain issues and I ended up making a decision that I ultimately regretted, which was to leave law enforcement and enter the private sector way too early in my career. It’s not that I haven’t enjoyed many aspects of the private sector and I’ve certainly made more money than I ever would have had in the law enforcement world, but chasing money isn’t worth it and there would have been plenty of time to do that after a longer law enforcement career.

I’ve experienced a couple different versions of burnout in my private sector career from different sources.  The second case of burnout was one that many people in the digital forensics world experience which is simply too many hours and too much travel.  I started my post-law enforcement career with a small digital forensics and electronic discovery startup.  It was a fantastic experience and I’m glad I did it. I still have an immense amount of respect for the people who started and ran that business. They put their capital (and sanity) on the line to build a business and made a great run out of it. Since it was a new startup business with a lean staff, it required an immense number of hours on the part of everyone. Once it got to the point where I was traveling 100 percent of the time, I had reached the burnout point and was ready for a change particularly since I was newly engaged to be married.

The third case of burnout was just doing one too many major incident responses. I left the consulting world and entered the world of enterprise high-technology investigations. I don’t regret that aspect of my career path and I learned an immense amount from my time in massive corporate environments. I built and led some teams made up of some of the finest people I’ve ever met, but the tempo and politics of giant corporations eventually wore me down to the point where I was ready for a change. In my case, I was presented with the opportunity to leave the digital forensics and incident response (DFIR) world and enter the world of fraud investigation. It was an easy call to make at the time because of being burned out on DFIR and the opportunity to learn about how banking, payment systems, and fraud actually worked. I’ll admit to missing DFIR work after I spent a couple years away and wondering whether I had made a mistake or not more than a few times along the way, but it ultimately all worked out well. What I ended up with was this weird unicorn skill set where I have the ability to build and lead teams and projects that involve the finance, cybercrime, and information security investigation worlds. It’s not that I recommend becoming burned out as a tool for career diversification, but it can be the inspiration to change your path and end up with a better result than if you had stayed on your current path.

So after about a half century being alive, I’ve learned that burnout is a thing and it’s important to be able to manage the stress to avoid burnout. If you do find yourself burned out, there isn’t anything wrong with making a change and finding different pastures, but it’s best to make those changes when it’s not a response to getting to the point of being burned out in the first place. One of the best hedges against this is having activities outside of professional life that help manage stress and give you an opportunity to do something meaningful outside of career life.

Richard recommends doing something physical outside of your career and I think that’s a fine idea.  In my case, I picked up practical shooting several years ago and it’s a nice way to get some physical activity when I shoot matches periodically throughout the month or when I’m doing dry fire practice at home.  There is very little digital involved with practical shooting beyond the scoring technology.  Pistols are basically springs, levers, and chemistry coming together in a small package that is deceptively hard to excel at when the buzzer goes off. I shoot better and understand firearms much better now than I ever did when I was a police officer. 

I’ve also picked up amateur ornithology now that I’ve found myself living in Florida. Birds are a testament to the wonder of God’s creation and we’ve got a bumper crop of different types of bird species here in Florida alone. I enjoy going to our local beaches and seeing what our various birds and sea life are up to and I’ll post pictures from time to time on my Twitter feed if I get a good picture or video of some seabird doing something interesting.

The biggest thing that made a difference in my life is my relationship with Christ. The best stress relief I’ll ever get is attending various services and events at my church.* I grew up and attended various churches throughout the years, but it was only in recent years when I really started to take my faith seriously and that’s been the most life-changing hedge against stress and burnout that I’ve ever experienced. It’s allowed me to see my career as something I do rather than something that I am. One of my favorite Bible verses is Philippians 1:21 (I even have it on my Twitter profile) which says that “For to me, to live is Christ and to die is gain”. I even have that verse listed on both sleeves of the shooting shirt that I wear to major shooting matches to remind me that the purpose of my life is sanctification (an ongoing struggle since I’m really good at sinning early and often just like everyone else), following His example, and sharing the transforming gospel of Jesus Christ through my words and deeds.

(*Unfortunately, even though I’m a member of a church centered on Calvinist doctrine, I don’t have a proper Calvinist beard. My facial hair just won’t cooperate to get a proper beard, sadly.)


Sunday, November 25, 2018

Life After Law Enforcement: Can We Talk About Your Resume?

I’ve been a high-technology hiring manager for a long time and one of the consistent themes I’ve noticed when assessing candidates is that most resumes are abject clown shows. Chances are excellent that your resume falls into this category, because I know my early resumes certainly did.  It wasn’t until much later in my career after working with executive recruiters who actually knew something about resumes that I finally got mine under control.

