The InfoSec Blog
23Jul/09

The Need for Social Engineerig in InfoSec

Communication major dimensions scheme
Image via Wikipedia

When I took my undergraduate Engineering degree the attitude of my professors was that if we had chose engineering as our career then a few things were going on.

First, technology is changing, so teach fundamentals and principles and show how to apply them but don't get hung up on specific technologies. (Who would have guessed then that the RF theory work on transmission  lines would have an impact on writing software for PCB layout and even chip design!)

Second, that if we stayed in engineering, then within three to five years we would have "managerial" responsibilities so we better know about "managerial" things such as budgeting, logistics/supply-chain,
writing proposals and reports.

I mention this to make the point that being a CISSP is not about being a techie-geek. Knowing all there is about crypto, pen testing, or any vendor or product is inherently self limiting. You have put a cap on the authority and influence you have.

To be effective in InfoSec you need to be able to do that "social engineering" - as a recent article says,

"... the application of social science to the solution of social
problems," he said. "In other words, it's getting people to do
what you want by using certain sociological principles."

What you want is for your managers to implement certain strategies that
you believe are for the good of the company and society (see our code of
ethics an associated guidelines). This means you need communication
skills
.

I realise many people reading this are in fact managers, but they too have to
report to higher authorities. Some here have MBAs. Management is more than the technical skill of a MBA course - that's another form of geekiness. (I know of one very good technical guy who saw Dilbert's Principle being applied in his firm an went and got a MBA. The trouble is that he never had any 'people skills' and the MBA course didn't supply them!)

So we get back to a parallel thread - "Trust"'.

Occasionally I run a workshop "Why people don't follow Policies and what you can do about it". Its for technical managers, those who have to enforce many policies, not least of all InfoSec ones, and manage those who are carrying out the associated Procedures. Its always a difficult workshop since its about seeing the patterns in behaviour, something technical managers are quite capable of, but have never been taught before.

Its my belief that InfoSec is meaningless unless it deal with the social and psychological issues. Right now we treat the term "social engineering" the way we do "risk", as something that has *only* a negative meaning. That has to stop. Management don't see "risk" as being bad and as far as threats go, we know that People are the sourceof them all! First and foremost, InfoSec practitioners need to be able to deal with People. Technology is for geeks. If you want to being
about change you have to deal with people.

"Social Engineering" - in the broadest and positive sense - is every bit as key as any other of the domains of the CBK. Its omission just shows how technology-centred the profession is, despite the threats and despite what needs to be done by practitioners to fulfil their roles.

Reblog this post [with Zemanta]

Posted by antonaylward

Comments (0) Trackbacks (0)

No comments yet.


Leave a comment

No trackbacks yet.