The Security Hippie is Barak Engel’s second book. As the originator of the “Virtual CISO” (fractional security chief) concept, he has served as security leader in dozens of notable organizations, such as Mulesoft, Stubhub, Amplitude Analytics, and many others. The Security Hippie follows his previous book, Why CISOs Fail, which became a sleeper hit, earning a spot in the Cybersecurity Canon project as a leading text on the topic of information security management.
In this new book, Barak looks at security purely through the lens of story-telling, sharing many and varied experiences from his long and accomplished career as organizational and thought leader, and visionary in the information security field. Instead of instructing, this book teaches by example, sharing many real situations in the field and actual events from real companies, as well as Barak’s related takes and thought processes.
An out-of-the-mainstream, counterculture thinker – a Hippie – in the world of information security, Barak’s rich background and unusual approach to the field come forth in this book in vivid color and detail, allowing the reader to sit back and enjoy these experiences, and perhaps gain insights when faced with similar issues themselves or within their organizations. The author works hard to avoid technical terms as much as possible and instead focuses on the human and behavioral side of security, finding the humor inherent in every anecdote and using it to demystify the field and connect with the reader.
Importantly, these are not the stories that made the news; yet they are the ones that happen all the time. If you’ve ever wondered about the field of information security, but have been intimidated by it, or simply wished for more shared experiences, then The Security Hippie is the perfect way to open that window by accompanying Barak on some of his many travels into the land of security.
Table of Contents
1. Failing to Fail
2. They be Comin’ After Ya
4. People be People, Yo
5. Designer Goods
6. Advice from Experts
8. Back to Basics
Barak Engel is a recognized and well-established security industry veteran, originator of the vCISO (virtual CISO) concept, CISO in dozens of organizations including well-known brands like StubHub and MuleSoft, published author (Why CISOs Fail).
Good storytelling is both an art and a gift. When mixed with real world experiences, they can combine to create a masterpiece. The Security Hippie masterfully uses real world experiences and compelling storytelling to paint a picture of what real life looks like in the security profession, and in doing so, becomes that masterpiece.
-- Brian Ahern, CEO, Threatstack
The Security Hippie tells stories about what it takes to have a career in security with plenty of learning moments and laughs along the way. Security is a field that is all about ethics, trust, and often, finding out who you shouldn’t trust. Security professionals have a moral obligation to call things out when they see them and Barak’s career narrative serves as a prime example of how we should all play a role in protecting society.
-- Nick Santora, CEO, Curricula
There are many lessons in the dark arts of information security management that Barak shares in The Security Hippie. They remind us that CISOs are, more importantly than IT experts, people. Drawing source material from the frontlines of the evolution of infosec, Barak shares relevant personal experiences that are by turns illuminating and thought-provoking while being funny and engaging, and always informative and well-written. The Security Hippie offers a confessional-style memoir that emphasizes the human aspect of information security, providing CISOs actionable insights for unlocking next-level performance. You’ll laugh, you’ll cry, you’ll re-examine your information security management system design and implementation.
Like other great counterculture authors before him, Barak takes his readers into new territory on a journey paved with personal experiences. Courageously displaying the good, the odd, and the downright embarrassing moments of his career, Barak spins a yarn that showcases the soft skills and strategic business mindset needed to elevate this traditionally IT-focused profession.
Today’s CISO cannot thrive in an IT sandbox sealed off from the business they are charged with protecting. In conversational-but-intelligent prose, Barak explains how to think outside the CISO sandbox.
-- Eliot Baker, Sr Mgr, Hoxhunt
When I first read Barak’s book I thought it was about tactical examples to survive security breaches or ways you could be a better leader. I mean, it is a book about all of that; you get to see his life play out through his lens, as a security special agent helping companies prepare for and react to security incidents. But in reality I saw it as an authentic biography about a person who deeply believes in integrity and relationships, and how he’s built a sustainable enterprise in the service of his customers. Finally, even his writing style speaks to his lifelong pursuit of showing other geeks like me that we can find success in our own skin. In that, I found a lot of inspiration and I am certain you will as well.
-- Dilip Ramachandran, Chief Product Therapist at Nimi, Author of "Gangsta PM"
I'm at a loss for words for Barak. Literally. When I suggested that hippie wasn't a big enough word to capture his uniqueness, he suggested I come up with another. I couldn't. I don't think there's a word or a sentence or a handful of both that could accurately describe his unique quiver of skills and traits.
I met Barak nearly two decades ago. By that time I already had two decades of security experience under my own belt, and we both had lots of war stories to share. Many stories since, and I can't think of an expert whose counsel I would seek first, or trust more, than Barak's.
-- Neal O'Farrell, Executive Director of the Identity Theft Council
We are all wired to soak up stories and narratives - and that is where this focused, well-organized and colorful collection of information security anecdotes really shines. An important reminder that career success in the world of information security demands not just technical aptitude, but solid communications, problem-solving and even diplomatic skills. And a little snark doesn't hurt! If you like to laugh while you learn, give this short book a read.
