What should a security practitioner be?

Over my years in the security field I often get asked, by people trying to get into security, what a security “person” should be. I also get told, by people who are in the field, what they think a security “person” should be. I have never really written a post on it, but I have given my opinion many times. So what should a security person be?
Smart - A security practitioner should be able to adapt quickly and learn on their feet. It is a sad statement, but most administrators are not fully versed in their systems, and a security person must know how the architecture of those systems works so they can advise and write policy.
A good verbal communicator - Most business people do not speak geek well at all. It is up to the security professional to be able to translate geek speak into real business terms. This will go a long way in gaining points with those who can help you make your environment more secure by giving you their support.
Teacher - You must be able to educate people on why they should not do the things that will increase risk. And the phrase “or hackers will get you!” does not work. For example, most people do not understand the real reasons they should choose a strong password, so they need someone to educate them.
Social - Being social helps avoid the “unapproachable geek” syndrome.
There are some people who believe that security people need to be programmers, authors, accountants or various other things that they are interested in. I would like to take a few moments to give you my opinion on these issues.
programmer - It is nice if your security person can read code, but they really do not have to be programmers. I understand where this comes from, with buffer overflows being a common attack, but it is not really needed. What they must be able to do is understand what they should put in policies to be audited against. Also, if you do not develop your own programs in house, you will put the secure coding requirements in contracts, but that does not mean you need to be a lawyer. See Smart from above.
authors - I believe this stems from the fact that security professionals need to be able to educate and communicate. While this is noble, it is not necessary, but it is nice to have. What is important is at least a decent written communication skill set.
accountants - This is one that I really do not understand. I guess it has to do with accounting and auditing practices, but I do not see this one as necessary either.
Keep in mind that these are just my opinions and they are open for debate. I would be interested in hearing yours.
Excellent post, Ken.
I think all four of your main points are spot on as far as being ingredients for a high quality security practitioner — especially smart and social. I almost feel like if you are intelligent, open-minded AND social you can master almost any field — including infosec.
As for the second part, I think it’s important to differentiate between “needing” to be a programmer, or “needing” to be a world-class writer or a CPA, and having it be highly beneficial. In other words, I think it’s well known that most security professionals are not super-geeks with social skills. And most security people aren’t good enough programmers to pass a Google Information Security interview. Most security people also can’t write well enough to get a book published.
But those people who are NOT those things are also 99.9% of the security people who have jobs. They ARE the security people, so these things are obviously not requirements.
In my mind, being a CPA with a masters degree and a CISSP who has published two books and can impress Google or IBM or Microsoft with his coding skills is the ideal. It’s something to strive for. It’s the best of the best (assuming they also have the four qualities listed in the OP, of course).
The people that have ALL of these exceptional characteristics are pretty much fictional. It’s an ideal for my ideal security guy as far as tangible benchmarks, not a standard by which to measure being a security person at all.
Most who are awesome writers aren’t great programmers. Richard Bejtlich isn’t a programmer. Paul Graham is a great programmer and a great writer, but could he secure my enterprise network? Marcus Ranum is a programmer AND a writer, but could he work in the corporate world and be social? I don’t think so. I don’t think he could tolerate the bullshit that’s part of the job.
So to me the übermensch is mostly fictional. It’s something to reach for. I do think world-class verbal and written communication (social) is VERY important to elite security people in the CORPORATE security world, and I think that adding programming to the mix would improve your ability to succeed even more, but I don’t think any of these things are “necessary”.
I think it’s possible to lack any one of these (or even two if you’re exceptional in one or two) and still go very far in security. Plus it all depends on what you think being “successful” in security is. Does that mean being an elite tech guy who stays locked in a lab (because he scares people) but makes 120K/year? Cliff Stoll is a genius but I’m not sure he’d do so well in a corporate setting. Or does “successful” purely mean rising up the ladder to CISO or CSO?
The bottom line for me is that if you master the first four you’ll go a very long way — possibly to top engineer or top executive (depending on your definition of success). There’s little doubt about that. Adding the writing level of being a book author or programming skills that can get you hired at a big company, or a masters degree, or a CPA, or a CISSP — all these things just raise your desirability and marketability that much more. And that’s what I like to consider my standard — the unnecessary ideal. It helps me feel pressure to grow.
Thoughts?
@Daniel
I agree they are ideals, but how much time should you devote to them? My point being that unless you only eat, sleep and breathe security and reaching them, are they obtainable? Most people have lives outside of work and do not want to spend every waking minute trying to reach these lofty goals.
I also feel that trying to get there is more detrimental than helpful. I think that a security person who focuses too much on these things actually becomes detached from what his main goals should be. That is securing the enterprise and reducing risk. They should be more focused on understanding than doing.
I hope that makes sense. I am interested in your thoughts.
I think whether or not pursuing these things is detrimental depends on one’s own personal goals and ambitions.
If one desires to be an expert in penetration testing, for example, I don’t think it’s a waste to spend time pursuing highly technical networking and programming knowledge. And if someone wants to be a CIO later it’d probably be a good idea to get an MBA or whatever.
In other words, if someone has clear goals and is pursuing them I think it’s hard to say that it’s detrimental to what they “should” be doing. I definitely think there’s still a place within information security for highly technical skillsets, and if someone wants to master some particular facet of that world I think that’s fine.
There’s always going to be a need for this level of expertise in various subjects, so whether companies get it from inside or through outsourcing, it still has to be available when you need it. As such, I don’t think there’s anything wrong with wanting to be one of the elite providers of that knowledge.
Thoughts?