Archive for the ‘Career’ Category

On building fire extinguishers and fighting fires…

June 1st, 2015 4 comments

[Updated below 6/8/15]

The last ten years of my professional life have been spent working for some amazing companies; architecting and building security solutions that are deployed across the globe in the most demanding circumstances imaginable.  It’s been an incredibly fulfilling, challenging and interesting set of challenges, growth opportunities and victories.

I have met amazing people across the globe and the shared perspective of collaborating and co-creating solutions with such a diverse group of people has blown my mind.

The most rewarding aspect is that I have been extremely lucky to have worked alongside really amazing teams of passionate and dedicated people.  I have learned a lot from all of them and I believe I have made a difference.  Through ups and downs, the consistency of a clear mission and a motivation to fight the good fight with credibility, authenticity and transparency has kept me energized.

At the same time, the nature of society, humanity and the way in which our industry has dramatically shifted has driven me to think about the next stage of my career and how I can apply my passion to solve really thorny problems that have equally dramatic outcomes.

I want to take the lessons I have learned and return back to role where I can apply them to help solve them.

With that as motivation, I will transition from building “fire extinguishers” and return to my roots of “fighting fires.”  I have decided to return back to the Enterprise and apply my skills to solving complex problems at a global scale.

I won’t be talking much about where I am going, but it also won’t be a secret…I just want to focus.

My family and I will be moving from California and look forward to a pace of life outside The Valley.

I will truly miss my Juniper family and the amazing company that I have spent the last 4 years helping grow.


Update 6/8:  I can’t say I’m really surprised, but it’s really easy for people to assume the worst when someone in a leadership spot leaves a company; that stuff is falling apart, that there is some acrimonious scenario that makes it untenable, that the strategy or execution is in peril, etc. 

Let me be pointedly clear: NONE of those things is relevant to why I chose to leave Juniper.  The re-aligned strategy and roadmap for both stand-alone and integrated (into routing, switching and SDN solutions) security has never been more solid.  The execution and leadership under Jonathan Davidson and Rami Rahim as CEO has never been better.  I really do think that what we  put together lets Juniper leverage its strengths and differentiate clearly.  I have no interest (financial) in Juniper that would motivate me to state this, but I simply hate half-truths invented by people too lazy to do actual research or ask for comment.

So why leave?  Because after four years of dedicating myself to helping getting Juniper to a better place, I need a break…I need a change of pace and time to reconnect with my family in a slower pace of life…because I need a different set of challenges (not “easier,” but different) that allows me to put my skills to use in a different way.

That’s it. If you’re an analyst, partner or customer of Juniper, don’t read anything else into my departure.  Please.  You’re doing yourself and Juniper a disservice.

If you have any questions or concerns, please reach out to me directly instead of creating your own version of the truth.

Categories: Career Tags:

@Beaker Performs A vMotion…

June 14th, 2011 7 comments

The hundreds of tweets of folks guessing as to where I might end up may have been a clue.

Then again, some of you are wise to steer well and clear of The Twitters.
In case you haven’t heard, I’ve decided to leave Cisco and journey over to the “new” hotness that is Juniper.

The reasons. C’mon, really?

OK: Lots of awesome people, innovative technology AND execution, a manageable size, some very interesting new challenges and the ever-present need to change the way the world thinks about, talks about and operationalizes “security.”*

The Beakerettes and I are on our way, moving to San Jose next week and I start at the Big J on July 5th.

All my other hobbies, bad habits (Twitter, this here blog) and side projects (HacKid, CloudAudit, etc.) remain intact.

Catch you all on the flip side.


* So this is getting interpreted oddly. I really had a great time working at Cisco. I worked very hard there.  I felt like I moved the needle, mostly internally.  I had exposure to an amazing amount of technology and people for which I am extremely grateful.  What I also found is that I need to work in a smaller company where the change I bring can be absorbed and utilized at a pace that meets my needs as well as my employer’s.  I’m really looking forward to being able to do that at Juniper.

Related articles

Enhanced by Zemanta
Categories: Career Tags: , ,

Reflections on SANS ’99 New Orleans: Where It All Started

July 25th, 2010 1 comment

A few weeks ago I saw some RT’s/@’s on Twitter referencing John Flowers and that name brought back some memories.

Today I sent a tweet to John asking him if I remembered correctly that he was at SANS in New Orleans in 1999 when he was still at Hiverworld.

He responded back confirming he was, indeed, at SANS ’99.  I remarked that this was where I first met many of today’s big names in security: Ed Skoudis, Ron Gula, Marty Roesch, Stephen Northcutt, Chris Klaus, JD Glaser, Greg Hoglund, and Bruce Schneier.

