What’s the biggest problem in computer security, according to valsmith at carnal0wnage.attackresearch.com? Well, it’s…
Staffing.
As the author admits, the post leans toward self-promotion of the company, but it makes many good points and deserves a read and a good pondering.
8 Critical Skills for Security Analysts
If you’re interesting in really mastering computer security, reading through the list of 8 skills that the author says you must have will be disheartening. It’s a long, tough list, and few can do it all, and it takes decades to get there.
But I agree that at minimum you need to master the top 3 (soft skills, documentation skills, and data mining), and add the others as you gain experience. Just being a bad dude is no longer enough.
Lone Ranger
One of the points in the post is that too many “security” companies out there get bids for projects and then try to find people to do the job, much like temp agencies. Or they are top heavy with management and mentors, but few actual security analysts.
I was courted by what I’d call a “little 4” firm that wanted to add security analysis and penetration testing to their list of IT audit, SOX audit, and financial audit services. Yep, I would have been THE TEAM. Just me.
Although I’ve developed the security department and processes from scratch before, being the lone ranger on this team would have been a disaster, because whether you’re a big 4 and or little 4 firm, billable hours are king. I would have burned out.
Besides, I know myself well enough to admit that I am not skilled enough to carry such a load by myself, at least not in the exploit and penetration arena.
I had one job where I was the top security guy without any other security people around me. It was miserable to have everyone come to me for the answers, without anyone to challenge me. It worked out, but it was a lonely trek for several years until I could hire others.
Certification is not the Solution
At the end of the Biggest Problem post is this statement:
Going through the entire SANS curriculum isn’t doing it and CISSP sure as hell isn’t doing it.
I agree. Going to top-notch classes is great, but if you don’t continually practice and use what you’ve learned (and constantly learn more), classes are just CPEs. And too many think they’re a security pro once they get their CISSP. No, that just means you have a good foundation to build on.
The same goes for the CISA, which does not an IT auditor make. True, you can get jobs with either certification if HR and the hiring manager are weak, but it’s tough to keep the job if that’s all you have–without years of experience in doing actual projects and grappling with the technology.
Getting back to the main point of the Biggest Problem post: computer security is poor because of staffing, or the lack of skilled security people…While I agree that’s a big problem, I believe the bigger problem is management–hear me out.
Management is the Biggest Problem
The reason that more people are not highly skilled in security is because most executives don’t believe security is worth the big investment. It’s supply and demand.
As a result, partially skilled people are hired to do the job because 1) lack of skilled pros, 2) skilled pros are too expensive and management will ignore the results anyway, 3) most management does not understand security basics (or risk!), and 4) cheaper, partially-skilled people allow you to “check the compliance box” and still make your budget. At that point, if a company DOES has any good security staff, they don’t stay for long.
Now you could say that security pros can’t convince management that they need real security maintained by highly skilled people, but if something happens, who’s responsible? Management! So you cannot blame security teams for not being good enough salespeople.
Yes, security teams need to educate management continually, but management has to WANT to learn and understand, and then they have to back it up with funding. Blaming poor security budgets on the lack of security salesmanship is just a bogus reason.
The Biggest Problem post is long, but worth the read; get it here. What do you think?
My other posts that touch on this and related subjects:
ITauditSecurity 