In the name of community service and enlightened self-interest (because I’m assuming anyone who is applying for one of my teams now or in the future is going to do basic social media searching and find this post), I’m going to do a full blog post on what I think makes a good resume. The warning is that this is very specific to my experiences over the years so it’s not to be considered authoritative by any means.

The primary purpose of a resume for employment purposes is to get you that initial interview and into the hiring pipeline. You want to put your best foot forward quickly and concisely to the reader so that you will stand out as a qualified applicant that they want to talk to more about the position you’re interested in. The secondary purpose for your resume is keeping track of your various experience, training, education, and accomplishments so that you can use it for non-employment purposes like court expert witness validation, speaking engagements, grant submissions, certification applications, and anything else along the way that documents your professional career progression. It’s important to keep your resume up to date as new things get added so that you aren’t stuck trying to remember several years of accomplishments on short notice. I update my resume with each new speaking engagement, for example, so that it’s always up to date and ready to go.

I’m reasonably agnostic as far as formatting, font type, and font size. For the longest time, I was using 9-point font to reduce the number of pages, but I discovered that it was causing issues recently when converting to PDF files so I just decided to go to 12-point font. It’s easier to read and I don’t have any conversion issues. I’m using Times New Roman because it’s a standard font that is easy to read, but there isn’t anything wrong with using other standard fonts like Arial, Calibri, and the like. You just want to avoid using something exotic like Wingdings and you should be fine. It’s also important that you stay consistent with your font. I’ve seen some really awful attention to detail failures on this front where one job listing on a resume will be in one font and another job will be listed in another font.

The ultimate goal is to have something that looks professional, readable, and will look good when you convert it to PDF. I prefer PDF whenever I send someone a resume because it reduces the chances of something going sideways with fonts, edits, and the like when someone opens it up or passes it around.  It looks professional and PDF is such a universal format that any given web browser can open them up so specific word processing software isn’t necessary for a reader to review it.

You’ll also see all sorts of rules and recommendations when it comes to resume length and you can count me as agnostic in that area also.  A resume should be as long as it needs to be to accurately reflect your value as a candidate and to score an interview for the job you are seeking. I’ve seen some resumes that just dragged on and on because they were loaded with nonsense and others that I knew were too short because I knew they were leaving some critical information out.

The top of your resume will, of course, list your name and your contact information. I see most people listing their full mailing address and I’ve long since stopped doing that.  I just leave things with my city and state. It’s not that there is anything necessarily wrong with listing your full mailing address, but I will admit it sort of gives me the cold and pricklies when I see college students doing it because I’m always concerned some creeper will use it for stalking purposes.  That’s my Dad radar at work and I know it’s not hard to figure out addresses through open source investigations so take it for what it’s worth.

I list my city and state, my Google voice number (because I have it set to ping me any number of ways if someone leaves me a message or sends me a text and I hate giving out my direct cell phone number. I get enough fraud calls as it is without having to deal with recruiters dialing me directly), an email address, and the URL to my LinkedIn profile.  The email address should be something that you don’t mind getting recruiter spam sent to for the rest of your life. I get hit up by recruiters all of the time and quite a bit of it is clearly based on resumes I had out about a decade ago.  What I’ve noticed is that, for the most part, the recruiters who are pitching jobs that are appropriate to my skill set and career progression reach out to me directly via LinkedIn.

What I don’t list is any post-nominal letters because, in general, I think they are grossly misused (here in the United States, at least) and strike me as unnecessary puffery. I understand that there’s more than a few people who disagree with me on this, but even if you do list eight security certification acronyms after your name, you don’t need to do that on your resume because you’re going to be listing those in the body of your resume. Remember that Robin Williams taught us that in the dictionary for the word “redundant” it says “see redundant”.

Once you’ve got the contact related information down, it’s time to start into the body of your resume. I’m going to start off by saying there are many ways to craft a proper resume and I’m not offering up “The One True Way”, but rather recommendations based on what has worked for me in my career and what I’ve found effective both as a candidate and as a hiring manager. It is a very good idea to not only do research by reading blog posts like this, but to pay someone to review and help craft your resume. In my case, my current resume is the product of various executive recruiters that I’ve worked with over the years. Since I was the product they were trying to sell, they were happy to help me craft my resume for free, but there is nothing wrong with paying someone to help you with it if you aren’t at the point in your career where professional recruiters (and I mean the few that are any good at their jobs) will do it for you.