John responded back:

I couldn’t agree more.  That was an absolutely amazing time. I was on my second security startup (NodeWarrior Networks,) times were booming and this generation of the security industry as we know it was being given birth to.

I remember many awesome things from that week:

  • Sitting in “Intrusion Detection Shadow Style” with Stephen Northcut and Judy Novak for something like 8 hours going cross-eyed reading tcpdump packet traces and getting every question Stephen asked wrong. Well, some of them, anyway 😉
  • Asking Ron Gula’s wife something about Dragon and her looking back at me like I was a total n00b
  • Asking Ron Gula the same question and having him confirm that I was, in fact, a complete tool
  • Staying up all night drinking, writing code in Perl and doing dangerous things on other people’s networks
  • Participating in my first CTF
  • Almost getting arrested for B&E as I tried to rig the CTF contest by attempting to steal/clone/pwn/replace the HDD in the target machine. The funniest part of that was almost pulling it off (stealing the removable drive) but electrocuting myself in the process — which is what alerted my presence to the security guard.
  • Interrupting Lance Spitzner’s talk by stringing a poster behind him that said “” (a domain I registered during the event.)
  • Watching Bruce Schneier scream at the book store guy because they, incredulously, did not stock “Practical Cryptography
  • Sitting down with Ed Skoudis (who was with SAIC at the time, I believe,) looking at one another and wondering just what the hell we were going to do with our careers in security
  • Spending $14,000 (I shit you not, it was the Internet BOOM time, remember) by hitting 6 of the best restaurants in New Orleans with a party of hax0rs and working the charge department at American Express into a frenzy (not to mention actually using the line from Pretty Woman: “we’re going to spend obscene amounts of money here” in order to get in…)
  • Burning the roof of my mouth by not heeding the warnings of the waitress at Cafe Dumonde, biting into a beignet which cauterized my mouth as I simultaneously tried to extinguish the pain with scalding hot Chicory coffee.

I came back from that week knowing with every molecule in my body that even though I’d been “doing” security for 5 years already, it was exactly what I wanted to for the rest of my life.

I have Stephen Northcut to thank for that.  I haven’t been to a SANS since 1999 (don’t ask me why) but I am so excited about going back in August in DC (SANS What Works In Virtualization and Cloud Computing Summit) and giving a keynote at the event.

It’s been a long time.  Too long.


Enhanced by Zemanta

Don’t Hassle the Hoff: Recent Press & Podcast Coverage & Upcoming Speaking Engagements

February 19th, 2010 No comments

Here is some of the recent coverage from the last couple of months or so on topics relevant to content on my blog, presentations and speaking engagements.  No particular order or priority and I haven’t kept a good record, unfortunately.

Important Stuff I’m Working On:

Press/Technology & Security eZines/Website/Blog Coverage/Meaningful Links:

Recent Speaking Engagements/Confirmed to  speak at the following upcoming events:

  • Govt Solutions Forum Feb 1-2 (panel |n DC)
  • Govt Solutions Forum Feb 24 D.C.
  • ESAF, San Francisco, March 1
  • Cloud Security Alliance Summit, San Francisco, March 1
  • RSA Security Conference March 1-5 San Francisco
  • Microsoft Bluehat Buenos Aires, Argentina – March 16-19th
  • ISSA General Assembly, Belgium
  •, Belgium
  • Codegate, South Korea, April 7-8
  • SOURCE Boston, April 21-23
  • Shot the Sherrif – Brazil – May 17th
  • Gluecon , Denver, May 26/27
  • FIRST, Miami, FL,  June 13-18
  • SANS DC – August 19th-20th

Conferences I am tentatively attending, trying to attend and/or working on logistics for speaking:

  • InterOp April 25-29 Vegas
  • Cisco Live – June 27th – July 1st Vegas
  • Blackhat 2010 – July 24-29 Vegas
  • Defcon
  • Notacon

Oh, let us not forget these top honors (buahahaha!)

  • Top 10 Sexy InfoSec Geeks (link)
  • The ThreatPost “All Decade Interview Team” (link)
  • ‘Cloud Hero’ and ‘Best Cloud Presentation’ – 2009 Cloudies Awards (link), and
  • 2010 RSA Social Security Bloggers Award nomination (link) 😉

[I often get a bunch of guff as to why I make these lists: ego, horn-tooting, self-aggrandizement. I wish I thought I were that important. 😉 The real reason is that it helps me keep track of useful stuff focused not only on my participation, but that of the rest of the blogosphere.]


Don’t Hassle the Hoff: Recent Press & Podcast Coverage & Upcoming Speaking Engagements

October 26th, 2009 1 comment


Here is some of the recent coverage from the last month or so on topics relevant to content on my blog, presentations and speaking engagements.  No particular order or priority and I haven’t kept a good record, unfortunately.

Press/Technology & Security eZines/Website/Blog Coverage/Meaningful Links:


Recent Speaking Engagements/Confirmed to  speak at the following upcoming events:

  • Enterprise Architecture Conference, D.C.
  • Intel Security Summit 2009, Hillsboro OR
  • SecTor 2009, Toronto CA
  • EMC Innovation Forum, Franklin MA
  • NY Technology Forum, NY, NY
  • Microsoft Bluehat v9, Redmond WA
  • Office of the Comptroller & Currency, San Antonio TX
  • Intercloud Working Group, GooglePlex CA 😉
  • CSC Leading Edge Forum, VA
  • DojoCon, VA

I also forgot to thank Eric Siebert for putting together the VMware Top 20 blog list and putting me on it as well as the fact that Rational Survivability made the Datamation 2009 Top 200 Tech Blogs list.


SQUIRREL! I’m joining Cisco.

June 9th, 2009 10 comments

squirrel-xsmallFrom the Cisco Data Center Networks Blog:

So, for me, one of the best parts of working here at Cisco is the opportunity to work with some incredibly smart folks.  Today, I can add one more person to that group of folks—Christofer Hoff is joining the Cisco Data Center Solutions team.  Chris has built a solid reputation in the industry for domain expertise, forward thinking and incisive commentary blended with a healthy dose of wit.  I know Chris has the tenacity of a squirrel chasing an acorn, and I am personally quite pleased to welcome Chris to the team as I see he will add both depth and breadth to our efforts.  So, if you are not familiar with Chris, definitely check out his blog, Rational Survivability and you can also follow him on Twitter as @Beaker.

Thanks for the warm welcome, Omar.  I’m beyond psyched. Besides getting to work with some awesome friends, I finally get to hug a Nexus 7000.  Getting my fingers back in the pie with cutting-edge technology, partners and customers should translate into even more interesting things to discuss when appropriate.  I can’t wait.

To answer your question before you ask it: “Yes, Same blog time. Same blog channel. Now with extra datacenter fu.”


Categories: Career, Cisco Tags:

Hoff’s (Still) For Hire: There’s Only So Many Honey-Do’s I can Do’s…

April 15th, 2009 No comments


hoffforhireUpdate: Since I posted this in February, I’ve had some awesome opportunities arise but I haven’t yet secured my dream job, so I thought I’d repost this prior to the RSA Security show next week.

I’ll be keynoting at the America’s Growth Capital Information Security Conference as well as speaking numerous times at RSA.  You can reach me in any of the ways listed below.

The last two years have been a blast but all things must come to an end.

At the conclusion of March, I am moving on to newer pastures.  Where that is may be up to you.
I am exploring all options with a focus on traditional security roles including CISO/CSO, but I’d prefer architect/evangelist/CTO roles that focus more on virtualization and Cloud Computing security.  Start-ups, Up-Starts or large companies are all game.

If you’ve got an opportunity that you think we’d both be a match for, feel free to reach out.  

A dose of reality: If you’re not serious about envelope pushing, thought/industry leadership, world domination and unabashed enthusiasm sprinkled with rational pragmatism, I’m not your guy…

My LinkedIn profile is here.  My email is here.  You can reach my call router at +1.978.631.0302.  You can find me on Twitter here: @beaker



Categories: Career Tags:

Hire the Hoff – I’m On the Market, Whatcha Need? ;)

February 23rd, 2009 5 comments

The last two years have been a blast but all things must come to an end.

At the conclusion of March, I am moving on to newer pastures.  Where that is may be up to you.

I am exploring all options with a focus on traditional security roles including CISO/CSO, but I'd prefer architect/evangelist/CTO roles that focus more on virtualization and Cloud Computing security.

If you've got an opportunity that you think we'd both be a match for, feel free to reach out.  

A dose of reality: If you're not serious about envelope pushing, thought/industry leadership, world domination and unabashed enthusiasm sprinkled with rational pragmatism, I'm not your guy…

My LinkedIn profile is here.  My email is here


Categories: Career Tags:

Your InfoSec Dream Job?

January 4th, 2008 9 comments

Assuming you were going to stay in the "Information Security" industry, what would you do if you could pack up your office tomorrow and move into shiny new digs in your dream job?  What would that be?  With whom?  Doing what?

