5 Scary Types of Security Professionals You Will Meet in Your Career

Dinosaur knows-it-allHello everyone !

Information Security is cool. We all  know that. But…

I’ve been in the IT/Security industry for 18+ years now… which gave me the opportunity to meet the brightest security professionals around the globe, and also some who weren’t the “sharpest tool in the shed”. Far from judging, I’m just stating my perception.

But by being exposed to these “characters” I was able to build some profiles that distinguish them in the field. I bet you came across at least one of them!

These are the pariahs in the field… the ones who you spot from miles away in any convention and run away… Yes! You know I’m talking about the 5  scary types of security professionals you will meet in your career!

5 – The “NO” Master

Once upon a time in a meeting with the business:
– So as part of our growth strategy, we are planning to have a company presence on Facebook, and also advertise on Twitter so…
– No way!
– Sorry Jimmy, did you say something?
– Yes, I said no way we are opening Facebook for employees, nor publishing any company related information in it…
– But all the other companies out there are already…
– What do you prefer? Being on Facebook or being hacked? That simple.

CIO takes over:
– Ok, so if security didn’t approve it, let’s raise an exemption and get it done anyways.

Have you ever been to a meeting that goes more or less like that? Instead of listening to the business requirements and trying to meet their expectations with reasonable security controls, the NO-master cans the idea straightaway! What happens next is simple: the business requestor escalates the issue to the Executives who basically mandate that Facebook is opened (because they can/need).
The NO-master just missed a great opportunity to make a difference, and position himself/ herself as a contributor, rather than a roadblock!

4 – The By-The-Book Preacher

Brothers and sisters, we are here today to talk about the truth… and the truth is, if it’s written, it is right!

A typical scenario:

– This machine needs to be patched right now! I know that this machine is not sitting in our external DMZ, but patching best-practice/our policy (or whatever suits you) says that critical patches must be installed X hours after being released!

Sorry readers, but this one makes me laugh. And I have met hundreds of them.
There is no context applied, there is no risk profiling. It needs to be done because the book/policy says so.

As a security professional, you are not paid to stick to a bl***y manual. You are paid to help the business understand what the risks are, and the consequences of their (or lack thereof) actions. In the real world, some rules need to be bent sometimes provided that you know what the risk is to satisfy an SLA, a business requirement, or just to make your boss look good (troll face :D). Asking your support team to bring the payroll system down on the 30th of the month just because a critical Microsoft patch was released is not the way to go.

This type of security professional goes hand in hand with the no-master, sometimes with one leveraging of the other.

My tip for all those out there is to apply your knowledge and use the policies and books and procedures as the rule, but also by understanding that business comes first and if a decision has to be made between being secure and making a profit, 9 out of 10 you’re going to lose. Sad, but true.

3 – The Dinosaur

There is nothing he/she hasn’t seen before… there is always a real life FUD story to back up their claims. The dinosaurs are one of the hardest to fight against because they know it all.

Listen, I’m not trying to undermine your prestige or experience. It’s good to know that you have been exposed to all colors and flavors in your 350 years in the industry. What is not nice is the fact that you stopped challenging yourself a couple of decades ago, and in this ever-evolving world the requirements, technology and magnitude of problems have changed. A LOT.

Once I got myself in a hopeless argument with a dinosaur, which had his golden ages during the mainframe era, and his philosophy was simple: everything boils down to access control. If people are not allowed to do something, you have nothing to worry about.
I have to say I agree with this person to an extent, but to dismiss the fact that there are exploits out there that could give unauthorized user super privileges goes beyond access control. This is in my view the same as using a single medicine for all illnesses (and hoping it’s going to work).
No need to say that I went home spend the rest of the evening trying to clean my mind from such a rusty, archaic idea… It was hard though.

2 – The Technology-Solves-It-All

I bet you came across this one. There is no need for people. There is no need for processes. All you need is the latest tool and BANG, it’s all done!

To be honest with you all, sometimes I wish it was true. Setting up a firewall might take you a couple of hours, but teaching someone why they cannot download cracked software via uTorrent takes years. And sometimes not even years will do. But it doesn’t necessarily mean that technology will replace the need to have well trained human beings with well-defined processes in place. The tool should exist to make the process viable, and not vice-versa.
Another real life example from one of my discussions: Hey Adri, we have antivirus installed, the scan is set to run on a weekly basis, the signature files are being updated on a daily basis, why do we need to implement monitoring of our antivirus console?

Ahhh… conversations like that happen every day… I am starting to get bored… 😀

1 – The fear monger

Last, but not least. This one gives me goose bumps..

  • The fear monger sends you SMS at 3 in the morning about an article they read about a “just-disclosed compromise” in company X. They also call you to make sure you got the SMS.
  • The fear monger shrieks when you approve a security exemption requested by the business based on risk…. in their words, it’s just a matter of time for you guys to see what a big mistake you are making…
  • The fear monger looks forward to the day he/she can say: I TOLD YOU.

