Home > Information Security, Musings > It is NOT time to “professionalize” information security.

It is NOT time to “professionalize” information security.

May 24th, 2013

AlDonaldsI recently read an article that was posted by my friend Brian Honan titled “Is it time to professionalize information security?” I know this debate’s been going on for a bit. I have a lot of respect for Brian (who supports licensing or “professionalizing” infosec), for a lot of reasons. If you’ve ever met the guy, and/or know of his accomplishments and track record, you likely do too. So to be clear, my opinions in this matter have nothing to do with Brian, and everything to do with what I see as a bad direction to take in our industry right now.

People – this is a “knee jerk” to the insanity that is information security. Things are chaotic, sure. Breaches, crime, national defense…all contributors to this mess. Top that off with a general distrust for vendors (with a perception of them selling “snake oil”), a disturbing number of “charlatans”, raging debates about certifications like the CISSP, drama at every turn, and constant cries of “we have to get better”. Sigh. I know, it sounds bad, right? But it really isn’t nearly as bad as it seems.

We are an “industry” in a very early stage, folks. I’ve said this before, I’ll say it again – we have a major, fundamental difference in infosec that makes it seem much worse – we have adversaries. They are working against us. When the Windows MCSE came out, it was a joke. Anybody could go learn a little about Windows, and become a “certified” Windows…, uh, person. But there was no diabolical Blofeld waiting in the wings to set Microsoft back, planning a global overthrow with Linux-wielding henchmen in an underground lair while he stroked his cat. Same for networking, whether Cisco or otherwise. Same for databases, CRM, enterprise middleware, and so on. Nope, only infosec has these shadowy lurkers who continually thwart our best efforts, stealing data and making the news.

We’re making progress. Really. Yeah, we have some idiots jumping on the bandwagon churning out Nessus reports as “pen tests”. So do we run to “certify” everyone so such an atrocity can never happen again? Really? You’d put us in a little box so that we can all feel safer? No. Here’s a better plan – those of us who are NOT clueless and DO provide quality work for clients or our businesses should work harder to educate people on this. That’s the problem. People are freaked out, they may not know any better, and they’re looking for solutions. Be it vendor or consultant or both, there’s ALWAYS a solution. Some are good, some are not. We’re falling prey to FUD, plain and simple. And if you get caught up in the daily whining on Twitter and elsewhere proclaiming that infosec is “so messed up” and that it “needs fixing”…well, you’re falling right into the drama-laden trap that plagues our industry.

The infosec industry needs creativity. It needs people who don’t fit the mold, who would rather set a kitten on fire than wear a tie, and who cannot help themselves from telling dick jokes, no matter when or where. Those people may not fit the “professionalization” scheme, but we would be SCREWED if we lose them. They think outside the box, they don’t look “corporate”, and they insist on wearing black T-shirts. I’m being purposefully stereotypical, of course. We’re a widely diverse crew these days, and we’re better for it. But thinking we’re failing so badly that we need to “professionalize” is silly. If that is the case, then why don’t we REALLY get to the heart of things, and professionalize programmers? It’s their shitty code that is causing a lot of the mess, there’s no denying this. While we’re at it, we should probably “professionalize” systems admins, network engineers, everyone. They screw up too, right? We should definitely “professionalize” project managers. Those people are a pain in the ass. Let’s make them certify!

C’mon. This isn’t the answer. Infosec is crazy, sure. But we’re not headed into doom and gloom as some would have you believe. We’re improving education programs all the time. I have met some of the college kids who are taking part in Red Team-Blue Team competitions, and some of them are crazy sharp. We’re trying to fix things like the CISSP, with guys like Wim Remes and Dave Lewis as our men on the inside. We’re having proper debates about “attacking back” and cyberwarfare (ugh), and so on. We’ll get there. But don’t react and put us in a little defined “program”. I don’t want to be a part of the Borg, not now and not ever. I have hundreds of happy clients who can attest to my work, and so do many of you. Let’s let folks like the Attrition crew smoke out the worst charlatans. And let’s try to keep our sense of humor AND reality along the way.

Categories: Information Security, Musings Tags:
  1. DB
    May 24th, 2013 at 04:54 | #1

    At last! A voice of reason in the midst of the whole FUD flood. I think part of the problem is that there are a select few infosec community members that have attained a certain level of celebrity through various means, be it blogs, vlogs, anything else ending in ogs, podcasts, deda deda deda ad infinitum and occasionally they feel they have to rock the boat a little if they detect they are not getting the attention they feel they deserve (I’m not necessarily lumping Brian Honan in this category, his post yesterday is perhaps a catalyst in bringing the whole thing to a head though.)