I’ll start:

  • On the vendor side: I’d go to a start-up/up-start (my 5th?) again where I can make a huge difference.  I’d do something with virtualization, information-centric security survivability and converged enterprise architecture.  I’d find my next Crossbeam.
  • In the Enterprise, I’d go to a mid-sized progressive services-focused company who understands and "appreciates" the management of risk and investing in security that can be used as a strategic differentiator for the betterment of the business.
  • Venture Capital: I’d love to work in some capacity for a fund with a large and diverse portfolio that would allow me to evaluate technology for investment potential.
  • Research/Analysis: I’d look into a DARPA/NSF-funded long-term research project focused on next generation networking with an integrated security services layer, working to solve long term event-horizon survivability/assurance problems and delivery modality constructs.
  • Independent Consultancy:  I’ve done it before and it became a 7 year rollercoaster ride that was fantastic.  More and more companies need objective "executive steering assistance" for business-aligned, long term strategic risk management, business resilience, information assurance and infrastructure protection guidance.  Just ask Mogull.

You can thank the fine people at St. James’s Gate Brewery for this one.

Your turn.


Categories: Career Tags:

The Seesaw CISO…Changing Places But Similar Faces…

December 8th, 2007 1 comment

…from geek to business speak…

Dennis Fisher has nice writeup over at the SearchSecurity Security Bytes Blog about the changing role and reporting structure of the CISO.

Specifically, Dennis notes that he was surprised by the number of CISOs who recently told him that they no longer report to the CIO and aren’t a part of IT at all.  Moreover, these same CISOs noted that the skillset and focus is also changing from a technical to a business role:

In the last few months I’ve been hearing more and more from CEOs,
CIOs and CSOs about the changing role of the CSO (or CISO, depending on
your org chart) in the enterprise. In the past, the CSO has nearly
always been a technically minded person who has risen through the IT
ranks and then made the jump to the executive ranks. That lineage
sometimes got in the way when it came time to deal with other upper
managers who typically had little or no technical knowledge and weren’t
interested in the minutiae of authentication schemes, NAC and unified
threat management. They simply wanted things to work and to avoid
seeing the company’s name in the papers for a security breach.

But that seems to be changing rather rapidly. Last month I was on a
panel in Chicago with Howard Schmidt, Lloyd Hession, the CSO of BT
Radianz, and Bill Santille, CIO of Uline, and the conversation quickly
turned to the ways in which the increased focus on risk management in
enterprises has forced CSOs to adapt and expand their skill sets. A
knowledge of IDS, firewalls and PKI is not nearly enough these days,
and in some cases is not even required to be a CSO. One member of the
audience said that the CSO position in his company is rotated regularly
among senior managers, most of whom have no technical background and
are supported by a senior IT staff member who serves as CISO. The CSO
slot is seen as a necessary stop on the management circuit, in other
words. Several other CSOs in the audience said that they no longer
report to the CIO and are not even part of the IT organization.
Instead, they report to the CFO, the chief legal counsel, or in one
case, the ethics officer.

I’ve talked about the fact that "security" should be a business function and not a technical one and quite frankly what Dennis is hearing has been a trend on the uptick for the last 3-4 years as "information security" becomes less relevant and managing risk becomes the focus.  To wit:

The number of organizations making this kind of change surprised me
at the time. But, in thinking more about it, it makes a lot of sense,
given that the daily technical security tasks are handled by people
well below the CSO’s office. And many of the CSOs I know say they spend
most of their time these days dealing with policy issues such as
regulatory compliance. Patrick Conte, the CEO of software maker
Agiliance, which put on the panel, told me that these comments fit with
what he was hearing from his customers, as well. Some of this shift is
clearly attributable to the changing priorities inside these
enterprises. But some of it also is a result of the maturation of the
security industry as a whole, which has translated into less of a focus
on technology and more attention being paid to policies, procedures and
other non-technical matters.

How this plays out in the coming months and years will be quite
interesting. My guess is that as security continues to be absorbed into
the larger IT and operations functions, the CSO’s job will continue to
morph into more of a business role.

I still maintain that "compliance" is nothing more than a gap-filler.  As I said here, we have compliance as an industry [and measurement] today because we manage technology
threats and vulnerabilities and don’t manage risk.  Compliance is
actually nothing more than a way of forcing transparency and plugging a
gap between the two.  For most, it’s the best they’ve got.

Once organizationally we’ve got our act together, compliance will become the floor, not the ceiling and we’ll really start to see the "…maturation of the security industry as a whole."