Posted by Anton Aylward
Yes the government needs a culture change if it is to address its own and the national issues pertaining to security, technological, in general, internet related and more. But not like this.
A real culture change would involve hiring the likes of people such as Marcus Ranum, Gene Spafford, Becky Herrold., and more significantly the very vocal Bruce Schneier AND PAYING ATTENTION TO WHAT THEY SAY AND CARRYING OUT THEIR RECOMMENDATIONS. And please note: none of this is new or radical.
But a read of Bruce's articles blog and published articles will make it clear to any intelligent reader, even those outside the InfoSec community, that they won't. The culture change it would require would impact too many vested interests and long held beliefs, even though Bruce -- and others -- have long since shown them to be in the same class as The Emperor's New Clothes.
When the government talks of cyber-security experts it really doesn't want people who think in terms of policy and strategy. The fact that most government agencies could do better if they carried out the recommendations that have been made to them -- but consistently don't -- tells you something about their innate culture. Just adopting the GAO recommendations would take a culture change. Adopting 'uber 133z h4x0r'-wannabes for job roles that are written as what amounts to jumped-up netadmin and sysadmin positions doesn't make for good security.
Yes, a culture change is needed. But the kind of changes that the 'insiders' -- and that goes for the media too -- envision don't really amount to a meaningful change.
 The idiom "rearrange the deckchairs on the Titanic" comes to mind
Or perhaps the Hindenburg.
Posted by Anton Aylward
Well what would you ask?
These seem to be the kind of questions that might be asked by someone with a strong technical bias. The CISSP cert is supposed to be more oriented towards security management than to the technical aspects, so what would you ask?
We should, I think, be asking about "The Tone At The Top", the organizations attitude towards security and, but what does that mean in terms of interview questions?
My thoughts tend towards Policy and Certification, but them many of my past clients have been financial, so regulatory compliance looms large for them. I'd certainly ask about Policy, how it is formulated, how it is communicated and how it is enforced. That's not as easy as it sounds: most people know what should be done but ask that tactlessly and other than being an opening ("Yes, I can work on that for you") all you've done is embarrassed the interviewer.
So we have a refinement that the article never touched on: this is an interview not an audit.
I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity
Calendar of Posts