Professionalism Archives

December 7, 2006

The Importance of Training

Lecturing yesterday on the MSc course at Royal Holloway University of London reminded me of the importance of professional training for Information Security staff. As the late George van Eps, a jazz guitarist, once put it: “Luck won’t do it, and ignorance can’t”. Unfortunately there’s nowhere near enough professional training around. And the capacity of our university courses is very limited. So we are heading for problems in the future, unless we change our ways.

Information Security is a rich, complex subject, getting bigger by the day. Most of the leading professionals I know were self-taught. You could get away with that a couple of decades ago, because there was no established body of knowledge, very little in the way of professional training and few specialist areas. Today, the scope of the subject is huge, encompassing many niche areas, each worthy of an individual course in itself.

So what should we be doing to improve the situation? In my view the answer is to put more people through MSc or Post-Graduate Diploma courses. That’s the level of study required to do the job today. I did this at Royal Mail Group and it works. I put all my Information Security staff through Royal Holloway training and it transformed the quality of the in-house function. There is no substitute. Certification bodies, personal development schemes and professional societies are the icing on the cake. None of them can make a real difference without the underpinning professional education.

December 23, 2006

Security Achieves a New Level of Maturity

Looking back over 2006 I have to say that although it’s been largely more-of-the-same for many IT Security practitioners, there's undoubtedly been a significant shift in the perception of other stakeholders, whether business, IT or citizens. Partly it’s been due to increased compliance demands forcing many organisations to manage their operational risks. But largely it’s down to the increasing experience by everyday people of the importance of vulnerability management and the hazards of the Internet.

From my own perspective, with around two and a half decades of professional experience, I’m impressed with the degree of knowledge and professionalism that you can find in large organisations today, as well as the size of their budgets and headcounts. Back in the 80s there were only a handful of full-time practitioners, and no established body of knowledge on the subject. Practitioners were self-taught and operated independently. Throughout the 90s we saw increased networking and knowledge sharing, and the emergence of early security technologies. But few organisations had effective enterprise management systems. And many had yet to establish a professional function. The dotcom boom made some aspects of IT Security fashionable, and we briefly saw some rather ordinary security companies achieve staggering, though temporary, growth in market capitalisation. But this market was driven by investors’ greed, not real customer demand, so the boom was short-lived.

For me 2006 has been a watershed year for security process maturity, professionalism and technology. We’ve seen the birth of a new Institute – The IISP - though it has an awful long way to go to prove it can deliver anything useful. And for the first time, it seems that the majority of large organisations actually have a functioning management system, and a good professional relationship with other corporate functions. I’ve also seen an impressive range of specialised technologies emerge from start-up companies. These technologies will take a few years to be absorbed into the corporate tool box, but when they do they will provide unprecedented visibility and control of security across the enterprise.

So 2006 has been a good year for IT Security. The only thing we missed was the Electronic Pearl Harbour incident to wake us all up. Back in 1999 I forecast this was unlikely to strike until 2006. It didn’t happen. But it might well be on the horizon as we enter the New Year.

January 28, 2007

White Hats Do Good

Friday’s excellent White Hat Ball demonstrated that security professionals can deliver value to the Community, by raising a substantial amount of money for the Childline Charity. It was great to see so many user organisations taking tables for their teams. Five years ago, you would have had to look very hard to spot a CISO at any of the London Charity Balls. What a contrast! Congratulations to all of the organisers for a great job done, and special thanks to the highly professional Merrill Lynch team for inviting me to join them.

February 22, 2007

Time for a New Standard for Software Development

Stuart King's posting on the importance of process reminded me of the important issue of software development standards. I believe it's time for a big change, for a fresh approach. Because our legacy standards are no longer fit for purpose.

Back in the 80's the US Department of Defense established the Software Engineering Institute (SEI) at Carnegie Mellon University to address the issue of software quality. The SEI built on some emerging concepts from Total Quality Management to develop the first Capability Maturity Model (CMM) - a major breakthrough. Wonderful stuff, except that it was developed to solve the problems of large-scale Defense programmes. And in such environments, implementing and certifying development processes against several hundred pages of controls was no problem at all.

Fast-forward to 2007 and much of the critical software we depend on is developed by small start-up companies with no more than a dozen programmers operating in a highly informal environment. Does the Carnegie Mellon model fit this environment? Absolutely not. It remains a useful benchmark for any organisation that seeks to off-shore their software development. But it does not fit the shrink-wrapped package world, operating out of a Silicon Valley garage or a backstreet Soho office.

In addition we now have to accommodate the new science of security vulnerability management. No code should be cut today without meeting tough security standards to remove exposures to buffer-overflow and other nasty vulnerabilities. Microsoft has set the standard in this direction and they should rightly be applauded. But not everyone else gets it. And even then, we have a big hill to climb in order to update our System Development Lifecycle (SDC) methodologies and train our designers and programmers in how to develop security architectures and cut secure code.

So we need a new approach. We need a new software development standard that's lightweight enough to be adopted by small technology companies, but captures all the essential new security practices. Any ideas on how we get there?

May 19, 2007

Honesty and Openness are the Foundations of Real Security

I never know whether to believe IT vendors when they tell me that they're serious about security. After all, as Mandy Rice-Davies famously put it: "Well they would say that wouldn't they". So I was very pleased when Microsoft recruited ex-FBI Special Agent Ed Gibson in a high profile security role. Because I know that Ed wouldn't work for an organisation he didn't believe in. When Ed speaks - as he did rather eloquently at this week's NISC8 Conference - you can tell it comes from the heart. It's not company-speak and he doesn't pull his punches. And that's the best way to manage PR in today's highly-connected Web 2.0 World. Smart companies listen to - rather than gag - their employees. And that way, as Mandy Rice-Davies also put it, they may one day be able to look back on their life as "one long descent into respectability".

May 20, 2007

Don't miss out on the Cyber Security KTN Conference

I'm a very keen supporter of research and innovation. Without it, I believe we will face serious problems in the future, as many of our traditional physical and procedural controls will be largely irrelevant in a highly-networked, fully-automated business environment. We need fresh thinking, new approaches and innovative solutions. The problem is that traditional research and development models are not a good fit for today's fast-changing, short-term business world. The old pipeline process that took an idea from theoretical research, through applied research to implementation broke down a long time ago. We need better, more dynamic approaches to help bridge the gap between business problems and academic solutions. The excellent MIT Media Lab does this by regularly introducing visiting business executives to blue sky researchers, in the serendipitous hope that a spark of left-field scientific thinking will generate a breakthrough solution for a thorny business problem. But it costs a lot to join one of their consortia. And even more to ship your executives over to Boston for tours of the Lab.

UK organizations have provided much of the thought leadership for modern Information Security Management. We have the advantage of a well-connected user community and more than our fair share of top CISOs. But we need stronger links between Industry, Government and Academia. So it's great to see DTI bringing together security managers and researchers through their Cyber-Security Knowledge Transfer Network. It's free and it has already introduced many business managers to a new world of academic research. By participating in their programme, I've already discovered many new hot-spots of academic excellence in areas such as network security, artificial intelligence, secure coding and behavioral analysis. And a lot of it is directly relevant to many of my current activities. Whether you're a security manager, a product developer, a researcher or a venture capitalist, it's well worth getting involved. So make a date in your diary for 12th June to attend the Cyber-Security KTN Conference in London. It's free and I guarantee that it will give you a fresh perspective on how to develop solutions to your security problems.

June 28, 2007

The Dark Side of Security

I’m always fascinated but saddened to read about cases where wealthy people pay large sums of money to buy intelligence from shady information brokers. The recent case of two police officers, caught bugging phones and hacking into computers is a classic case. As is so often the case, it seems that most clients are domestic, i.e. husbands spying on wives or vice versa. You rarely see blue chip companies engaging in such practices. Of course, we have seen one recent example of dirty tricks within a top technology organisation. But that’s the exception. Most respectable companies will avoid engaging in illegal information gathering activities at all costs because the risks are too great and it's always possible that some company staff will object or blow the whistle.

That’s not to say that organisations shouldn’t engage in healthy competitive intelligence gathering, which is a fundamental business requirement in a fast-moving competitive environment. But it’s vital to draw a clear line around the limits of acceptable activity and to avoid crossing it at all times. Because it’s increasingly hard to keep secrets in today’s world of free-flowing, open communications. And if you’re caught it’s hugely damaging to corporate reputation and staff morale.

August 29, 2007

Security Managers are Getting Smarter

Over the last week, I’ve been interviewing a few selected security managers for a forthcoming Computer Weekly special. It’s been an interesting experience, and I was highly impressed with what I heard. Today’s security managers are far more sophisticated than they used to be. They have a better understanding of the business landscape and the emerging challenges. They also have a more realistic appreciation of the limitations of the resources at their disposal and how to get the best out of them. And they are more articulate when explaining complex security issues to directors and business colleagues.