The next section that I have in my resume is basically a biography section that I have titled “Profile”. It’s basically a mirror of the third-party biography that I have up on my LinkedIn profile and serves as a sort of generic cover letter. The idea is to give the reader a reasonably quick overview of what I think makes me a good job candidate, speaker, expert witness, and the like. It’s basically an extended written version of an elevator speech. This is also where I list the URL of the AFoD blog and my Twitter account. I could have also just listed both in my contact area at the start of my resume.

There is no reason why anyone can’t write a good profile that catches the attention of the reader no matter where they are in their career cycle. If you have some career experience, this is where you draw that out and explain to the reader why you are awesome and why they should keep reading through the resume. If you are a college student, this is where you talk about what you are passionate about, what classes you’ve taken, and all of the side projects like college clubs, volunteering, research work, and the like that you’re working on during college to prepare you for that first job. Everyone has a cool story no matter where they are in their career. This is where you can tell yours.

The next section in my resume is my work experience. This is the next logical progression for my resume since I’ve been in the job market for a while, but if you are just starting out and in college, it might make more sense to lead with your academic background and really hit that hard and then list any paid or volunteer experience after that.

The work experience section is really where resumes can fall flat on their faces. Getting this right is difficult and this is where the professionals who have helped me with my resume over the years have really added value. What I’ve been told to do by these people is to tell people what I’ve accomplished rather than just making it a job description. This is not easy even if you have an easy list of accomplishments in your head. It’s also one of the reasons why I frequently keep my resume updated because it’s very easy to forget everything you’ve done over the years especially if you are trying to quickly update a resume on relatively short notice.

What I do for my employment section is that I list each employer that I have had and then I provide no more than a paragraph explaining the employer.  For example, for my JP Morgan Chase section, I have “JP Morgan Chase is a leading global financial firm made up of over 235,000 people and 2.4 trillion dollars of assets. The firm provides retail, commercial, and investment financial services to millions of customers around the world.” This just gives the reader an idea about the size, scope, and purpose of your organization.  I think this is a great idea even if you are working for a law enforcement agency.  Sure, people are going to know who the Pittsburg Police Department is, but do they know, for example, how many officers there are or the population size that they serve?  If you belong to an agency that no one has heard of before, this is a great time to explain some basic information about the Burning Stump Junction police department and the community that it serves.

For my law enforcement people reading this, not only should you be talking about what you accomplished during your law enforcement career and giving us some background on your department, but you should also be describing what the purpose was of those various nifty specialized units you served on during your career. This includes the digital forensics type units as well as anything else you did during your career. Don’t assume that a human resources person screening resumes is going to have any idea what an RCFL or ECTF task force officer does or what those units are. Don’t assume that a hiring manager like me is necessarily going to understand what you did when you left patrol and were working that first assignment as a detective on some specialized unit that might not have had anything to do with high-tech crimes.

Do NOT just copy and paste a civil service job description into the work history for your employment history for a job. I've seen people do this several times over the years (including the part that says "other duties as assigned") and it's sloppy, lazy, and tells me that I've got someone who just decided to phone it in for their resume. These resumes get no further consideration from me.

All of this goes double for my military veterans. I love you guys and gals, but you leave so much on the table with your resumes. All too often when I get a resume from someone who was in the military, I’ll just get some small blurb at the start of their resume work history section (because most of what I see are folks who enlisted right after high school or were commissioned as officers after college) telling me the branch of the service, some dates, a job title, and maybe a bit of text telling me about their MOS/AFSC/Rating for enlisted people or their general warfare community if they were officers.

You veterans should go nuts with your service history.  Look, you don’t have to necessarily spend a lot of time telling me about the United States Army, but you should explain what that 31K Working Dog Handler MOS is, what you did during your time in the service, the relevant training you received, and especially all that you achieved. This means listing all of your various awards. Every. Singular. One.  The general rule is that if it’s listed on your DD214 under the section that says “decorations, medals, badges…” it should show up somewhere on your resume. This includes your warfare community qualifications.  Frankly, if you did something like earn a United States Navy submarine warfare qualification badge, I wouldn’t blame you if you put it as a high-resolution graphic on the top of your resume.  I’ve literally got someone on my team right now who earned a Combat Infantryman Badge in Iraq (You know exactly who you are. I know you are reading this. I’m so glaring at you right now) and doesn’t have it on his resume.

I also strongly recommend that you explain on your resume what you did to earn the non-campaign type awards.  You should certainly feel free to explain what that GWOT medal means, but it’s not necessary. What I think is necessary is explaining why you were awarded that United States Air Force Achievement Medal.  There is some citation somewhere that explains what great thing or things you did to get that award so it should merit at least a sentence or two explaining why you got it.  This gets back into the concept of explaining what you achieved on your resume rather than just your job responsibilities.  

