Back after a longer than usual summer break, this is the fourth and last in a series of commentaries on what’s wrong with information security and what needs to be changed. Previous postings have discussed the need for changes in the perception and sponsorship of security, the changes needed in standards and the future solutions needed to safeguard our future interests. This posting discusses the new skills needed to manage the emerging security landscape.
It has taken a few decades to develop, agree and establish mature professional development schemes. Twenty years ago there were no recognised information security qualifications. Now there are dozens. I have a friend with more than fifteen of them. In contrast I have none, though my consultancy day rate is higher – at least for the moment. If this trend continues however I will probably be barred from practising.
Of course having a licence to operate is no bad thing if the qualifications are fit for purpose. The difficulty is that the problem space is changing, many of the recognised skills are wrong for the future, and the level of education provided is inadequate. I think we’d all agree that security training needs a substantial boost, at all levels. But it must be based on a good understanding of the competences we need to encourage.
So what’s wrong with today’s security skills? The biggest problem is that management competences are rooted in industrial age thinking. Paper policies and scripted processes dominate the solution space, and governance systems operate on year-long cycles. Risk assessments and ISO certifications are useful background support tools. But they have progressively assumed centre stage.
Today’s challenges demand speed, agility and a capability to influence large numbers of people across networks. We need smarter supply chain leadership and effective, real-time analysis and response systems. We need security managers who understand the psychology of human behaviour, as well as the tricks of the trade of the marketing world.
In a world that relies increasingly on trust in external enterprises we still need audits, but they need to change from a 400-question tick-box checklist into a more qualitative due-diligence process, one that sets out to gauge the business risk of partners that prefer not to operate the same security policies as we do.
And we need better strategic response and investigation skills. Development of good crisis management skills has been constrained by procedure-bound disaster recovery thinking combined with scripted IT Helpdesk response processes. Smart improvisation and an ability to recognise and preserve the value of intellectual assets are the foundations of effective, modern crisis management.
We also need superior investigative and forensic analysis skills to limit the damage of persistent, fast-moving attacks. But most importantly we need intelligent security testing and creative vulnerability management. At present we teach people to scan platforms for security flaws, but not how to assess and reduce the potential impact of flaws.
I regularly observe a procession of so-called “ethical hackers” scanning systems for flaws without a sensible consideration of the business impact of their findings. These people are neither ethical nor are they hackers.
Twenty years ago, when reviewing the security of a SCADA system, I would sit down with the engineers and identify the type of attacks that might bring a plant to a dangerous state. Today, a team of testers simply plugs in a scanning engine and generates a list of outstanding patches.
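To make the contrast in the last three paragraphs concrete, here is a small added illustration (my own example, not code from the original post): the same set of scanner findings ordered two ways, first as the scanning engine would order them, by technical severity alone, and then by the business impact a practitioner would weigh, taking into account what the asset does, how exposed it is and whether a compensating control is already in place. The asset inventory, findings, and the weights used are all constructed for the example and are not a standard of any kind.

```python
"""Impact-aware triage of scanner findings.

Added illustration; all assets, findings and weights below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical asset inventory: the context a scanning engine does not have.
ASSETS = {
    "plc-01":  {"role": "safety controller", "exposure": "process network",
                "consequence": "unsafe plant state"},
    "hist-01": {"role": "historian",         "exposure": "corporate",
                "consequence": "production data exposure"},
    "web-01":  {"role": "public website",    "exposure": "internet",
                "consequence": "reputational"},
    "test-07": {"role": "test bench",        "exposure": "isolated lab",
                "consequence": "none"},
}

# Illustrative weights (assumptions for this example, not a published scale).
CONSEQUENCE_WEIGHT = {"unsafe plant state": 10, "production data exposure": 6,
                      "reputational": 4, "none": 1}
EXPOSURE_WEIGHT = {"internet": 1.0, "corporate": 0.7,
                   "process network": 0.6, "isolated lab": 0.2}
COMPENSATION = 0.5  # halve effective exposure when a documented control exists


@dataclass
class Finding:
    asset: str
    title: str
    severity: float                          # scanner's technical score, 0-10
    compensating_control: Optional[str] = None


def impact_score(f: Finding, assets=ASSETS) -> float:
    """Severity scaled by exposure, compensating controls and consequence."""
    asset = assets[f.asset]
    exposure = EXPOSURE_WEIGHT[asset["exposure"]]
    if f.compensating_control:
        exposure *= COMPENSATION
    return round(f.severity * exposure * CONSEQUENCE_WEIGHT[asset["consequence"]], 1)


def patch_list(findings):
    """What the scanning engine produces on its own: ordered by severity only."""
    return sorted(findings, key=lambda f: f.severity, reverse=True)


def triage(findings, assets=ASSETS):
    """The same findings ordered by the impact a flaw could actually have."""
    return sorted(findings, key=lambda f: impact_score(f, assets), reverse=True)


# Constructed findings, in the form a scanner report would list them.
FINDINGS = [
    Finding("test-07", "unsupported OS, many missing patches", 9.8),
    Finding("web-01", "outdated TLS library", 7.5,
            compensating_control="patched reverse proxy and WAF in front"),
    Finding("plc-01", "engineering protocol accepts unauthenticated writes", 6.5),
    Finding("hist-01", "default database credentials", 8.0),
]


if __name__ == "__main__":
    print("Scanner order (severity only):")
    for f in patch_list(FINDINGS):
        print(f"  {f.severity:4.1f}  {f.asset:8}  {f.title}")
    print("Impact order (what the plant engineer cares about):")
    for f in triage(FINDINGS):
        print(f"  {impact_score(f):5.1f}  {f.asset:8}  {f.title}")
```

The point of the two orderings is the safety controller finding: by raw severity it sits at the bottom of the patch list, below an isolated test bench full of missing patches, while the impact-aware ordering puts it first because it is the one flaw that could bring the plant to a dangerous state. The weights are deliberately crude; what matters is that the questions asked (what does this asset do, who can reach it, what already stands in the way) are the ones the scanner cannot answer.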
Security testing needs to draw on a good understanding of secure development techniques, an understanding of offensive strategies and a capability for real-time reverse engineering. These skills are thin on the ground.
For all these reasons, I conclude that the competences we possess are inadequate for the emerging challenges we face. Will anyone respond to this need? “Probably not” is the sad answer, as professional development schemes are shaped primarily by the political interests of governments and institutes, the need for organizations to demonstrate a level of competence to regulators, and the revenues generated by training courses. Making the world a safer place is much lower on the agenda.