Shrinking Training Budgets

Sunday, February 27th, 2011

One of the alarming trends that I have heard lately is that budgets for Information Security seem to be recovering from the economic slump, but training budgets are continuing to shrink.  We have always suffered from the artificial distinction between companies setting aside money for higher education that can’t be touched, versus money for training, which is one of the first areas to be cut when times get tough.  I talk to a lot of young professionals who are frustrated because they can’t get money from their companies for training directly related to their job unless it is part of a degree program.  I have always been a proponent of higher education, but I have never really understood the Chinese wall between funds set aside for college education and professional training.  Higher education isn’t for everyone, and professional skill development should never be discouraged if it is related to your current position.  Even many of the most accepted industry frameworks of Information Security emphasize keeping the skills of your team up to date.  Of course professional training courses aren’t always the answer; on-the-job training and other free training opportunities are available, but eventually you will want to invest in some commercial training courses.

Earlier this month at the RSA Conference I attended an interesting professional development session titled “The CISO of The Future: Building A Competitive Skill Matrix.”  The presenter, Lee Kushner, spoke about several aspects of the CISO position and how to position yourself for it.  The point that made the biggest impression on me was “If you do not invest in yourself, do not expect anyone else to.”  Although there might not be equal funding in organizations for professional training, you really do have to take your career into your own hands sometimes.  Just relying on your employer to fund all your training and certification options could end up setting you back several years in your career development plan.  Good technical training isn’t cheap, and maintaining certifications can also get expensive, but if you choose the right ones it will be worth it in the end.  The trick is making the most of your training dollars.  Look for options that don’t require travel and register early to receive discounts.  For example, the SANS Northern Virginia conference offers a wide selection of Security, Audit, and Management courses taught by some of the top experts in the field, and if you register before March 2nd you can get $400 off the normal cost.  Many conferences and courses will even offer discounts if you register with your co-workers as a group.

Another disturbing trend that I have seen is the “get a CISSP for everyone” mentality.  Imagine a Windows system administrator comes to you with an interest in information security.  That is a good moment, right?  What I am seeing is that everyone’s first reaction is to send them down the CISSP path.  What value does the CISSP have for a system administrator?  Sure it gives you a good management level overview of security domains, but it isn’t going to give that administrator one single skill that he/she can apply in their daily work.  I would really like to see more Information Security programs sponsoring targeted security training for staff outside of the security team.  For example, the Northern Virginia conference has a great course, Virtualization Security, which would be much more appropriate for a systems administrator than a generic CISSP.

The rise in the number of CISSPs is happening at an alarming pace.  For someone who specializes in information security, the CISSP is on its way to becoming the equivalent of a high school diploma.  Not having one raises questions, but having one doesn’t really prove anything about your abilities as a security professional.  With so many CISSPs (over 70,000), the value of the certification is eventually going to be diluted.  In a way this is good because it will open the door for more specialized certifications, but as a community we need to stop recommending the CISSP to anyone who shows an interest in security.  I would rather have my operational teams learning the skills that they can use every day to protect our organization than trying to memorize some esoteric details from ten domains of information security.

If you want to voice your own opinions about the value of security certifications, you might want to check out the survey being run by the Information Security Leaders website.  This survey seems like it has the potential to provide a good independent assessment of the value of certifications.

Future Security Leaders at the RSA Conference

Thursday, February 17th, 2011

Back in November, I mentioned my concern about the lack of educational opportunities for future security leaders, and I am thrilled to report that we have started to change that this year at the RSA Conference.  Anyone who has been to the RSA Conference before knows that it officially kicks off on Tuesday each year, but the number of pre-conference options has been growing each year.  This year they added a new session in the Professional Development track, Building and Managing a Successful Information Security Program, which was very highly attended (450 attendees, not bad for 8:30 am).  As a speaker (and organizer for the morning series), I was surprised by the attendance, which validated the premise for the sessions: there are no formal educational forums for aspiring security leaders.  Basically, when you get the position of leading a security program for the first time, you have to figure it out as you go.  Wouldn’t it be nice to learn from the mistakes that have already been made by past leaders?

I thought that I would share a few points that I found most interesting from the sessions.  When someone joins an organization as a CISO or CSO, the tendency is to jump right in and start fixing things, but the reality is that it is far more important to spend the first six months on the job listening and profiling the organization.  Sure, you could make a list of the critical holes in the organization’s security program and start forcing change, but that is going to set the wrong tone for your program.  Instead, the advice from CISOs is to get as much information as you can about how the business functions and what its priorities are before you try to change anything.  Observe and document to start.

Another important topic was how to promote (or evangelize) the security program, and ultimately affect the culture of the organization.  Of course this is going to require support from the top executives, but this approach needs to be combined with context from the bottom up.  All too often the most senior management will agree to security initiatives, but that gets communicated down the chain to execution with no context.  Without context, the folks on the ground are bound to go through the motions even if the activity provides no security benefit.  It is important to make sure that the engineers and administrators understand why they are performing a task, so that they are empowered to identify when something is wrong.  Otherwise they will diligently perform a task everyday, with no hope of achieving its original purpose.  So as a security leader, you need to focus on both approaches to security education and awareness.

I received a lot of feedback after the session about how organizations are trying or have tried to decentralize some of the operational roles of the security team into other business functions.  For example, firewall administration and maintenance doesn’t need to be directly managed by the security team.  A network administration team can perform this function with oversight from the security team.  However, someone pointed out that it isn’t as easy as just moving the responsibility to another group.  There needs to be a transition plan, complete with training and oversight.  This also needs to be a formal part of their objectives, not a best-effort responsibility.  Many organizations have found it beneficial to even give up headcount to other groups to support them in bringing security professionals onboard.  One of the side benefits of this approach is that a security engineer who is embedded in an operational group often isn’t perceived as the bad guy the way the security team sometimes can be.  They are often seen as part of that team, which promotes trust and cooperation.  This can really help expand the reach of the security team at no additional cost.

Overall, I think that this opportunity for attendees to hear straight from leading CISOs what is important in their role is an invaluable dialogue that needs to continue if we have any hope of preparing our future information security leaders for the demands of the job.

I have posted a copy of my presentation, Organizational Structure, What Works (PDF), with speaker notes on my website.

The Next Generation of CISO

Sunday, November 28th, 2010

One question keeps coming up in my discussions with other peers in our field, and that is: where do aspiring Information Security leaders learn the necessary skills to run a mature Information Security program? There is really no professional certification or academic program that prepares you for the ins and outs of building and running an Information Security program. There are certainly classes that claim to be for security leaders, but these are really geared more toward security middle management, not the top positions. We are also starting to see some university programs market their courses toward the up-and-coming security executive, but from what I have seen most don’t have experienced leaders on staff. Rather, they are just taking some computer science staff and throwing them together with faculty from the business school, and calling it a program. Certainly the CISO community is not enormous, but we need to find a way to educate the next generation of CISOs so that we don’t keep making the same mistakes over and over. It is still way too common for another leader in the organization to get thrown into the top information security position with little to no security expertise.

I was talking to a colleague just the other day about the CISO of a major corporation, and he told me that this CISO had gone right from being an IT manager to the CISO position. How did he learn what was necessary to run a fairly complex security program and bring it up to current expectations? Well, he learned on the job as he went. Imagine how much more effective and how much further along the maturity scale this program could have been if its leader wasn’t stumbling over all the same pitfalls that every modern CISO has already experienced. It seems like the best you can hope for these days is to find a great mentor to help you develop the needed skills for the CISO position and try to learn from their style and mistakes. I know that in my own career I have been fortunate to find some amazing mentors who were willing to give up their time and set aside their own agendas to help with my career development. In fact, a big motivation for my last job move was to work under my current mentor, and I have seen my career opportunities grow and expand like I never imagined in that environment.

You can pick up a book and get maybe 20% of what you need to know to be a great information security leader, and if you are lucky enough to find the right mentor, you might be able to fill in the other 80%, but you really only get one perspective that way. What we need is a real structured executive leadership program for aspiring CISOs.

Not that it will totally fill this need, but I am happy to announce a new session at the RSA Conference 2011 that will hopefully inspire further development in this area. Along with some real all-stars in the field, I will be participating in a professional development session on the first day of the conference titled: Information Security Leadership Development: Building and Managing a Successful Information Security Program. The idea is that the best way to create an effective crash course in security leadership would be to recruit existing leaders in the field to teach students the various topic areas needed to run a security program. The format will be several short modules throughout the morning, each presented by a different security leader. This will allow students to experience many different perspectives about what it means to be a security leader. You can see the full agenda on the RSA Conference website.

We have organized this half-day session into modules focusing on a few of the essential security leadership topics:

  • Building Blocks of a Security Program
  • Making Regulations & Audit Work for You
  • Managing the Breach

If this session is successful, and I really think it will be a hit, then I hope that we can cover some additional topics in future years or at other venues:

  • how to base your security program on risk management principles
  • navigating the relationship with internal audit and external regulators
  • measuring the success of your program and communicating metrics to executives
  • presenting security to a Board of Directors or other senior management
  • how to influence and change the culture of your company to support security initiatives
  • how to align security initiatives with the objectives of the business
  • building a long-term strategy and short-term objectives
  • maturing your program to account for privacy considerations
  • ethical decisions and scenarios for security leaders

Getting to learn first-hand from real leaders and pioneers in the field is just such a great opportunity. I hope it will inspire even more learning opportunities like it.

