The InfoSec Blog

Are *YOU* ready to give up yet?

Posted by Anton Aylward

Apparently (ISC)2 did this survey ... which means they asked the likes of us ....

http://www.darkreading.com/security-monitoring/167901086/security/security-management/229219084/under-growing-pressure-security-pros-may-be-ready-to-crack-study-says.html

Faced with an attack surface that seems to be growing at an overwhelming rate, many security professionals are beginning to wonder whether their jobs are too much for them, according to a study published last week.

Right. If you view this from a technical, bottom-up POV, then yes.

Conducted by Frost & Sullivan, the 2011 (ISC)2 Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking, and insecure applications have led to "information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain."

Patching madness, all the hands-on ... Yes I can see that even the octopoid whiz-kids are going to feel like the proverbial one-armed paper-hanger.

Which tells me they are doing it wrong!

Two decades ago a significant part of my job was installing and configuring firewalls and putting in AV. But the only firewall I've touched in the last decade is the one under my desk at home, and that was when I was installing a new desk. Being a Linux user here I don't bother with AV.

"Hands on"? Well yes, I installed a new server on my LAN yesterday.
No, I think I'll scrub it, I don't like Ubuntu after all. I'm putting
in Asterix. That means re-doing my VLAN and the firewall rules.
So yes, I do "hands on".  Sometimes.

At client sites I do proper security work. Configuring firewalls, installing Windows patches, that's no longer "security work". The IT department does that. Its evolved[1] into the job of the network admin and the Windows/host admin. They do the hands-on. We work with the policy and translate that into what has to be done.

Application vulnerabilities ranked as the No. 1 threat to organizations among 72 percent of respondents, while only 20 percent said they are involved in secure software development.

Which illustrates my point.
I can code; many of us came to security via paths that involved being coders, system and network admins. I was a good coder, but as a coder I had little "leverage" to "Get Things Done Right". If I was "involved" in secure software development I would not have as much leverage as I might have if I took a 'hands off' roles and worked with management to set up and environment for producing secure software by the use of  training and orientation, policy, tools, testing and so forth. BTDT.

There simply are not enough of us - and never will be - to make security work "bottom up" the way the US government seems to be trying   We can only succeed "top down", by convincing the board and management that it matters, by building a "culture of security".

Own view of Enterprise Information Security Ar...

One view of Enterprise Information Security Architecure (EISA) Framework.

This is not news. I'm not saying anything new or revolutionary, no matter how many "geeks" I may upset by saying that Policy and Culture and Management matter "more". But if you are one of those people who are overworked, think about this:

Wouldn't your job be easier if the upper echelons of your organizations, the managers, VPs and Directors, were committed to InfoSec, took it seriously, allocated budget and resources, and worked strategically instead of only waking up in response to some incident, and even then just "patching over" instead of doing things properly?

Information Security should be Business Driven, not Technology Driven.

[1] Or devolved, depending on how you look at it.

Related articles

Enhanced by Zemanta

IT AUDIT VS Risk Assessment – 2

Posted by Anton Aylward

We were discussing which should be done first and someone said:

The first has to be risk assessment as it is foundation of information
security. You first need to know where is the risk before putting up
any controls to mitigate that risk. Putting up adhoc controls will not
make the controls effective nor will it protect the organizations
against the risk.

While I understand the intent, I think that is very prejudicial language.

Donn Parker makes a very good case that we have the cultural context - read that sophistication and awareness of the baseline risks - to see that there should be a set of baseline controls. IAM, firewall, AV, backups and so forth. We don't need to leave the assets exposed to threats while we we wait around for a Risk Analysis to tell us that these baseline protective controls are needed.

Risk Analysis

You don't need to know the specific risks any more than you need to know the specific risks to have a lock on the front door of your house and close your windows.

I certainly wouldn't call this approach "ad-hoc".