@vmyths, otherwise known as Rob Rosenberger, notes on Twitter that
“3doz firms THAT EMPLOY COMPUTER SECURITY EXPERTS got whacked in a zero-day attack. How about some “education” for THEM, eh?”
Well, “computer security experts” is a somewhat fuzzy term, and a little pejorative: when the media use it, they usually mean themselves, or the company that supplied the press release they’re recycling. When they actually mean computer security professionals, it’s usually in the sense of “so-called security experts who can’t see what is absolutely clear to any right-thinking journalists.” A somewhat similar mindset, perhaps, to those denizens of Security-Basics who believe that anyone who has letters after his name has to be a blithering idiot with no actual security experience. No, I’m not getting into that argument again…
But let’s assume that Rob means the same group that I probably would, if I couldn’t avoid using the term: information security professionals not necessarily working within the security industry. (I know there sometimes seems to be far too many of us who are in the industry, but most of us are OK, honestly.)
A group, in fact, rather like the subscribers to the first incarnation of AVIEN: people with a wide range of job titles, skill sets and responsibilities, from independent researchers to experienced managers and system administrators to people who suddenly found themselves landed with (some) security responsibility for their company. (Yeah, me too…)
Well, it’s true: if you’re going to make people responsible for security, you do need to ensure that they already have some experience and training, or that they at least receive some training to jumpstart them into the role. Especially if, like me, you believe that part of the security professional role is to take some responsibility for the education of others. (Yes, I know that there’s a sizeable section of the security community that believes there’s no mileage in trying to educate the end-user - http://www.eset.com/download/whitepapers/People_Patching.pdf - but I’m not getting into that argument right now, either.
Before we start blaming everything (yet again) on lazy, incompetent, uneducated security experts though (and hopefully that isn’t what Rob meant), let’s remind ourselves of a few pertinent facts.
- As my colleague Aryeh Goretsky has pointed out, banks with security guards are not immune to bank robberies. “Mitigation of risk != elimination in its entirety.”
- When a company hires security professionals, it doesn’t necessarily mean it listens to those professionals. Especially when listening to their advice entails spending significant sums that could be better spent on upgrading the catering on the Executive floor.
- The corollary to assuming that employing security professionals (even competent individuals with exemplary support from the Boardroom) is enough to eliminate risk, is that if some malicious actor does get through, someone has “failed” and needs to be fired. That’s just lazy thinking: not so different to giving the bank janitor a uniform, a revolver and six shells, and saying “Hey, you’re promoted: now our asses are covered.”
Let’s not forget Spaf’s first principle of security administration:
If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.
That observation by Professor Eugene Spafford is as accurate now as it was when I first read it nearly twenty years ago…
David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET