Who Will Educate the Educators?

@vmyths, otherwise known as Rob Rosenberger, notes on Twitter that

“3doz firms THAT EMPLOY COMPUTER SECURITY EXPERTS got whacked in a zero-day attack. How about some “education” for THEM, eh?”

Well, “computer security experts” is a somewhat fuzzy term, and a little pejorative: when the media use it, they usually mean themselves, or the company that supplied the press release they’re recycling. When they actually mean computer security professionals, it’s usually in the sense of “so-called security experts who can’t see what is absolutely clear to any right-thinking journalists.” A somewhat similar mindset, perhaps, to those denizens of Security-Basics who believe that anyone who has letters after his name has to be a blithering idiot with no actual security experience. No, I’m not getting into that argument again…

But let’s assume that Rob means the same group that I probably would, if I couldn’t avoid using the term: information security professionals not necessarily working within the security industry. (I know there sometimes seems to be far too many of us who are in the industry, but most of us are OK, honestly.)

A group, in fact, rather like the subscribers to the first incarnation of AVIEN: people with a wide range of job titles, skill sets and responsibilities, from independent researchers to experienced managers and system administrators to people who suddenly found themselves landed with (some) security responsibility for their company. (Yeah, me too…)

Well, it’s true: if you’re going to make people responsible for security, you do need to ensure that they already have some experience and training, or that they at least receive some training to jumpstart them into the role. Especially if, like me, you believe that part of the security professional role is to take some responsibility for the education of others. (Yes, I know that there’s a sizeable section of the security community that believes there’s no mileage in trying to educate the end-user – http://www.eset.com/download/whitepapers/People_Patching.pdf – but I’m not getting into that argument right now, either.

Before we start blaming everything (yet again) on lazy, incompetent, uneducated security experts though (and hopefully that isn’t what Rob meant), let’s remind ourselves of a few pertinent facts.

  • As my colleague Aryeh Goretsky has pointed out, banks with security guards are not immune to bank robberies. “Mitigation of risk != elimination in its entirety.”
  • When a company hires security professionals, it doesn’t necessarily mean it listens to those professionals. Especially when listening to their advice entails spending significant sums that could be better spent on upgrading the catering on the Executive floor.
  • The corollary to assuming that employing security professionals (even competent individuals with exemplary support from the Boardroom) is enough to eliminate risk, is that if some malicious actor does get through, someone has “failed” and needs to be fired. That’s just lazy thinking: not so different to giving the bank janitor a uniform, a revolver and six shells, and saying “Hey, you’re promoted: now our asses are covered.”

Let’s not forget Spaf’s first principle of security administration:

If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.

That observation by Professor Eugene Spafford is as accurate now as it was when I first read it nearly twenty years ago…

David Harley [Formerly FBCS CITP CISSP]
ESET Senior Research Fellow



2 thoughts on “Who Will Educate the Educators?

  1. Rob Rosenberger

    You deduce correctly, David! I fault Twitter’s 140-char limit: it doesn’t offer me enough room to pontificate. 🙂 Now if I may continue where I left off at character 141…

    Goretsky’s “bank guard” comment is perfectly valid. Sadly, though, it fails when you try to use it as an analogy to computer security guards. It fails for a subtle yet profound reason — namely, bankers set budgets for security personnel & technologies based on some very well-defined risk calculations. Competent experts actually believe they know the “ROI” for their investments in banking security.

    On the other hand, those three dozen “whacked” firms employ computer security personnel & technologies for reasons not associated with ROI. CIOs end up listening to people like Dan Erwin, who teaches computer security experts to fool their bosses with exaggerated stories and to cite a steady stream of flawed “statistical” reports that Mich Kabay & I & others have railed against for years. Competent experts actually don’t believe they know the ROI for their investments in computer security.

    (I worked on computer security in the brokerage industry in the 1990s, for those of you who question my insights to the financial world.)

    It takes more than 140 characters to propose we educate CIOs, not their computer security managers. See http://Vmyths.com/column/1/2005/1/3 for my CIO “special ed” program…

  2. Pingback: Educating the CIO « The AVIEN Blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.