-- Ben Smith, Field CTO at RSA Security
Sometimes a great notion starts with a simple idea. Just like in his previous book "Why CISOs Fail," Barak Engel distills decades of experience into those "Aha!" moments that seem so obvious in hindsight and yet so elusive beforehand. One of the things that always impresses me about Mr. Engel is how he effectively cuts right to the root of things, going beyond the threats, the vulnerabilities, the technology stack, and even the business dynamics, to the people that operate across all of those layers. As he always does so well, the insights and lessons are made accessible to a broad audience with Mr. Engel’s distinctive wit and unassuming style. As he says, "a good storyteller will pretty much always defeat any security system"!
-- Dylan Capener, Director of Security Engineering, Box
Stories and commentary abound in "The Security Hippie." I may even recognize a number of them, with a wry smile. This isn’t a technical manual, per se. It is a series of vignettes and lessons learned from being out there in the field and experiencing first-hand the world of information security (and a smattering of privacy) in companies large and small. There are strategies for how-tos, should-not-do, should-have-done, all with a dose of logic and a common sense approach to security. This is highly recommended reading for anyone interested in some keen insights and the thought process and rather different way of looking at relevant issues in security and privacy.
-- Marc Escuro, Privacy Program Manager, Facebook
Akin to a foreword, shouldn't a backword be something that one writes after having read it and is then providing a review?
The beauty of having worked with and known Barak for nearly 100 years (IT years being like dog years) is that I’ve had the privilege of participating in or seeing some of these stories play out. I’m a huge fan of stories. Humans are fundamentally incapable of sharing technical (or cybersecurity) information with others in technicalese – most would fit the ‘eyes-glazed-over’ category if they were on the receiving end. Barak and I are on the same page philosophically: when he was recently visiting me in San Diego, and I said ‘information of any kind is best relayed through story and song, and trust me, you don’t want to hear me sing’, he immediately read the relevant excerpt from the preface (so perhaps I can be the first to claim that the author read part of this book to me!).
Barak’s storytelling is captivating - the stories are all relatable, and on top of that, there are implicit lessons learned that may help you better understand our crazy cybersecurity world. And even if you are one of the few who didn’t learn anything from his stories, I can guarantee that you will be entertained. And true to life, the hero in these stories didn’t always win – in fact, one common theme was that ‘business will always trump security’ (or IT for that matter). Therefore, it is critically important to be able to present security, risk, IT, and so on in a way that the business understands. After all, it’s about doing business in a reasonably secure manner. You will see that even though Barak has always had the client’s best interest in mind, security is a difficult sell. Wisdom is often acquired at a cost (even if it means getting older), and Barak’s takeaways from some of his ‘losing’ experiences can help the aspiring security practitioners to hopefully steer their company in the right direction with less pain.
While consulting is a relationship-oriented business, security consulting, including filling the virtual CISO role, is foundationally built on trust – and Barak states that integrity is essential. Trust must be earned – sometimes over years. Integrity, along with a dash or two of believing strongly in karma, is truly the cornerstone of cybersecurity – be it consulting or be it taking on a security role, from analyst to CISO. This means that it’s imperative to provide pragmatic and logical guidance that is delivered in a humble or at times humorous manner. This is part of Barak’s magic – and through his storytelling the reader can learn the best way to present cybersecurity thoughts in a way that the stakeholders may embrace rather than repel them.
Chapter four’s theme about baking security into software (or any ecosystem for that matter) is one that we’ve encountered over the years more times than I can count. Sometimes disasters-that-could-have-been serve almost as effectively as ones that played out. Oftentimes the person who can best provide security oversight or feedback is not part of the design discussions so that security is relegated to an ‘afterthought’. In modern times where businesses need to be extremely agile, and timing is everything, there’s no time for engineering in security when the business is scrambling to get a product to market. While Barak’s story about the company with the faulty crypto plan could be a recipe for a disaster for the company, sometimes luck prevails – though it doesn’t make it right. This just helps illustrate how important it is for the security practitioner to have a seat at the table as early as possible in the process.
In Chapter Five, one of the various aspects that Barak brings to light is that security has become an increasingly specialized field which seems to become more complex with each twist and turn of the threat landscape. I often use the potato chip (or vodka) analogy – that the degrees of complexity/specialization have increased at roughly the same rate as the number of flavors of potato chips (or vodka) that you can buy at the store. Back in the day you could purchase one or two flavors, but now – heck – you can even get cotton candy flavored vodka. Therefore, it is increasingly difficult for small and medium-sized firms to have the full assortment of disciplines necessary to provide a multi-faceted security strategy.
One thing that my peers, partners, and clients have heard me utter on multiple occasions is that ‘The problem is not the silicon, it’s the carbon’. The most effective way to get your organization or key stakeholders to embrace security is to humanize it and to talk about it in terms that are relatable, and not in technical gobbledygook. And as Barak drives home with this book, it certainly doesn’t hurt when it’s in the form of a good story.
-- Steve Levinson, VP Security/Privacy, OBS Global