Have you ever watched a speaker at a security conference, an expert being interviewed on television about the latest cyber attack, or an instructor at a whiteboard, and wondered what it took for that person to acquire the breadth of knowledge you would want from someone you trust with your career? Now imagine all of those people wrapped up into a single individual, add the extra duties of business owner and husband, and you start to get a picture of Dave Chronister of Parameter Security, HackerU and ShowMeCon.
Read on for a fascinating interview covering everything from his first programming project as a child and his BBS days through his first ‘real’ IT job and into how he became who he is today. Dave also shares his thoughts on helping you get that job in InfoSec, hiring someone for your next security project and some great general advice. In anticipation of ShowMeCon 2015, June 8 – 9, get to know a little more about the man (and woman) behind St. Louis’ ONLY Premier Hacking & Offensive Cyber Security Conference.
1. What was your earliest memory of hacking something?
When I was around 8 (early 80s) I had gotten into BBSing. I would use a war dialing program to find different bulletin boards. Not too long after I began, I remember dialing into one of the hits. The banner came up with “Welcome to Corporation X mainframe. Please enter your username or guest to login.” I remember being so excited finding this, I yelled to my Dad (who was a cop), who was in the room. He came over, looked at the screen and said something like, “Interesting. If you type guest, you’re grounded.”
2. What was your first coding project as a child and what language did you use?
It was a trivia game. I wrote it in BASIC on my TI-99/4A.
3. I’m also part of the generation that experienced the BBS culture before there was a globally commercial Internet. My parents had no clue what it was that I was doing, but they were still supportive and encouraging. What was that time like for you and your parents?
Most of my friends were BBSers. My parents’ biggest complaint was when I would tie up the phone line. They did eventually allow me to get my own phone line and computer. To them it was my hobby. At the time I don’t think any of us looked at it as a potential skill set for a career. The worst part about it was when I would get in trouble, my parents would take my modem. Eventually I got a second modem which I kept in my closet. Took care of that problem.
4. I noticed on your bio that you don’t list any degrees, but you do list certifications and obviously work experience. Can you share your personal educational path and how it helped or hindered your progress?
I was a D student in high school. I was one of those kids who wouldn’t do the homework but would always ace the test. I did one semester of community college and it was just torture. (I was undiagnosed ADD.) I got my first IT job in the mid-90s, back when you could get an IT job if you could spell IT. Not going to college gave me a 4 year jump-start on getting experience in the field. When the tech bubble hit, a lot of my friends who went to college were having issues with getting jobs without much experience. They also needed more money to pay their college loans. I had experience and could ask for less money, so I had employers take a risk on me, which in turn allowed me to rise through the ranks at a younger age.
5. What was your first “real” job in tech and how did that evolve into being a leader in InfoSec?
My first IT job was in 1996. I got a 12 week contract job to roll out 30 new desktops at a mid-size company. Although I finished it in 2 weeks, they kept me around the entire 12 weeks and then hired me. The tech services group was 4 of us. I was able to get my hands in everything. It allowed me to get that generalized experience in every aspect of technology. That type of environment has helped me tremendously in my current career. I may not be an expert in a particular area, but having some working experience allows me to understand the technology from not only a security aspect, but a work aspect as well.
6. What was the turning point in your career that led to starting your own company?
I was the VP of IT for a bank holding company. It was a private company, and I reported directly to the owner. It was a wonderful job and my boss really became a great mentor for running a business. However, I had reached the height of my career there. I had two choices: work there for another 10 years to get enough experience to get a CTO job in a larger company, or start my own company. My wife Renee was in the same situation as a VP of Marketing. On Christmas Eve 2006, we were sitting at home already dreading going back to work. We decided we needed to start our own company. We chose ethical hacking basically because I couldn’t find a decent pen testing company to do my audits at the bank. Everyone was either a CPA or wanted to sell a solution. We went full time in 2007, and at that time security was not at the forefront of their mind. Fortunately for our company it has become a major issue, and like my career, Parameter was one of the first when it blew up.
7. When marketing your own company, it’s clearly beneficial to speak at events, be published as well as appear on numerous media outlets. But what other benefits come from participating in extra-curricular activities for one’s career?
Speaking at cons and in the media requires you to really know what you’re talking about. If you wing it, someone is going to ask that question that knocks you off your game. I spend a lot of time not only researching the technical issues, but also how it affects everyone. Public speaking also requires you to speak about a certain topic to an audience who may not have the same level of technical knowledge. You have to learn how to put complex issues into layman’s terms. As an industry we tend to try to show off our skills when we are at the mic. It can be intimidating to less experienced techs, and it can come off as egotistical to the non-technical person. Being able to speak to multiple levels of technical skill is the one skill-set that will always trump any technical experience you may have.
8. Working for years for someone else as well as running a business allows you to see the hiring process from both sides. What are the Top 3 Tips for Getting an InfoSec Job? What are the Top 3 Methods for Hiring the Right Candidate?
Getting into InfoSec
1. InfoSec is not an entry level IT job. To be successful you need to not only know the security issues, you need to understand the technology itself. Get experience as an admin or developer, learn the technology, then the security implications.
2. Security is a hot market right now; opportunities are out there. If you want a job in security, many big companies are hiring, but understand that while they may pay top dollar, you may find yourself isolated in a position that is very specialized, which will rob you of experience in different areas. It could end up hindering your opportunity to grow. If you want a career, find the job which will allow you to gain experience in many different areas.
3. To be successful in security, you must understand you’re going to fail. You’re going to be breached, you will not know all the answers, and you will hit uncharted territory. You must be able to handle stress and be comfortable with being uncomfortable. Many people fail in this career because they don’t feel like they are ever able to hit the point where they feel like they know what they are doing. You will never hit that level in this field; there will always be something that comes up that you know nothing about, and you need to be comfortable with tackling the unknown.
Hiring an InfoSec Professional
1. Does the candidate understand the security issues you face? You want someone who not only understands security basics but also the regulatory requirements you may face.
2. Discuss their plan / vision for securing your environment. This should also include setting the expectation of management’s level of support. If you’re hiring someone who is very security-minded, yet he is unable to get funding for projects or management’s support on enforcing policy, it will be a bad working environment for everyone.
3. A good InfoSec professional will continuously want to strengthen their skill-sets. Expect that they want training and to attend security cons. Budget for continuing education related to security. Be very wary of the candidate who says they don’t need continuing education; they are probably always behind on the new issues you face.
9. In addition to performing penetration tests and various other security services, you are also a trainer. What resources would you recommend to newbies in addition to seasoned pros to keep up with the ever-changing landscape of technology and security?
There are a lot of resources available, free and paid. One of my favorite sites is run by my friend, Adrian Crenshaw, www.irongeek.com. You are able to see talks from many cons covering a vast amount of knowledge. Formal training is good; however, be very choosy about what and where you get your training. Many of the certification classes will be a good starting point for an introduction to a specific area; however, they will focus more on passing a test. Make sure your instructor understands the subject beyond the courseware. Many teaching CEH or CISSP may teach an Excel class the next week. Make sure you are paying for more than just someone to read the courseware back to you.
Many thanks to Dave for taking the time to share his story. As you can see, there are many paths to a successful career. Regardless of whether one takes the academic route, the experience path or a combination of the two, the one common thread is that there are no shortcuts. At any level of success one may benefit from luck, but being able to take advantage of that luck takes years of hard work preparing yourself for the moment it arrives.
Donald C. Donzal
The Ethical Hacker Network