Business Centric Security Professionals
Security professionals are under constant pressure to create a security program that is both effective and efficient. They are often required to adhere to multiple regulatory requirements (which are, as we all know, basically just methods to ensure organizations adhere to the security basics) while controlling costs and fighting numerous and seemingly ongoing fires. Michael Farnum wrote a good article in his Computer World blog describing how security professionals should also remember that the basis for their existence is the actual business they are supporting. I followed it up with a comment about how security professionals need to start looking to products that perform security functions while also providing benefits to other parts of the organization.
As I was thinking about these topics I was reminded of an incident that occurred during RSA 2007. I was sitting in the back of Ed Skoudis’ class during his pre-conference tutorial. Ed talked about some of the work that he and his crew have done with IDS/IPS, where they compared how several major vendors handled different types of traffic. He pointed out that some handled certain traffic better than others, but that they all had strengths and weaknesses in different areas. This is a situation most of us are already aware exists.
When he finished with that topic we took a quick break, and a man in the back row turned to me and asked me a question. From speaking with him earlier I knew he was new to the security field and had basically been moved into the position by his company from an administrative position. He told me that he had just recommended going with TippingPoint and, on his recommendation, his company had spent a lot of money doing a full deployment within their organization. He asked me, referring to Ed’s examples, if he had made the right choice and how he should go about telling his executives that the option they went with might be flawed.
I had to explain to him about managing risk and that he was going to get weaknesses and problems with any solution. I reminded him that defense in depth should be their goal and that they should identify weaknesses in each one of their controls and decide how they are going to address them. I’m not sure if I helped his fears at all, but it just goes to show that people do think (even today) that there is an end-all-be-all solution, the whole silver bullet concept. And if it takes a while for somebody moving into security to figure that out, it will take even longer for executives to do the same. These types of situations and this type of thinking definitely have a direct impact on how business plans and decisions are made.
I think that the work Ed Skoudis, HD Moore, David Maynor, and other security researchers are doing helps us identify products whose solutions have inherent, accidental, or misguided problems so that we can protect ourselves. But, unfortunately, their work does not instill the uninformed upper management with confidence in the security field. Actually, it probably has them all cussing under their breath. Of course, this is where the security professional should be earning their keep by providing a buffer between the constant barrage of seemingly negative information and the actual state of the organization’s environment. I guess this is the point where people like Mike Rothman and Michael Santarcangelo step in to help security professionals learn how to provide this buffer so that the executives can go back to managing the other aspects of the business.
I know this post has jumped around a little bit. But the basic point I have been trying to make is that security professionals are a unique breed with a wide range of responsibilities: from developing and implementing security plans, to dealing with administrators, developers and vendors, to handling malicious intruders and vandals, to managing upper management, all while making sure the business flow does not stop or, at the very minimum, only experiences a slight hiccup. I think that NIST has established another good way to show how all of these skills tie together. They have recently released a job posting for their new Chief Cybersecurity Advisor. Although the job summary details their requirements, don’t forget to have a look at the Duties and Qualifications & Evaluations that they believe are appropriate for the person filling this position. They list some impressive requirements that many CSO/CISOs currently fulfill. With these types of requirements and responsibilities I, like many of you out there, find it hard to believe that CSO/CISOs are finding it hard to break into the executive meetings. This gets back to Michael Farnum’s original point about the necessity for security professionals to remember they are supporting the business operations. Until security professionals get a track record that shows we are business centric, we might just find ourselves hung out to dry for a while. And being left out of the loop will, eventually, have an adverse effect on our organizations.
Go forth and do good things,
Cutaway
June 2nd, 2007 at 2:28 am
Very good post, Cutaway. And the point about security professionals not being in management is one of the points Pete Lindstrom made as well.
It might be said that it is easier for me to say all of this now that I am not in security management anymore, but I can say that selling security brings its share of frustration with management as well (try selling the stuff to make a living and have management decide that your product is not needed after you spent days on the evaluation - it sucks).
Michael