I recently attended a curriculum planning group for a 1-year post-grad in Information Security. The idea behind the course was a melding of business and infosec. There were a number of industry professionals, from both the vendor side and the corporate side and at the end of the entire thing I realized that there's a bit of a disconnect in the security world between the ones selling security and security-related information and the ones applying the security. It was a disconnect that reminded me of the entire end-user aspect of security issues.
One of the comments that was made, paraphrased because I can't remember it word for word, was, "If I'm hiring someone for my security team, I'd rather they understand the business side of things than the technical side. Anyone can Google how to configure a router." Someone told me that they can agree with the first part of this, and I can see that as well... It explains why my post-secondary education included courses on finance, ethics, project management, teamwork and business. I can't, for the life of me, understand the second part. This is where that "end user" aspect of security issues or in this case "user" aspect comes into play.
Let's look at the technical part of this... More and more high schools are offering the CCNA program and those students can configure a Cisco router... does that mean I trust them to securely configure the router? The answer is no. I decided to see what a Google search would reveal, so I entered the string, "Configuring a router". The first non-Cisco link I found was the one I went with. It read like something out of a CCNA textbook. No mention of security, use of the RIP routing protocol and many other things that were indicative of an amateur configuration. No hardening of the device, nothing... just a couple of IP addresses on interfaces and the ability to route between them.
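To make that point concrete, here is an added example, not from the original post or from the site the search turned up: a constructed configuration of the kind described above (addresses on two interfaces and RIP, nothing else), followed by a hardened version that does the same routing job. The interface names, addresses, the example.com domain name and the placeholder secrets are assumptions.

```text
! --- As found (constructed to match the post): addresses on two interfaces and RIP, nothing else ---
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
router rip
 network 192.0.2.0
 network 10.0.0.0
!
! --- Hardened (constructed): same routing job, plus the basics the search result left out ---
hostname edge-rtr
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip http server
no ip http secure-server
no cdp run
no ip source-route
enable secret <STRONG-SECRET-PLACEHOLDER>
username admin secret <ADMIN-SECRET-PLACEHOLDER>
! SSH needs a hostname, a domain name and an RSA key (crypto key generate rsa modulus 2048, typed in config mode)
ip domain-name example.com
ip ssh version 2
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
! Management reachable only from the inside subnet, over SSH only, with idle sessions dropped
ip access-list standard MGMT-IN
 permit 10.0.0.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 exec-timeout 5 0
 login local
!
! RIPv2 on the inside only; the outside interface gets a static default route and never speaks RIP
router rip
 version 2
 passive-interface FastEthernet0/0
 network 10.0.0.0
 no auto-summary
ip route 0.0.0.0 0.0.0.0 192.0.2.254
logging host 10.0.0.50
```

Both versions route packets between the two networks; only the second one limits who can manage the device, stops it from advertising routes to the outside, and records what it does.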
Another comment I overheard was along the lines of, "Sure a technical person could configure it but a business person would understand where to place the device". I highly doubt that a business person will understand or even comprehend the act of using a perimeter router, a firewall with a DMZ and then an inside router. They may not even comprehend why it's a bad idea to put a Microsoft Small Business Server live on the internet... why it's a bad idea to have Exchange and your Domain Controller on a single box that's live to the world.
I can even understand why you might hire someone with more business skills than technical skills to manage your security team... but they won't function successfully if they aren't surrounded by those with technical skills to do the work and to advise them.
So in the end we're left with a disconnect... a disconnect between those doing the security research and creating the security products and those implementing them. Those of us on the vendor side of the table make the assumption, or at least I did anyways, that our products are going to someone with a technical background so they'll be implemented properly... when in reality they could very well be going to someone with a business background who may or may not know the function of the device.
We all talk about end user education; perhaps we should expand that and talk about corporate security education as well. We need to explain to those who are responsible for our data, be it our educational data, our financial data or our voter information, that you can't properly configure a device and implement it in your infrastructure solely by reading what Google turns up. We may have a lot of information at our fingertips but experience and ability still play key roles.
Comments (6)
My theory has always been to hire people who understand how to think about security (that is have the right mindset) and enough technical skills to learn what they need to know. I've found this covers for issues like not knowing routers but being smart enough to find out what they need to know to do it securely. The business skills I can either coach them about or give them the opportunity to learn through other mechanisms.
Posted by Arthur | February 25, 2007 6:15 AM
If the post-grad program is focused on creating business managers of security teams then the focus on business over technology makes sense. Someone has to be able to justify the return on the security investment. The days of hiding behind the hack of the week to motivate management to fund IT security budgets is over.
On the other hand if the goal of the post-grad program is to develop leaders of teams that can assess and improve an organization's security posture then it is critical that the student learns the technical and the business aspects of security. Too many "security" consultants just know how to read a checklist/guideline and not how to adapt the instructions to a specific system. How many of us have dealt with auditors that insist on turning on all Windows audit events without understanding the implications on storage and manpower to review (or usually ignore) the collected logs?
Posted by jim webster | February 25, 2007 9:11 AM
MBA thinks he's smarter than everyone else, film at 11.
Posted by Andre LePlume | February 26, 2007 7:31 AM
I'm not sure I would want to hire someone for the business skills first, unless it's not a technical position. I mean, sure someone can cram and learn how to configure a router, but will that configuration be appropriate for 3 years? Will it have small nuances that non-newbies might have seen? And, like you mention, will it have been secure?
Granted, that's something that really only experience will give. And that might be part of the disconnect as well. Our industry is still growing and there will always be newer people coming in, especially as they tend to cost a bit less. ;)
A big amen to your last paragraph. Really well said.
Posted by LonerVamp | February 26, 2007 12:10 PM
Funny thing about MBAs ... when I worked with Venture Capital, there was an anecdotal joke about valuation of a software company. The joke went something like this: "for each engineer, add $1,000,000.00 to the valuation; for each MBA, subtract $5,000,000.00". I always wondered if someone with an MBA came up with that model. :)
As for education (back to HT's original post), I think he's right on the money ... from the Security Professional's perspective. There are far too many "Business People" running Security departments with no clue about Security. Some education in the Security space would be helpful for everyone involved, although I don't know what the non-Security CISO's motivation would be to spend this time educating themselves to a depth greater than conceptual understanding. Far too often, I've seen career executives put in charge of Security departments for the purpose of raising the profile of Security within the organization and to fulfill executive promotion needs. How do I make an SVP out of a VP? Put them in charge of Information Security for a couple of years. Sad, but all too often true. There are people in this world who are more concerned with their position than the subject matter that they're responsible for. With the move in many organizations to roll up Information Security under the Risk Management umbrella, I don't see this trend getting any better. At least CIOs used to hire CISOs. Under Risk Management, business executives will be appointing the head of Security. I'll leave it with you to do the math on that one.
Instead, I challenge those of us from the Security side of the fence to spend some real time and energy educating ourselves about business. I'm not talking about a 5 day seminar here. I'm talking about living on the business side for a couple of years; living it to the depth that we would expect business folks to live Security. Whether this is within a "customer" environment or on the vendor side, the only way to ensure that our corporate leaders understand and appreciate Information Security is to *become* corporate leaders.
The truth is that business will always win if we continue to make it a choice between business and Security. To revisit the example that prompted HT to write this post, if I'm looking for someone to run my Security department, I don't want to choose between Security and business - and I shouldn't have to.
If you can't beat 'em, join 'em ...
... then you can beat 'em.
Posted by sleb | February 27, 2007 6:55 AM
Warning, long rant coming...
The disconnect is a good point, Tyler, but I urge you to think about this outside of technology for a few minutes.
We believe that, since we work in technology, technology is somehow special. However, it's simply that we lack an abstraction layer, currently - there's nothing that isolates us from technology at this point, so we interface directly.
Let me ask it another way: when building a business, how much time do you spend on figuring out where the air conditioner units go?
The answer: you don't. Because you are focused on the business, and you hired someone to do the rest, which is just details. You gave your requirements ("keep us cool"), and someone handled it. You didn't need to think about the configuration of the pipes or the location of the vents - you were abstracted from that decision.
Now, of course, this doesn't work if you work for an Air Conditioning manufacturer - in that case, you need to hire people who know these things.
(In case you're thinking about this not being about security, go back and substitute "burglar alarm" for "air conditioner" above, and see if it still makes sense - it does).
The idea that a security person *needs* technical expertise is as ludicrous as saying that a business person *needs* to have been a janitor before they understand how to run their business.
In my experience, you need to understand the concepts, and, as Arthur pointed out above, need to know who to call for the technical expertise.
As for the product side, the disconnect you speak of doesn't exist. Having intimate knowledge of your business, I can say pretty clearly that the smart product developers in that business understand that there are TWO customers for any product: the manager who is making decisions (who buys the product for reporting and ability to interoperate with the environment) and the technical user who is actually running the product. Both need to be satisfied in the sales process, and there are features developed for both.
If you're making the assumption that there's a technical user on the other end of the product, you're making a fatal mistake: I can guarantee that 90% of your customers (most of whom I know ;) don't care about the difference between SMB on 139 and SMB on 445 - they just want to know whether they're secure, what they're going to need to do about it, and how much it's going to cost.
Which is as it should be.
Posted by Mike Murray | February 27, 2007 8:27 AM