Or, The Difference between Information Security Professionals and those Paid to Perform Information Security
Evidence of people performing accounting has been found as far back as Babylon (circa 4500 BC). We have records of a civil engineer from as long ago as 2630 BC. It’s fair to say that these are mature, well understood professions. The education and training for their practitioners has been thoroughly tested and documented. If you want to become an accountant you take some classes, learn your craft, and prove you’ve learned it by taking the Certified Public Accountant (CPA) exam. If you want to become a civil engineer, you do the same (only take the Professional Engineer exam instead).
Compared to those fields, IT and information security are fresh and brand-new. For many of us practicing now, there was no accepted path for entering the technical fields. We came from all over. We saw the wide-open opportunities that technology provided and we jumped on the bus. Students from business, engineering, history, chemistry, communications, and performing arts (not to mention many who never received any kind of undergraduate education) saw opportunities in IT, picked up some self-directed or on-the-job training, and became part of the IT industry.
This first group of IT pioneers had a lot going for them. They were better innovators than your average group of CPAs, and they were much more willing to take risks than a civil engineer (and if you ever drive over a bridge or through a tunnel, you should be very thankful for this one). This led to great leaps and bounds forward in information technologies. Systems quickly became interconnected, and new functionality started sprouting up everywhere. Our lives moved from a paper calendar to our computers and then to the internet. We stopped writing checks and started paying bills on our computers. Our IT innovators were changing the world.
The same people who gave us world-changing innovations also gave us system crippling vulnerabilities.
Unfortunately, while our well-meaning innovators were adding new functionality they were also adding new vulnerabilities. You see, civil engineers are taught early on that they must account for all potential vulnerabilities in their structures. Wind, floods, earthquakes, unexpectedly high usage: all of these possibilities need to be factored into their designs and their risks considered. But our first generation of IT staff had no formal education, and so they continued building new functionality and leaving massive holes. And when these holes were identified they would stick a Band-Aid over them and move to the next innovation, because that’s what paid the bills.
Somewhere along the way (probably around the time that we started trying to do our banking and shopping online) we realized that these vulnerabilities really needed to be addressed. Considering the track record, it obviously couldn’t be the IT departments who had been baking these vulnerabilities into the systems. Thus information security started getting budgets and staff. When these new information security jobs opened up, where did the folks come from? Yup, most of us came directly over from the IT world.
The skills that make for a great IT professional are not the same that make for a great information security professional
The primary issue is that the skills that make for a great IT professional are not the same that make for a great information security professional. IT professionals manage systems, information security professionals manage risk. IT pros spent years learning that when they run into a problem they should make or buy a new technical solution. But information security pros are learning that more technology is almost never the solution to a security problem.
The IT mindset is that problems are to be overcome by driving forward, innovating and creating new solutions. But often in information security the correct answer is to go backward, look at what we’ve done, and determine whether we did it right the first time. Instead of sticking on another Band-Aid we should be crafting secure systems from the ground up.
I am certainly not suggesting that IT professionals cannot be successful information security practitioners (if that were the case, I’d be out of a job myself). But some of the attributes that made us good in IT are opposed to those which will help us succeed in information security. We still need to be responsive, analytical, courteous, and solution oriented, but we can no longer afford to value speed over quality (don’t forget, security IS quality) or to focus on technology instead of business.
Risk management is not system administration. You don’t get an error message when things aren’t going right. And there’s no Google search that is going to help you figure out what the problem is. Information risk management requires you act and think like a business-person. It’s only secondarily that your technical skills will support that mission.
Cross-posted from Enterprise InfoSec Blog from Robb Reck