Security has come a long way in the last two decades. Back in the eighties it was a backwater for aging operations managers, or auditors trying to escape the accountancy profession. In contrast modern security managers have to straddle the technical and the business dimensions of the problem and solution spaces. And they must be able to master the human factor, whether it's tackling staff, criminals or hard-nosed business managers. It’s a major challenge. A top CISO needs all the qualities of a CIO but with state-of-the-art know-how about current vulnerabilities and emerging threats. And many are rising to the challenge. I've seen far more successes than failures in recent years.

Where will it all end? Will we ever see security on the Board? Probably not, because at very senior levels it’s hard to justify operating within such a narrow specialism. One thing is certain however. Top security practitioners will continue to require a greater set of skills and knowledge than many other parts of IT and business. That's why the top jobs continue to attract such high salary packages.

November 27, 2007

Security is the New Rock And Roll

I always felt there was potential for IT Security to become fashionable, especially with those Die Hard and James Bond connections. Of course the problem is the rather pedestrian types that IT Security attracts, who are generally rather conservative or nerdish. So it’s so refreshing to hear of one of our community being described as the “rock star of security outreach”. I’m referring of course to the excellent Ian Cook of FIRST and other fame. I’d certainly endorse that. Though as a long-standing jazz fan, I’m not entirely sure it’s a compliment.

January 9, 2008

It’s Time to Clean up our Language

What’s in a phrase? Not a lot if you’re gossiping casually, though style, fashion or taste might perhaps shape your choice of words. But words mean a lot if you’re aspiring to operate in a professional manner, because precise definitions are the basis of the body of knowledge that underpins any professional practice.

So perhaps it’s about time we cleaned up our choice of terminology. I was reminded of this today when a professional body asked me for my views on the term “ethical hacking”. It’s one of those phrases that’s crept into usage to describe what I’d call "penetration testing", though I’m not entirely sure if that’s an accurate description for the activity of live testing of systems or infrastructure to identify security vulnerabilities. But ethical hacking is definitely a misnomer. Firstly, because it has a different objective from hacking, i.e. it’s intended to detect security vulnerabilities, not achieve a penetration of a system. And secondly, because it’s a straightforward business requirement and has little to do with ethics.

There are lots of security glossaries around. Microsoft has one but it doesn’t include the word testing (bit worrying that). SANS has one that includes penetration testing but describes it as merely testing the external perimeter security. The IETF has a better definition for penetration testing, but falls down when it comes to “hacker” by describing it as "someone who figures things out and makes something cool happen”. Arghhh!

February 14, 2008

Ethical Hacking

I was surprised to read that a 16 year old teenager has achieved a qualification in ethical hacking. It’s clearly a great achievement for him. No doubt he will have a great future ahead of him. But how can such a thing be possible? Penetration testing requires a lot more than technical knowledge. It calls for a high level of integrity, a good appreciation of business risks and a sound understanding of the economics of security solutions. Let's hope that organisations look for more than paper qualifications when hiring contractors to test their systems. And let's hope that security professionals stop using that dreadful term, which has little to do with ethics or hacking.

March 4, 2008

Professionalism

I’m pleased that my fellow blogger, Stuart King, takes pride in his new qualification as one of the first full members of the Institute of Information Security Professionals (IISP). It’s certainly a good thing to encourage security practitioners to aim for professional recognition. And as a founding director I have a soft spot for the Institute.

But I do worry about the continuing focus on qualifications rather than education. In my view we’re not tackling the real problem. Qualifications don’t make people better at their jobs. The key requirement is training. And there’s simply not enough of that.

Security professionals should be encouraged to attain an MSc or post graduate diploma. That’s the minimum standard appropriate to the work, and the target I set for Royal Mail Group practitioners. Obtaining qualifications on the basis of experience is a less demanding route. It might solve a management problem but it doesn’t improve the quality of the work.

March 13, 2008

The Softer Side of Security

For the last few days I've been over in Orlando speaking at MIS Training Institute's excellent Infosec World. It's one of the most comprehensive conferences in terms of subject area coverage, with 11 simultaneous streams of in-depth presentations. And the feedback from delegates is always good. So it provides an interesting perspective on the state-of-the-art of the US security community and an indication of the challenges facing security professionals.

In the UK we're used to looking to the USA for an idea of what's coming next. But in the information security world the opposite has often been the case in recent years as US companies adopt UK innovations such as ISO standards, ITIL management processes and de-perimeterisation strategies.

However the traditional gap between US and UK security emphasis - the former having a stronger technology focus and the latter more process-oriented - has largely disappeared. Programmes such as Infosec World now have a strong emphasis on softer management issues such as leadership, business alignment and human factors. It's an encouraging trend and one that's set to continue for a long time.

About Professionalism

This page contains an archive of all entries posted to David Lacey's IT Security Blog in the Professionalism category. They are listed from oldest to newest.
