Open Source InfoSec Defense

Remember when you couldn’t look through a pile of resumes without seeing all of the paper tigers who have a freshly minted Microsoft or CompTIA certification?  Every time we would bring new candidates into the organization to interview, they would routinely demonstrate some very disturbing traits.

An over focus on the marketing aspects of their computer education created a generation of future system administrators who would be destine to continually look for work and never really stretch their legs into the discipline of computer science.

Generalities are generally true; and in our current market, there are a number of job seekers who are eyeing Information Security as the hot new marketing term, but fail to really understand the underlying needs of the market.

As a CISO, my role is often to help our customers understand the nature of risk, and more importantly how they can effectively mitigate it.  Our current risk?  Too few professionals really understand InfoSec Risk, and how it poses real threats to our business.

To assist with this, I’ve started an Open Source project called the InfoSec Defense Curriculum (ISDC).  The project is aimed at creating a common set of curriculum, targeted at K12 and Collegiate students who want to develop a basic understanding of Risk and how to mitigate it in the real world.

Our first class is a survey course designed on the NIST Risk Management Framework.  It contains an overview of all of the skills necessary for students to categorize their target systems, identify and mitigate risks, and finally monitor and respond to active threats. 

While it’s designed for younger minds, that is simply because they are the easiest to reach.  I think the lessons of the course are generally usable at all levels of the profession, and I hope they will be useful to the community.

You can find the course at

Leave a Reply