Charlatans don’t bother creating detailed schemes for deception. They
just have a feel for what fools people.
It's not about technology…
Bad guys have better people skills
Criminals usually don't bother learning all the ins and outs of the
technology they exploit — they simply learn enough to be dangerous. But
they spend endless hours understanding the people they plan to fool.
Hackers long ago learned a short cut, what they call social engineering:
Why spend years trying to hack into a bank when you can just ask an
account holder to give you their name and password?
And not only that: adding technology won't fix things.
The technologists, on the other hand, tend to fight this battle with one
hand tied behind their back. They generally spend most of their time
studying technology, learning all its nooks and crannies from the ground
up. They write careful research papers following the strict rules of
scientific method. They must spend endless hours defending their findings
against all comers, and they can't hurt anyone while conducting studies.
They know the technology well, but they have little time to sit around
understanding how people work.
I've been saying for over a decade that InfoSec qualifications should focus on psychology, sociology and business rather than on technical matters, but exams and qualifications such as CISSP, CISA, CEH, and SANS focus on technical matters.
Part of this is “the metrics problem”. We focus on what can be measured, the “if you can’t measure it, you can’t manage it” myth that started with Taylorism and has been promulgated by people who only see the numbers side of Deming’s principles. His “System of Profound Knowledge” advocated that all managers need to have a deep understanding
of psychology and human nature. His famous “14 points” are about attitudes towards management of work, not about numbers; in fact he was against many ‘numbers’ such as quotas. He viewed managing by numbers to be a “deadly disease”, along with an emphasis on short term results (more number-keeping), and relying on technology to solve problems that are really based in the organization, management and psychology of the workplace and corporation.
So how do we actually manage? How do we evaluate people and their work?
How do we grant certifications and issue awards? How do we solve our business problems?
The media says that InfoSec is a growing market. I wonder sometimes whether that growth isn't mostly in the sales of appliances – throwing technology at the problem and resisting the changes that are really needed: changes in organization, attitudes and management.