A Guest Post by Mark Stanislav
What was your initial response to reading that? Were you annoyed? Did it enrage your professional sensibilities? Did you find it sacrilegious? Maybe you already closed this blog post just by seeing that (and will never know I called you out for it).
I am the Security Evangelist for Duo Security, a two-factor authentication and mobile security company based in Ann Arbor, Michigan. My role here is to ensure that we as a company are engaged in the broader information security community, as well as promoting the services we offer. Duo hired for this position not because they wanted a figurehead to send on a worldwide speaking tour 90% of the year, but rather to have someone who could interact with technology communities and help increase thoughtful dialog, content, and information among professionals and end-users alike.
My background is mixed. Really mixed. If you called me a Linux/FreeBSD/Solaris admin, or a PHP/Rails developer, or an adjunct professor, or a startup co-founder, or a blogger, or a pre-sales engineer, or a penetration tester, you’d be right! For me, information security was always my passion and the job I held was a way to apply my passion. I don’t know what qualifications a Security Evangelist should have, but I’d like to think that by having such a diverse background I have an easier time interacting with a variety of professionals and end-users, rather than just people within one niche I consumed myself in for over a decade.
So, what do I actually do? I spend a lot of time working across teams here at Duo, from product to marketing to sales, trying to ensure that the team has the internal knowledge and external points of view needed to succeed. Since I do present at a number of conferences yearly and interact with customers and would-be customers online via many social networks, I have a chance to understand how the industry is shifting both in terms of end-user perspectives and competitor initiatives.
I’m also here to cultivate the community around Duo Security, whether that’s by discussing how to do a Ruby on Rails integration for two-factor or discussing the merits of our two-factor platform versus competitors. I also spent a good part of my time writing content for blog posts, white papers, case studies, and other avenues to discuss security technology. Of course, there are a few things in the works I can’t discuss quite yet, but all efforts are to help allow me to more thoroughly interact with people who love technology and information security.
A fair question is of course, “How would I become a Security Evangelist?” Frankly, I wouldn’t aspire to be a Security Evangelist. Rather, I’d say you should focus on making yourself a knowledgeable, friendly, and engaging professional who is active in many technology communities (beyond simply information security) and gain a diverse view of the intersection between technology, people, and security. Also, it’s hugely important for you to know technology and security beyond an academic point of view. Having the hands-on basis of knowledge to state, “Technology X was terrible because of merit-able points A, B, and C.” is critical to not being washed-out of conversations immediately.
In terms of education, I did attend college for both a bachelor’s and master’s degree. I also hold some of the common certifications we all know about like the CISSP, Security+, and CCSK. Those credentials certainly don’t define me, nor do they prove that I hold any certain set of real knowledge. I do, however, find those experiences allow me to discuss a broad set of topics with the large population of college-educated and/or certified professionals out there. I tend to stay out of the sometimes cliquish nature of the security community and rather enjoy meeting new people at events ad-hoc, chatting, and going over war stories (some bloodier than others). Stories like when I spent my 16th birthday at a Detroit hacker conference and had my FreeBSD box rooted. Yep, go ahead, laugh away.
Outside of “evangelism” I spend my professional free-time doing various types of security research, consult occasionally for ethical hacking and Linux administration companies, and of course interact with a variety of technology communities in person. For me, it’s important to stay active in actual IT and not sit on my job title as an excuse to stop learning. Rather, I took this position because I had a plan to stay active in technology at a hands-on level. I am also more dedicated to seeing other people’s presentations to gain knowledge that I may not otherwise be able to gain first-hand anymore. Continuing education is crucial to the success of any IT professional, job title aside.
At the end of the day, I hope people that meet me in the coming months and years (online or in-person) have a chance to adjust their likely disparaging viewpoint of people who hold my title. More so, I look forward to sharing my knowledge and opinions, and have each of you reciprocate, so that we can all benefit from the amazing and diverse backgrounds we possess.