Only an Italian brings a knife to an…errr..hack fight

The Unhackbles — Surviving Infosec Professionals

Not A Security Guru
7 min read · Jun 12, 2017

Note: This will be the first part of a few upcoming blog posts dealing with my take on how to manage and survive the force of nature that is infosec professionals.

Part 1: From Thought Leaders to Insane Brainiacs

We have many problems here in the Cyber realm. We have small budgets. We have people clicking anything that comes by email, whether it’s a message from deceased relatives or free essential *ahem* medicine. We have legacy technologies that cannot be patched. We have people like me whinging. We have people, mostly not me, using the term Cyber.

But one of the worst problems we have in the industry is people. And for once, I’m not talking about the idiots that click the links. I’m talking about our own professional personnel and how we recruit, train and progress them.

Let’s see how we prioritize treating the human factor rather than buying another cool box with blinking blue LED lights.

Stop drooling, you can buy that box later.

……mmmmmm appliances with USB slots and blue leds…….

The very first and perhaps the biggest issue we have is that we can’t even agree among ourselves what the various disciplines of our own profession are. During the last couple of years I’ve seen multiple ways to define security professions, such as:

  • Security Implementer
  • Security Engineer
  • Security Analyst
  • Security Architect
  • Security Manager
  • Security Officer
  • Ethical Hacker
  • White Hat Hacker
  • Penetration Tester
  • Cyber Defender
  • Cyber Warrior
  • Cyber Cyber (this last one I might have made up)
  • and my all time favorites: SECURITY EVANGELIST, CYBER NINJA and THOUGHT LEADER.

But this slightly depressing list above is at least somewhat connected to reality (with the exception of the last two), whereas people not coming from the industry either use completely imaginary terms or tend to batch all of these into a single job description. It’s not untypical to see a job opening for “an information security person” or the all-time favorite “an information security and communications expert”.

Let’s try to sort our own professional nomenclature:

First we get rid of the nonsensical ones: anything that has the word cyber as part of the job title, anything that says warrior, defender, war, conflict resolution, invasion from Mars or any World War II reference is verboten. Why? Because these are all pure hype, marketing nonsense. Cyber isn’t different from what Information Security was just a couple of days ago, and any title that references War and Peace is only there to boost someone’s ego.

Then we remove the ideologists, philosophers and armchair generals. Anyone calling himself an evangelist, guru or a thought leader — isn’t.
And the job description for those would be doubtful anyway — we’re looking for a theoretician who likes to hear the sound of his own voice, wears tweed jackets and spends at least 90% of his time showing up at conferences talking to people who look exactly like him.

No. Let’s don’t.

A security thought leader. You can tell by the suit.

Next we can consolidate and normalize semi-similar positions:

Manager and officer are essentially the same job; ethical hacker, white hat and penetration tester are doing the same thing (and we all know that all y’all never follow the ISC2 code of conduct, let’s be serious here); and engineer should only be used if you actually engineer stuff, you know? And no, changing firewall rules doesn’t qualify you as such.

So let’s conclude with the non-binding, completely personal, non-sponsored list of security professions:

Security Manager — the person that leads the security organization, takes all the credit and has his head constantly on the chopping block. The (technical) background of the head of security can vary, but one thing is vital for whoever runs this function: he/she has to understand that they serve at the pleasure of the business. If they don’t support the business goals, if they don’t understand the company they are working for — they are merely a nuisance, and someone will, eventually, realize that and bid them farewell. All risk assessments, all professional decisions, all aggression and depression have to relate to the business goals. Otherwise, you’re not doing your job. It doesn’t matter if you’re a CISO, an officer, a manager, a team lead or a security chef.
If you head some sort of a security function — the above is valid for you.

Welcome security manager, we’re happy to have you on board. Please collect your laptop, badge and complimentary executioner from HR.

Security Architect — I can’t stress this enough — a security architect is not someone who knows about design, or heard about design, or is a network architect who likes security design. These do not qualify you as a security architect.
Perhaps the most important position after the head of security — the security architect is someone who, hopefully, did a few years as an application security specialist, or infra, or both — preferably within customer organizations as well as professional services companies — and then trained as an architect. These people are rare and expensive. Do your utmost to retain them.

Also, they don’t have a sense of humor, but that’s beside the point.

Application Security Specialists — if you drop all the fancy buzzwords, at the end of it all the hackers, regardless of their hat color and ethics (or lack thereof), are people who specialize in the security of the application layer. They know how to break it, and if they’re good at their job they know how to fix it. There are several flavors of this profession as well, but we’ll leave that for another day. The tl;dr version of this profession: breakers-fixers of code, hopefully with actual coding and development background.

Infrastructure Security Specialists — though many will frown on the next thing I’ll be saying, those are probably “the old school” security professionals, or at least the veteran ones, who tend to frown upon the crazy application kids with their SQL injections and code reviews. Because, when you think about it — ask anyone about computer security and they will say immediately: it’s OK, I have an antivirus installed and my firewall is turned on. I’m totally safe.

I don’t know many people who will say — I have input validation set up on my website and ran static code analysis, so I’m totally safe.

Yeah.

But don’t be mistaken, these people are the foundation of security. You got your website all nice and OWASPed, but your FWs are badly managed? Good luck with that.
You have your static code analysis tool hooked up to your development pipeline and you never once patched your servers in the last 13 years? May the gods of security have mercy on your soul.
You totally rocked your penetration testing, but your databases are Internet facing and you have a flat network? Turn the lights off when you leave. Don’t bother coming back.

In this family you can typically find the network experts, the people who know operating systems (and their faults) inside out, the incident responders, the layer 1 to 4 people (some of them may even go up to 5!).
Just remember two things when recruiting them: no complex GUIs and no feeding after midnight.

Ever.

Infra security professional, on his way to the weekly CAB

Security Analysts — with the rise of the SOCs and MSSPs in the last few years, this has become a more well-defined and substantial position within security. Those are the paranoids who watch over your pew-pew screens and tell you what’s happening, where it’s happening and give you some generic advice on how to deal with it. While some people think that analysts mostly look at SIEM screens and press buttons — for me it is one of the more foundational positions in security: being able to understand multiple sources of logs, correlate them and understand the root cause of the event, which can be a daunting task. An analyst working for a good MSSP/SOC that invests in training can later on turn to other security disciplines and excel in them.

Sir! There are multiple pew pews heading our way!

Incident Handler — consider him the L3 version of the person above. The one who knows how to reverse engineer malware, how to fix the issues dumped on his desk by the L1 above, and how to avoid shouting “nation state” and “it was the Chinese” every time he sees a Zeus infection.

Forensic Investigator — diving into the root cause of what happened, how it happened and which military-grade scrubbing software the perpetrator thought he was using to hide his misdeeds — this is the profession that can help. Reading the bits and the bytes (and understanding them), restoring evidence, mining data and making sense of it — and making sure it can stand up in court. If the organization isn’t big and the need to go to court on a regular basis isn’t pressing — a good enough technical person can perform both the duties of the incident handler and the forensics jockey.

It’s cyber scrub (TM)! The only one to support DoD standards as well as make your laptop smell like eucalyptus!

If you liked this article, you should go and check out The Unhackbles Part 2 — Recruiting Chaotic Good Wizards, and follow me on Twitter.

Not A Security Guru

IT Security professional, CISO, advisory board member. If I hear the word Cyber one more time I’ll do something you’ll regret.