These seem to be the kind of questions that might be asked by someone with a strong technical bias. The CISSP cert is supposed to be more oriented towards security management than to the technical aspects, so what would you ask?
We should, I think, be asking about “The Tone At The Top”, the organization’s attitude towards security. But what does that mean in terms of interview questions?
My thoughts tend towards Policy and Certification, but then many of my past clients have been financial, so regulatory compliance looms large for them. I’d certainly ask about Policy: how it is formulated, how it is communicated and how it is enforced. That’s not as easy as it sounds. Most people know what should be done, but ask about it tactlessly and, other than providing an opening (“Yes, I can work on that for you”), all you’ve done is embarrass the interviewer.
So we have a refinement that the article never touched on: this is an interview not an audit.
It’s a perfectly valid question we all have faced, along with the “where do I begin” class of questions.
The ISO 27001 standard lays down some necessities, such as your asset register, but it doesn’t tell you the level of detail necessary. You can choose to say “desktop PCs” as a class without addressing each one, or even the different models. You can say “data centre” without having to enumerate every single component therein.
I go slightly further and think that a key part of a security practitioner’s professional knowledge should be human psychology and sociology, how behaviour is influenced. I believe we need to know this from two aspects:
First, we need to understand how our principals are influenced by non-technical and non-business matters, the behavioural persuasive techniques used on them (and us) by vendor salesmen and the media. Many workers complain that their managers and executives seem to go off at a tangent and ignore “the facts”. We speak of decisions driven by articles in “glossy airline magazines” and by often distorted cultural myths. “What Would the Captain Do?”, or Han Solo or Rambo, might figure more than “What Would Warren Buffett Do?” or “What Does Peter Drucker Say About A Situation Like This?”. We can only be thankful that most of the time most managers and executives are more rational than this, but even so …
If you have good information security awareness amongst the employees then it should not be a problem what kind of attempts are made by the social engineers to glean information from
Yes but as RSA demonstrated, it is a moving target.
Faced with an attack surface that seems to be growing at an overwhelming rate, many security professionals are beginning to wonder whether their jobs are too much for them, according to a study published last week.
Right. If you view this from a technical, bottom-up POV, then yes.
Conducted by Frost & Sullivan, the 2011 (ISC)2 Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking, and insecure applications have led to “information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain.”
Patching madness, all the hands-on … Yes I can see that even the octopoid whiz-kids are going to feel like the proverbial one-armed paper-hanger.
Which tells me they are doing it wrong!
Two decades ago a significant part of my job was installing and configuring firewalls and putting in AV. But the only firewall I’ve touched in the last decade is the one under my desk at home, and that was when I was installing a new desk. Being a Linux user here I don’t bother with AV.
“Hands on”? Well yes, I installed a new server on my LAN yesterday. No, I think I’ll scrub it, I don’t like Ubuntu after all. I’m putting in Asterisk. That means re-doing my VLAN and the firewall rules. So yes, I do “hands on”. Sometimes.
At client sites I do proper security work. Configuring firewalls and installing Windows patches is no longer “security work”. The IT department does that. It’s evolved into the job of the network admin and the Windows/host admin. They do the hands-on. We work with the policy and translate that into what has to be done.
Application vulnerabilities ranked as the No. 1 threat to organizations among 72 percent of respondents, while only 20 percent said they are involved in secure software development.
Which illustrates my point.
I can code; many of us came to security via paths that involved being coders, system and network admins. I was a good coder, but as a coder I had little “leverage” to “Get Things Done Right”. If I were “involved” in secure software development I would not have as much leverage as I would if I took a “hands off” role and worked with management to set up an environment for producing secure software through training and orientation, policy, tools, testing and so forth. BTDT.
There simply are not enough of us, and never will be, to make security work “bottom up” the way the US government seems to be trying. We can only succeed “top down”, by convincing the board and management that it matters, by building a “culture of security”.
This is not news. I’m not saying anything new or revolutionary, no matter how many “geeks” I may upset by saying that Policy and Culture and Management matter “more”. But if you are one of those people who are overworked, think about this:
Wouldn’t your job be easier if the upper echelons of your organization, the managers, VPs and Directors, were committed to InfoSec, took it seriously, allocated budget and resources, and worked strategically instead of only waking up in response to some incident, and even then just “patching over” instead of doing things properly?
Information Security should be Business Driven, not Technology Driven.