Modern Information Security Challenges

Sunday, December 6th, 2009

There are several challenges in our evolving environments that make it difficult to adequately protect our resources. Among these many challenges, I think the following are worth mentioning:

  1. Blending of corporate and personal lives — It is harder to differentiate between your work life and personal life as the work day has less of a distinct start and end. For example, employees use company email for some personal communications, and some employees may be issued a BlackBerry or cell phone that they use for limited personal use. Many people may not even have a home computer and use their company-issued laptop for everything, including running personal software like their tax software. On the flip side, some employees may bring a personal laptop into the office and try to plug it in.
  2. Inconsistent enforcement of policies — Many organizations either haven’t enforced their policies in the past, or have done so inconsistently depending on the position of the employee. This causes many issues when a security function tries to crack down on violators. Hopefully you don’t have one of those organizations that has buried its security policies on some internal website that no one ever reads.
  3. IT doesn’t own and control all devices — I alluded to this issue above with personal mobile devices, but what if the organization doesn’t provide a PDA to the sales team, so they buy their own, start storing client lists on it, and try to connect it to your wireless network in the office? What happens when you need to do an investigation on that device? Can you?
  4. Blurring of internal vs. external — The edge or perimeter of the network isn’t as clear anymore. In the past we established strong perimeter controls to regulate access into and out of the network, but now that perimeter has been pushed out to partners with extranets, to third parties with hosting services, and to employees’ homes with VPN solutions that can be used from a personal desktop. Where would you even draw the line now?
  5. Covert attacks, no longer obvious — It used to be typical for a virus infection to be big and messy causing a lot of damage and immediately being obvious when you were infected. Now, however, attackers are silent and stealthy. They don’t want to erase your data or take down your system, they want to slowly steal your data or use your computing power to attack other victims. They do their best to be undetectable with rootkits and backdoor trojans.
  6. Moving target — As we mature and get better at securing our systems, the attackers find new and creative ways to bypass our controls. As we close the easy ways in, they develop more sophisticated attacks. It is a never-ending battle.

The threat landscape is constantly changing, and it can be easy to fall behind. Techniques and strategies that worked last year may not be enough this year. I’m not a proponent of spending every day analyzing the slightest change in threat intelligence, but your security program does need to be flexible. Take advantage of threat reports, study the major trends, and adjust your approach periodically.

Just remember that very few weaknesses or attacks are really new. Old attacks get repackaged and new buzzwords are coined. In my experience, it is just applying the same fundamental attack strategies to new targets. We in the information security field have the habit of making the same design mistakes over and over.

What a Busy Month!

Saturday, October 17th, 2009

October is turning out to be quite the busy month.  I just finished a presentation for SANS on Digital Forensics at the Holyoke Community College’s first Internet Security Awareness Conference yesterday.  We even got a few seconds of local news coverage on Channel 22 in Springfield.  If you squint really hard during the news clip, you can see me on the stage (in the dark) presenting a slide on Mobile Forensic Arsenals.

Next week I am doing a webcast with SANS on how to use risk management techniques to better manage vulnerability remediation efforts.  This is my first webcast with SANS, so I hope that it will be well attended.  It is free after all.  I wrote a brief blog article for Akibia earlier this week to introduce the topic and stir up some more interest:  Improving Vulnerability & Patch Management.

As if that wasn’t enough for one month, I will be presenting as part of the Risk Management Summit at the CSI Conference in Maryland on October 26th.  I will be participating in the panel discussion and also presenting a short discussion about How to Build a Risk Management Program from Scratch.  It is essential for any security professional to understand how a risk model can become the center of a mature information security program.  Attendees will learn how to build a Risk Management Program from scratch and the fundamental components that are required for a holistic approach.  This session will also demonstrate how to successfully approach integrating it into your environment with minimal resistance.

That same week, I am organizing an evening of free sales training focused on skills for security consultants, A Crash Course in Security Consulting.  As part of SANS’ commitment to sponsoring free educational sessions for the infosec community, they will be providing some great speakers and a hands-on excerpt from their SEC 560 Network Penetration Testing & Ethical Hacking course.  If that isn’t enough, we will have some sales training experts presenting, and beer and appetizers will be provided.  You can’t get much better than free food and training!  I think this will be a very valuable session for aspiring and current consultants in the field.  Especially those of you who are going out on your own.

I think that just about does it for this month.  Luckily I am finishing up my class at Northeastern next week, otherwise I don’t know when I would sleep …