Information Security is cool. We all know that. But…
I’ve been in the IT/Security industry for 18+ years now… which gave me the opportunity to meet the brightest security professionals around the globe, and also some who weren’t the “sharpest tool in the shed”. Far from judging, I’m just stating my perception.
But by being exposed to these “characters” I was able to build some profiles that distinguish them in the field. I bet you came across at least one of them!
These are the pariahs in the field… the ones who you spot from miles away in any convention and run away… Yes! You know I’m talking about the 5 scary types of security professionals you will meet in your career!
5 – The “NO” Master
Once upon a time in a meeting with the business:
– So as part of our growth strategy, we are planning to have a company presence on Facebook, and also advertise on Twitter so…
– No way!
– Sorry Jimmy, did you say something?
– Yes, I said no way we are opening Facebook for employees, nor publishing any company related information in it…
– But all the other companies out there are already…
– What do you prefer? Being on Facebook or being hacked? That simple.
CIO takes over:
– Ok, so if security didn’t approve it, let’s raise an exemption and get it done anyways.
Have you ever been to a meeting that goes more or less like that? Instead of listening to the business requirements and trying to meet their expectations with reasonable security controls, the NO-master cans the idea straightaway! What happens next is simple: the business requestor escalates the issue to the Executives who basically mandate that Facebook is opened (because they can/need).
The NO-master just missed a great opportunity to make a difference and to position himself/herself as a contributor, rather than a roadblock!
4 – The By-The-Book Preacher
A typical scenario:
– This machine needs to be patched right now! I know that this machine is not sitting in our external DMZ, but patching best-practice/our policy (or whatever suits you) says that critical patches must be installed X hours after being released!
Sorry readers, but this one makes me laugh. And I have met hundreds of them.
There is no context applied, there is no risk profiling. It needs to be done because the book/policy says so.
As a security professional, you are not paid to stick to a bl***y manual. You are paid to help the business understand what the risks are, and the consequences of their actions (or lack thereof). In the real world, some rules sometimes need to be bent, provided that you know what the risk is, to satisfy an SLA, a business requirement, or just to make your boss look good (troll face :D). Asking your support team to bring the payroll system down on the 30th of the month just because a critical Microsoft patch was released is not the way to go.
This type of security professional goes hand in hand with the NO-master, sometimes with one leveraging the other.
My tip for all those out there: apply your knowledge and use the policies, books and procedures as the rule, but understand that business comes first, and if a decision has to be made between being secure and making a profit, 9 times out of 10 you’re going to lose. Sad, but true.
3 – The Dinosaur
There is nothing he/she hasn’t seen before… there is always a real-life FUD story to back up their claims. The dinosaurs are among the hardest to fight against because they know it all.
Listen, I’m not trying to undermine your prestige or experience. It’s good to know that you have been exposed to all colors and flavors in your 350 years in the industry. What is not nice is the fact that you stopped challenging yourself a couple of decades ago, and in this ever-evolving world the requirements, technology and magnitude of problems have changed. A LOT.
Once I got myself into a hopeless argument with a dinosaur who had his golden age during the mainframe era, and his philosophy was simple: everything boils down to access control. If people are not allowed to do something, you have nothing to worry about.
I have to say I agree with this person to an extent, but dismissing the fact that there are exploits out there that could give an unauthorized user super privileges ignores a problem that goes beyond access control. This is, in my view, the same as using a single medicine for all illnesses (and hoping it’s going to work).
Needless to say, I went home and spent the rest of the evening trying to clean my mind of such a rusty, archaic idea… It was hard though.
2 – The Technology-Solves-It-All
To be honest with you all, sometimes I wish it were true. Setting up a firewall might take you a couple of hours, but teaching someone why they cannot download cracked software via uTorrent takes years. And sometimes not even years will do. But that doesn’t mean technology will replace the need for well-trained human beings with well-defined processes in place. The tool should exist to make the process viable, not vice versa.
Another real-life example from one of my discussions: “Hey Adri, we have antivirus installed, the scan is set to run on a weekly basis, the signature files are being updated on a daily basis, why do we need to implement monitoring of our antivirus console?”
Ahhh… conversations like that happen every day… I am starting to get bored… 😀
1 – The fear monger
Last, but not least. This one gives me goose bumps…
- The fear monger sends you SMS at 3 in the morning about an article they read about a “just-disclosed compromise” in company X. They also call you to make sure you got the SMS.
- The fear monger shrieks when you approve a security exemption requested by the business based on risk… in their words, it’s just a matter of time for you guys to see what a big mistake you are making…
- The fear monger looks forward to the day he/she can say: I TOLD YOU.
I tell you, readers… this annoys the life out of me. Fear mongers are hard to deal with because they KNOW something is going to happen. Recently I had to argue with one of our auditors, who was claiming that the fact that we didn’t have an access control matrix for application ABC was catastrophic to the business, since there was no easy way to ensure that an employee who moves sideways within the company wasn’t retaining their access. Even though we had regular audits of the user accounts.
Guys, I totally agree with the finding. I agree that an access control matrix would facilitate the identification of such users. But raising this risk as catastrophic to the business is unthinkable. If the lack of said matrix is “catastrophic”, how would you rank not having the access control mechanism at all? Armageddon?
Well, that’s it for today. I hope you enjoyed your reading, and I’m crossing my fingers that you don’t meet any of these for a while.
But if you do, don’t worry: I HEAR YOU