I tell you readers… this annoys the life out of me. Fear mongers are hard to deal with because they KNOW something is going to happen. Recently I had to argue with one of our auditors who were claiming that the fact that we didn’t have an access control matrix for application ABC was deemed catastrophic to the business, since there was no easy way to ensure that an employee who moves sideways within the company wasn’t retaining their access. Even though we had user regular audits of the user accounts.

Guys, I totally agree with the finding. I agree that an access control matrix would facilitate the identification of such users. But raising this risk as catastrophic to the business is unthinkable. If the lack of said matrix is “catastrophic”, how would you rank not having the access control mechanism at all? Armageddon?

Well, that’s it for today, I hope you enjoyed your reading and, I cross my fingers so that you don’t meet any of those for a period of time.

But if you do, don’t worry: I HEAR YOU 🙂

Filed Under: ArticlesFeaturedFrom me to youInformation SecurityJob MarketMy career

Tags:

RSSComments (11)

Leave a Reply | Trackback URL

  1. Amusing article.. The Dinosaur one made me laugh – I actually had a meeting with an ‘information security officer’ recently who trotted out the line ‘I have been doing this for more years than I can remember’ when I was trying to explain something to him!

  2. Steve says:

    Liked your article on “scary types”. Sometimes as professionals, we sometimes get too wrapped up in ourselves and talking all the time and not really listening or interacting. I liked how your article points out how dysfunctional that is.

  3. Michael says:

    Good article Adriano,
    I personally believe that irregardless of how we think and believe, it is 0ur job to find solutions. Business pays us to do exactly this. We need to know, and advise, on risks and dangers, but the bottom line is we are paid to react and to provide acceptable solutions. It is very irritating to hear NO being presented to business. I have to ask such EXPERTS if they plan to hold back the world and stop expansion. Business is going to move forward under nearly any circumstnce and it is our job to make them prepaired. And to be honest thats what makes this job so interesting nd fun to do.

  4. Randy Shaw says:

    Interesting article. You have a similar perspective to the 6 difficult types of people article posted here: http://psychcentral.com/blog/archives/2008/04/15/6-difficult-types-of-people-and-how-to-deal-with-them/

  5. MD says:

    Good article Adriano,

    As you indicated in article chances are you’ve met someone that posses all 5 mentioned qualities(personally i did) but yet to meet someone who posses both very deep hands-on experience mixed with theoretical ones-i think this is because security field is very large w/ so many domains. Maybe that comes with time on the job and some credentials(schools+certifications)…good reading though.

  6. Zman says:

    I defintely agree with the findings, I have met a few, and even been a few of these during my Infosec career, but the author hits the nail on the head that infosec needs to be more “in-tune” with the bussiness needs, its not about saying “no” its about getting to “yes” and that is going to take compromise, and some risk management and threat modeling of your processes and proceedures. Then you can better present the issues at hand to the business and make it palitable in their eyes and then you will probably see your security posture improve.

  7. Ian Tibble says:

    Good article, thanks.
    Infosec as an established business practice is only about 15 to 20 years old and we’re still learning. I think most of us look for a sense of balance but none of us know where the balance point is, plus – lest we not forget, security is complex. With all this we can easily say that nobody’s perfect and we’re also not in a position to say “i’m better than him [or her]”…because there’s no reference point.
    What criteria do we use to measure effectiveness as a security professional? CISSP? Ultimately we’re not in any position to pass judgment my friends.
    One thing for sure though, if we’re sat on a project board and we’re asked to make a call on risk for something like a new app deployment, I would hope that we actually have seen a command shell prompt before and had some fairly major IT experience (this is related to at least one of the categories mentioned here).
    Just my opinion – Analysts need to be tech-oriented to a heavy degree. It’s all about balance. We need some sense of business costs when we’re proposing safeguards, but hopefully our managers have a handle on that too. But as to how “tech” or how “businessey” we need to be…who can say?

  8. theman says:

    Obvious. I hope you got paid for writing this. Does it mean I can quit deciphering fw/router rocket science bug release notes and midnight reloads?

    Looks like I can just spend 20 minutes a day writing Dilbert stories about dysfunction in the IT Sec workspace and have enough money left over to hot-wax my Benz.

  9. David D says:

    What all of these five types have in common is in being categoric and absolute in promoting data security. Besides being simplistic it’s also unprofessional. Whenever I’m asked about whether specific IT practices and behavior should be permitted I always say that a risk assessment is first in order to see if there’s a possible business justification. This can entail a lot of work and the lazy prefer working off a check list.

  10. Sitaram says:

    Very interesting article. Nice to know.

  11. notorious says:

    I was expecting to read about 1337 hackers!

Leave a Reply