Back after a longer than usual summer break, this is the
fourth and last in a series of commentaries on what's wrong with information
security and what needs to be changed. Previous postings have discussed the
need for changes in the perception and sponsorship of security, the changes
needed in standards and the future solutions needed to safeguard our future
interests. This posting discusses the new skills needed to manage the emerging
It has taken a few decades to develop, agree and establish
mature professional development schemes. Twenty years ago there were no
recognised information security qualifications. Now there are dozens. I have a
friend with more than fifteen of them. In contrast I have none, though my
consultancy day rate is higher - at least for the moment. If this trend
continues however I will probably be barred from practising.
Of course having a licence to operate is no bad thing if the
qualifications are fit for purpose. The problem is that the problem space is
changing, many of the recognised skills are wrong for the future, and the level
of education provided is inadequate. I think we'd all agree that security training
needs a substantial boost, at all levels. But it must be based on a good understanding
of the competences we need to encourage.
So what's wrong with today's security skills? The biggest
problem is that management competences are rooted in industrial age thinking. Paper
policies and scripted processes dominate the solution space, and governance systems
operate on year-long cycles. Risk assessments and ISO certifications are useful
background support tools. But they have progressively assumed centre stage.
Today's challenges demand speed, agility and a capability to
influence large numbers of people across networks. We need smarter supply chain
leadership and effective, real-time analysis and response systems. We need
security managers who understand the psychology of human behaviour, as well as the
tricks of the trade of the marketing world.
In a world of increasing reliance on trust in external
enterprises we need audits, but they need to change from a 400 question,
tick-box checklist to a more qualitative, due diligence process that sets out to
gauge the degree of business risk associated with partners that prefer not to operate
the same security policies.
And we need better strategic response and investigation
skills. Development of good crisis management skills has been constrained by
procedure-bound disaster recovery thinking combined with scripted IT Helpdesk
response processes. Smart improvisation and an ability to recognise and
preserve the value of intellectual assets are the foundations of effective,
modern crisis management.
We also need superior investigative and forensic analysis skills
to limit the damage of persistent, fast-moving attacks. But most importantly we
need intelligent security testing and creative vulnerability management. At
present we teach people to scan platforms for security flaws, but not how to
assess and reduce the potential impact of flaws.
I regularly observe a procession of so-called "ethical
hackers" scanning systems for flaws without a sensible consideration of the
business impact of their findings. These people are neither ethical nor are
Twenty years ago, when reviewing the security of a SCADA
system, I would sit down with the engineers and identify the type of attacks
that might bring a plant to a dangerous state. Today, a team of testers simply
plugs in a scanning engine and generates a list of outstanding patches.
Security testing needs to draw on a good understanding of
secure development techniques, an understanding of offensive strategies and a
capability for real-time reverse engineering. These skills are thin on the
For all these reasons, I conclude that the competences we
possess are inadequate for the emerging challenges we face. Will anyone respond
to this need? "Probably not" is the sad answer, as professional development
schemes are shaped primarily by the political interests of governments and
institutes, the need for organizations to demonstrate a level of competence to
regulators, and the revenues generated by training courses. Making the world a
safer place is much lower on the agenda.