    I’m sure things will calm down after a while and once the toys have been placed back in their cribs and their pacifiers firmly shoved back in their mouths. Egos will get massaged and the tantrums will have stopped…until next time.

  2. admin
    May 24th, 2013 at 06:25 | #2

    @DB I would definitely say Brian is NOT in this category. But this is getting ridiculous.

  3. jphilput
    May 24th, 2013 at 11:52 | #3

    I don’t always agree with you Dave, but in this case, I think you’re spot on. With the type and number of adversaries we face, I don’t think it’s reasonable or practical to “professionalize”. In too many cases, I’ve seen that type of drive turn creative, intelligent people into hidebound zombies, and hidebound zombies can’t effectively protect anything, let alone a network.

  4. Rob Newby
    May 25th, 2013 at 00:08 | #4

    I think you and Brian are arguing different issues. Imagine it like a physical battle, with Generals and Field Marshals doing the planning, down to Corporals and Privates fighting the war. We need them all. The Generals need to be highly professional, cool, calm and strategic – yes it comes from experience on the battlefield, but you sure as hell want it tested every now and then! The privates need to be wild fighting machines, make sure they’re fit for the job, wind ’em up and let ’em go. Then there’s research into weapons and tactics, vital to stay ahead, and must not be constrained. I agree with you both, you are both experienced intelligent people, but context is king here. Yes we need structure, yes we need some professionalism, but let’s not become the sneering techies who set the bar so high no-one wants to join us. DISCLAIMER: Yes, I know Brian.

  5. May 27th, 2013 at 19:25 | #5

    Dave – you’re right, and for more reasons than you cite. Brian is onto the right problem but the wrong solution.

    The history of licensing for professions in the modern world is not pretty. (Nor the premodern world for that matter.) Way back in 1990, James Fallows wrote a book called “More Like Us,” which is worth finding and reading for those who missed it (or weren’t born yet). In it he analyzes the competitiveness of Japan vs. Europe vs. the USA, and he argues, convincingly, that the power of guilds in Europe reduced labor mobility, led to less efficient allocation of talent, and over the long term completely hosed the entire continent. At the time Japan was on top of the world, but he observed a similar lack of labor mobility there and predicted that it would be their downfall.

    Here’s where it gets relevant to the current discussion. At the time there was a lot being written about how the US should emulate Japan, which was eating our lunch. Fallows said that in fact we should be “More Like Us” – that is, optimize for the best allocation of talent, by removing unnecessary guilds and licensing boards that reduce labor mobility.

    His argument is a thousand times more powerful now, when we have the Internet with extreme transparency of information. Authors can publish on Amazon without a license; merchants can sell on eBay without a license; feedback from the community provides information on quality and trustworthiness.

    If you read Fallows you’ll see that there really is nothing new or special about the information security profession relative to all the others. This kind of debate bubbles up in every trade, and in every case “protection of the public safety” and “inability of the customer to distinguish between good and bad service” are touted as reasons to limit access to the profession. Yet the evidence for success on these objectives is surprisingly thin.

    The modern approach works. Let’s be more like us.

  6. May 27th, 2013 at 19:33 | #6

    By the way – there’s a language issue here too. If you frame it as “should the industry professionalize” a survey would get one result, but if you frame the same question as “should you have to have a license to do a penetration test” it would give a different result. If you don’t want to see the industry go this route, then you should always refer to it as a debate over licensing, not over “professionalization.” Whichever language takes hold will determine the outcome.

  7. June 3rd, 2013 at 05:14 | #7

    Sorry but from my point of view your friend Brian is absolutely spot on. Industrialization will move on and with that IT and Information Security as well. There are still a couple of open questions but not long tey will be addressed as well.

  8. June 3rd, 2013 at 18:49 | #8

    Well, seems to me that things are even worse than are painted in blogs. Almost as though there is this law of zen that says we cannot describe things as they really are. Personally I report on what I actually observe going off in large sized businesses. It IS bad, and it IS getting worse.

    “we have a major, fundamental difference in infosec that makes it seem much worse – we have adversaries”. No. e.g. …it doesn’t take incidents to prove that things are bad in 95%+ of live production business cases. Or at least it shouldn’t.
    “Yeah, we have some idiots jumping on the bandwagon churning out Nessus reports as “pen tests” Nessus again?! hahaha. There are other unauthenticated scanners. But anyway, The enemies working against us here are ourselves, not outsider bad guys. The folk who portray Nessus scans as quality pen tests are usually security “professionals”.
    “The infosec industry needs creativity.” this part I agree, but creativity can be assessed in professional certifications (e.g. evidence of programming ability always seemed a good indicator of excellent readiness for life as an Analyst).
    Brian’s high level drive was at generating trust for security professionals, as in an industry standard means of proving some level of competence, much like other industries such as Civil Engineering.
    Looking at all of the problems in infosec…take compliance as an example: how did we end up in this mess? Because have never been able to trust the messenger when proposals were made to focus on risk rather than compliance (yes, they are two different things).

    In infosec we need some way of getting our customers to trust us again after years of FUD. How are we going to do that without some means of professional accreditation that links Analysts to IT skills (ops/admin/DBA/dev), and Security Managers to time served as an Analyst?

  9. admin
    June 4th, 2013 at 04:20 | #9

    @Andreas No need to be sorry. I think you’re wrong, you think I’m wrong – no worries.

  10. admin
    June 4th, 2013 at 04:26 | #10

    @Ian Tibble Here we go again. I’m not sure if this is a geographic thing, but I do tend to hear a lot of discussion from other regions in the world about how infosec and IT should be equated to some sort of “engineering”. I just totally disagree with you. Infosec, and IT, is so damn far from civil engineering it’s not even funny. What IS funny is how we are just losing sight of so much in this idiotic dialogue. WE (the security people) are the only paranoid loonies distrusting ourselves. All it takes is for a CTO to read one hour’s worth of security blogs and our Twitter feeds to see us as paranoid, self-loathing, cynical, lacking in social skills, and very likely to implode at some point. We are our own worst enemy in almost every possible way. If everyone in this damn field would just shut up and try to secure some things, we’d all be better off, but we spend all our time being introspective to hell and back and talking about how we’re “burnt out”. And just for the record, I spend almost all my time in Fortune 500 companies too. It’s just not POPULAR in this field to be the least bit optimistic – so much easier to just mope and rant about how bad it all is. By all means, keep at it. While you’re doing that, I will be fixing problems for my clients, one day and issue at a time.

  11. June 4th, 2013 at 10:24 | #11

    Great post. I wrote my own in response: Set a Kitten on Fire? Excellent! http://gtnr.it/14sHG1E (I am not smart enough to make this a hyperlink in your comments)

    Security ops is where kittens need to be very afraid. I want the smartest, craziest, out of the box thinkers on my ops team, but the evolving nature of infosec in large organizations REQUIRES people who at least own a suit. But forget the suit, they need to have the smallest understanding of their business.

    This business alignment crap is not crap, although it has been treated as crap by generations of security professionals. Where do you think your funding comes from? If you said FUD, you would be right for the previous decade, but that can’t be the answer for the next decade.

    Gartner data shows that 80% of the G2000 will require at least annual reporting to their board of director on the state of security and IT risk. This will require at least some understanding of the impact IT risk and security has on your business.

    There has been a major trend for more than 5 years now to have people with no background in security, but have program management skills, an understanding of their business, and a track record of success in fixing problem areas in the enterprise. This is one area I disagree with Dave. He implies that infosec doesn’t need fixing, and it desperately does. On that point, though, we are probably talking about two entirely different aspects of information security.

    So the only person I completely disagree with is Brian. Professionalization (certification) is a distraction, plus we already have it and it already doesn’t work. But we do need more professionals in information security. Including some who can light kittens on fire.

  12. June 4th, 2013 at 21:29 | #12

    @admin Read my response first, before flying off the handle. Who’s saying Civil Engineering is like infosec? I would say you’re not alone in “try to secure some things” – thanks for questioning how i spend my time in my professional capacity while at work. Sufficed to say i did not write this while in my clients’ machine room yesterday.
    You know you just can’t complain about folks writing too much and not “doing” anything when you spend 248 words in compiling nothing more than an insult.

  13. admin
    June 4th, 2013 at 22:29 | #13

    @Ian Tibble I don’t think I was flying off the handle. If I was questioning how you do your work, which I know nothing about, I’d have been a hell of a lot more direct about it. If you feel insulted, bummer.

Comments are closed.