Read the first four paragraphs of this:
Forget the rest, forget that its about 'creative writing', just answer that question.
Bruce Schneier among other, myself included, have asked questions like that. Are you 'paranoid' enough to be in the security business?
One of my colleagues, Rob Slade yes *that* Rob Slade when he is teaching in Toronto, usually asks me to come along to talk for an hour to his students about "The CISSP Experience".
The first thing I ask the class is if there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a "Bah Humbug!" feeling when the class is really a company stuffing its IT department through the course and exam "for the numbers". Rob has some cynical comments to add but don't forget for him it's a days work and a days pay.
I'm also hit on for a variety of reasons by kids (even postgraduates) who "want to break into" -- yes that's the words they use, ironic isn't it? -- the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that its experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is badge that gets you work. Not so. Mind you, locally the recruiters cant seem to tell what makes InfoSec different from IT. But that's a subject for another time.
And hence the opening lines to Holly's blog.
No, Holly, you're not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.
- What is the 'attack surface'?
- What are the potential threats? How to rate them?
- How can I position myself to minimise the effect of an attack?
- What is the 'recovery mode' (aka: line of retreat)?
If you can't do this, then you shouldn't be in "Security".
I'm not claiming that, like Holly, you need to be able to do it in the restaurant and mall - though some of us do - but you should be able to do it within the scope of your work. You should do it by reflex, as a matter of course.
At another level, every project manager, perhaps every manager, needs to be able to do Risk Assessment with respect to the project, so perhaps the threats he or she needs to consider aren't terrorists taking hostages so much as things like budget cuts, key staff leaving, competitor products being released and that most dreaded threat of all:
If you're not paranoid, then perhaps you should reconsider what your motivation for being in InfoSec is.
Or would you rather be a sysadmin?
Thought for the day:
When the Way is forgotten
Duty and justice appear;
Then knowledge and wisdom are born
Along with hypocrisy.
When harmonious relationships dissolve
Then respect and devotion arise;
When a nation falls to chaos
Then loyalty and patriotism are born.
-- Lao Tse, "Tao Te Ching"
- Paranoid City at Toycon (flipjams.wordpress.com)
- Information Security Certifications That Will Get You The Job (jobs.answers.com)
- Interview with Bruce Schneier on Technology and Power (thecommandline.net)
Posted by Anton Aylward
I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity