The immortals and mortals of information security

Dear readers,

We all know that the Internet presents you with thousands of websites talking about the latest security threats, breakthroughs and technologies. However, it is not an easy task to find useful information about how to conduct our Information Security, Risk Management and Compliance careers and become better professionals. That is the main reason why My Infosec Job was created: to be a reliable repository of information that guides your career along a successful path.

As such, your participation is paramount to enriching our shared knowledge, either by sharing your experiences and comments, or your perception of market trends and life in the trenches.

Today I’m proud to bring you a new My Infosec Job section called “Be My Guest”, an open space for you to publish articles and share opinions with thousands of readers in more than 130 countries around the world, promoting a healthy discussion of your point of view while a respectable site shines the spotlight on you. For more information on how to submit your article, please get in touch with us.

To open the Be My Guest section, we bring you an excellent read by Denny Roger, an accomplished Infosec Professional from Brazil with several years of experience in the field (more details about him at the bottom of the article).

Enjoy your reading, and don’t miss the chance to become one of our columnists!

-Adriano Dias Leite




The immortals and mortals of information security

By Denny Roger

Every day I receive emails requesting information about information security courses and certifications. My answers by email or during a lecture are always controversial, especially when I am speaking at some university. Let’s understand what really happens.

I was talking with two colleagues about how to get a good job. One of the issues discussed was how the interviewer can evaluate your knowledge. The issue came up because many professionals hold positions in information security without having what it takes to perform the function. The fault is not the professional’s who is performing the function, but the person’s who hired the “professional”.

The person who is recruiting does not have the knowledge necessary to evaluate the professional’s profile. This happens all over the world. Instead, the employer evaluates the candidate’s knowledge through referrals and certifications.

First of all, referrals don’t work because the candidate can provide the contact of a friend or relative as a reference. It is obvious that the friend or relative will provide a good reference. This happens very often.

Second, the company requires you to have certain certifications. If you want to get a job or increase your salary, just study and pass some exams (for example, the CISSP).

Third, many professionals are certified because the company paid for the required certification. Sometimes the employer requires that the employee hold a certification.

There are many cases where the professional is certified in a particular technology but works in another area. For example, one of our co-workers recently achieved CCIE certification. However, this professional works with Windows systems. In other words, he has experience in one area but is certified in another. This co-worker only “sought” the certification because the company requested it.

Comments (6)

  1. Joe Muggs says:

    In my experience, the terms “mortal” and “dimwit” are apropos. Certifications supplement the mortal’s skills and substitute for the dimwit’s.

  2. One thing I would recommend to anyone that wants to get into Information Security is to start understanding the difference between InfoSec and Information Technology Security or Information System Security (i.e. IT or IS Security). This helps you prove to the business that you know the “business needs” for the technology security that you’re putting in place; they then accept the security rather than feeling you did it just to “get in the way”.

    I’d recommend that anyone interested in this get a good understanding of the ISO 27000 standard … and I agree with the comment earlier that the CISSP is out of date … it relies too much on technical knowledge. The 27000 standard covers the other aspects required: administrative controls and physical controls (along with the logical controls i.e. technology). Information is stored in many other places than on electronic systems: paper, microform, in our brains; if you haven’t secured these along with the technology then you don’t have “Information Security”.

  3. […] was to briefly outline the experience in the work carried (information security). Please visit http://www.myinfosecjob.com/2010/02/the-immortals-and-mortals-of-information-security/. Part of my presentation will cover the elements of […]

  4. Poison says:

    Denny, you hit the nail on the head when you say that the fault lies with the recruiter. However, to be fair to them, the alternative of getting folks who are recognized amongst their peers is also not an easy task.

    Firstly, someone who is certified is probably also a member of those professional forums, for instance a CISA will be a member of the local chapter and will be required to attend and even talk about their experiences to get the CPE credits. So it’s hard for an outsider to be able to tell who is really proficient in their area.

    Secondly, most recruiters are not members of the forums themselves and therefore are not aware of the standing of a member there.

    Thirdly and most importantly, most companies do not yet understand the importance of Infosec. Sounds weird, yes, but it’s true. Look at the breaches happening around you. Unencrypted tape drives, laptops, USB sticks, etc… being lost resulting in data breaches!
    Unpatched servers, virus attacks, etc….!!!

    I mean, these cos aren’t even losing data to skilled hackers. They’re losing data due to their incompetence and stupidity. Are these small companies that cannot afford an Infosec team? No !!!
    Then why can’t they implement encryption on all storage media, disable USB access, patch servers, update AV dat files and push updates?

    The reason is clear, the managements of most companies still feel that Infosec is simply not important enough. They feel that the cost of a Security incident is less than the cost of investing in setting things right. I’ve seen numerous incidents wherein they pompously claim that they have accepted the risks, it’s a risk that has never materialized in the last few years, and therefore is unlikely to happen in the future.
    But having a CISO is imperative, cos clients will ask about the organization’s Infosec initiatives, so these forward thinking companies hire a team of jokers with certifications who are content to be YES men, and tout them as the cure for all their infosec woes. Give them a lofty title and they will keep the clients happy. If only it was so easy though…..

    Oh, and if the clients are really insistent, then well go get the org certified too. ISO27001, SAS70, SOX et al…. Never mind that the consultant is so brain dead that he/she will sign anywhere you ask him to sign as long as the payoff is good.

    The real credit for success goes to management and the real blame for failure also goes to management. They’re also the real Mortals and Immortals in this story.

  5. […] Click here to continue reading The immortals and mortals of information security […]

  6. Albatross says:

    Having taught the CISSP bootcamp, I consider the content of CISSP training antiquated and out of touch with what the industry needs or requires. Despite this, I always advise aspiring security professionals to get their CISSP. Because, as you rightly point out, the CISSP is the single most widely recognized security certification in the world. The CISSP is a success of marketing, if not security. IMO it would be VERY hard to sustain a Fortune 500 infosec career without a CISSP.