Recently in Professionalism Category

I was deeply saddened last week to hear about the death of Gene Schulz. If a man is judged by the number of his admirers then Gene was a big man. (More than 730 people have signed the guest book on his personal site.)  But Gene was a big man in every way: a towering personality with a commanding presence, huge warmth and a great intellect.

Gene was an outstanding innovator, teacher and diplomat. His professional career was unsurpassed in its breadth and depth, operating across all sectors and encompassing teaching, research, consultancy, security management and product development. But more that he was a wonderful, generous human being. He leaves a gap that cannot be filled and will be sadly missed. Grief is the price we pay for love. 

Back after a longer than usual summer break, this is the fourth and last in a series of commentaries on what's wrong with information security and what needs to be changed. Previous postings have discussed the need for changes in the perception and sponsorship of security, the changes needed in standards and the future solutions needed to safeguard our future interests. This posting discusses the new skills needed to manage the emerging security landscape.

It has taken a few decades to develop, agree and establish mature professional development schemes. Twenty years ago there were no recognised information security qualifications. Now there are dozens. I have a friend with more than fifteen of them. In contrast I have none, though my consultancy day rate is higher - at least for the moment. If this trend continues however I will probably be barred from practising.

Of course having a licence to operate is no bad thing if the qualifications are fit for purpose. The problem is that the problem space is changing, many of the recognised skills are wrong for the future, and the level of education provided is inadequate. I think we'd all agree that security training needs a substantial boost, at all levels. But it must be based on a good understanding of the competences we need to encourage.

So what's wrong with today's security skills? The biggest problem is that management competences are rooted in industrial age thinking. Paper policies and scripted processes dominate the solution space, and governance systems operate on year-long cycles. Risk assessments and ISO certifications are useful background support tools. But they have progressively assumed centre stage.

Today's challenges demand speed, agility and a capability to influence large numbers of people across networks. We need smarter supply chain leadership and effective, real-time analysis and response systems. We need security managers who understand the psychology of human behaviour, as well as the tricks of the trade of the marketing world.

In a world of increasing reliance on trust in external enterprises we need audits, but they need to change from a 400 question, tick-box checklist to a more qualitative, due diligence process that sets out to gauge the degree of business risk associated with partners that prefer not to operate the same security policies. 

And we need better strategic response and investigation skills. Development of good crisis management skills has been constrained by procedure-bound disaster recovery thinking combined with scripted IT Helpdesk response processes. Smart improvisation and an ability to recognise and preserve the value of intellectual assets are the foundations of effective, modern crisis management. 

We also need superior investigative and forensic analysis skills to limit the damage of persistent, fast-moving attacks. But most importantly we need intelligent security testing and creative vulnerability management. At present we teach people to scan platforms for security flaws, but not how to assess and reduce the potential impact of flaws.

I regularly observe a procession of so-called "ethical hackers" scanning systems for flaws without a sensible consideration of the business impact of their findings. These people are neither ethical nor are they hackers.

Twenty years ago, when reviewing the security of a SCADA system, I would sit down with the engineers and identify the type of attacks that might bring a plant to a dangerous state. Today, a team of testers simply plugs in a scanning engine and generates a list of outstanding patches.

Security testing needs to draw on a good understanding of secure development techniques, an understanding of offensive strategies and a capability for real-time reverse engineering. These skills are thin on the ground.  

For all these reasons, I conclude that the competences we possess are inadequate for the emerging challenges we face. Will anyone respond to this need? "Probably not" is the sad answer, as professional development schemes are shaped primarily by the political interests of governments and institutes, the need for organizations to demonstrate a level of competence to regulators, and the revenues generated by training courses. Making the world a safer place is much lower on the agenda. 

Ian Cook's excellent Dragon News Bytes drew my attention to an article in the Wall Street Journal on the importance of having a prepared elevator speech. It's an essential requirement for any CISO, yet one that few security managers have up their sleeves.

Regardless of whether you share an elevator-equipped office with your CEO, every security manager needs to be able to summarise key facts and recommendations in less than ten seconds. Developing the ability to sum up a speech in seconds is essential for presenting to boards as well as for managing the media.

Board directors make quick decisions. They can jump to a conclusion and cut you off before you've made your main points. You need to summarise them at the outset of your pitch. Media interviews, no matter how long, also need a brief summary to introduce the programme or article. 

And, most important of all, in today's world of continuous headcount reduction every security manager needs an instant survival speech to convey their full business value to a visiting McKinsey consultant. So start practicing that pitch if you wish to succeed in big business. 

The bad news about UK education is that computing is going out of favour. The good news is that psychology is booming. Tomorrow's employees might have less ability to program a computer, but they'll be better equipped to understand customers and to manipulate public opinion. That's a step in the right direction for information security management: we only need a small number of expert technologists, but we need an army of good communicators. 

The Sun came out last Thursday to celebrate the award of a Royal Charter to the Information Technologist's Company. It was a spectacular event: a formal service at St Paul's Cathedral followed by a procession of pikemen and musketeers, and topped by a Royal dinner at the Mansion House with the Lord Mayor of London. It's also a sign of the times. The IT industry underpins the success of the City, and rightly deserves a place at its top table.   

What are the skills we should be looking to teach the information security professionals of the future? It's a good and timely question given the current proliferation of training courses and the growth in professional development schemes.

I've been disappointed with much of the accepted wisdom drawn from analysis of member surveys by professional institutes. They tend to have employed the wrong approach. We need some original, logical and lateral thinking. Inspired by this thought, I've drawn up a list of my seven top skills for the future information security profession. They are:

1. An understanding of psychology to plan interventions that can might actually have an impact on the behaviour of staff.

2. Social networking skills to influence and harness the support of large numbers of users and customers over social networks.

3. Skills in marketing communications to design compelling, effective awareness campaigns and materials.

4. Strong commercial management skills to specify and manage security across business partnerships and outsourced supply chains.

5. Sophisticated crisis management skills to safeguard the organisation's intellectual assets (not just the data) in the likely event of a major security breach.

6. Digital forensic skills to detect and prove when an intruder has infiltrated or modified the organisation's intellectual assets.

7. A sound knowledge of legal and regulatory requirements and issues.  

You can read more about my thoughts on how to go about forecasting future trends and skills on my latest Infosecurity Advisor blog posting.     

Congratulations to Graham Cluley of Sophos who won the Computer Weekly 2009 best blog award. Congratulations to Computer weekly also for unselfishly excluding their own bloggers from the competition. In the topsy turvy world of the blogosphere it clearly pays not to blow your own trumpet. 

I was disturbed to read about Adam Laurie's claim that he successfully cloned and changed the data on a UK Identity Card. I was also concerned to read the Home Office response that "This story is rubbish".

It's sad that neither side can articulate a respectable account of the claimed weakness and why or not this might present a problem. Publishing a sensational account in a national newspaper is certainly not a professional way of managing a potential security weakness. But neither is a simple four-word denial from the Home Office.

All technologies, standards and implementations have weaknesses. The science of security management trick is to apply defence-in-depth controls to mitigate the associated risks. Without an insight into these controls, it's impossible to tell if a system is adequately secure. Personally, I would be astounded if the system was as wide open as Adam Laurie suggests, given the considerable expertise available to the Home Office.  

One trend this story does reflect is the inevitable growth in FUD, spin and disinformation that is an intrinsic feature of an information society. It's just unfortunate to see this happening within the information security profession.