You should have a section that lists your academic related education. In my resume, I have this after my employment section. This is where I list my undergraduate and graduate degrees. This is also where I list that I’m a graduate of the 141st Iowa Law Enforcement Academy because that’s still a big deal for me as a personal and professional accomplishment. I list my various honor society memberships under the degree programs that they were associated with because it looks cool. I don’t list my grade point averages because no one cares about your GPA unless maybe when you’re just out of college. Frankly, with the way grade inflation is these days, a 4.0 GPA doesn’t really tell me much of anything as a hiring manager. If you are in college or just out of college, it’s not a bad idea to just lead off your resume with the educational portion and put in more details such as club memberships, leadership positions, interesting research projects, a more detailed description of both your university, the academic program you were involved with, relevant classes, and anything else that would tell the hiring manager why you should get that first interview. You spent many years cranking on your degree program and if it’s the primary focus of your resume, it should have much more content on your resume than it does on mine.

The next section on my resume is basically me just punting when it comes to professional training.  I long stopped keeping track of all of the conference presentations, online training webinars, and the like that I attended.  I think I still have a list somewhere that lists various classroom training that I’ve done, but I’m at a point in my career where I just decided to include a paragraph that says:

Successfully completed hundreds of hours of advanced training in areas such as computer forensics, fraud, payment systems, financial technology, mobile device forensics, cybercrime, malware analysis, data assurance, interviewing and interrogation, investigation, incident response, and open source intelligence.

….because I didn’t want to add several pages of training classes to my resume.  Don’t be me.  Add several pages of training classes to your resume unless maybe you’re in a senior position like mine where it doesn’t matter as much.  I should have at least kept track of everything that I’ve done so that I can list it if I ever need it for court purposes or something similar.  The training section is where you want to list all of the classes you’ve taken that are relevant to the job you are seeking.  Unless you’re just desperate for something to beef up a thin resume, there’s no reason to put that ASP certification class you took on your resume.

The next part of my resume is where I list the necessary evil that are professional certifications. You have to have them for the most part in our industry so list all of the relevant ones that you have. I just list the active certification names and leave it at that. I don’t list anything else such as the years that I have had them, certification numbers, or anything else. Feel free to list expired certifications. I don’t list my expired certifications, but if you slogged away on that CCNA back in the day and decided not to renew, it still tells me that you suffered like I did with the Cisco certs (mine are all expired) and at some point you passed a reasonably difficult test on networking. Again, I don’t care if you are ASP certified, but I do care if you are an ASP instructor. The fact that you are qualified to teach someone something is interesting to me even if it’s not relevant to a digital forensics position.

The next section that I list are my “selected presentations and media appearances” where I list the various times that I have given presentations at conferences, webinars that I’ve done, or times that I’ve shown up in the media.  I call it “selected” because, once again, I didn’t keep track of this sort of thing as well as I should have early in my career so I don’t remember all of the times that I’ve presented.  I have done a pretty good job of keeping track of this sort of thing for most of my career, however, so this is a pretty extensive section.  If you teach a class, give a presentation somewhere, or anything similar, it should be listed here.  An alternative that I have seen some other candidates do is keep a list of this sort of thing in something like Google documents and then just provide a link in a cover email or something similar for the hiring manager to access. I prefer keeping everything in the resume so that if people print it out, they have everything in front of them.  You can’t assume that someone is going to click on your link (and we’re a bit of a paranoid bunch in general when it comes to clicking on links) and some people prefer to just print out resumes and review them in paper form.

The next section for my resume is one that I have titled “Professional Activities” and this is a bit of a mixed bag of things such as advisory boards, committee memberships, side consulting engagements, and anything similar that I have done over the years.  This is also where I list things like the fact that I attended the FBI Citizens Academy out of the Newark Field Office back in 2010.

The last section that I list are my professional affiliations and those are my various association memberships such as the American Academy of Forensic Sciences, Association of Certified Fraud Examiners, International Association of Computer Investigative Specialists, and everything else.  I just list the names of the organization and I don’t include any dates, membership numbers, or anything similar.

All of this should just be considered a guideline for how a proper resume should be crafted. There are any number of ways to do a proper professional resume and how I crafted mine is just one of many.  Frankly, if the only thing you get out of reading this post is understanding that it’s a great value to pay someone to craft a proper resume for you, my work here is done.