Archive for February, 2011

Shrinking Training Budgets

Sunday, February 27th, 2011

One of the alarming trends that I have heard lately is that budgets for Information Security seem to be recovering from the economic slump, but training budgets are continuing to shrink.  We have always suffered from the artificial distinction between companies setting aside money for higher education that can’t be touched, versus money for training, which is one of the first areas for cuts when times get tough.  I talk to a lot of young professionals who are frustrated because they can’t get money from their companies for training directly related to their job unless it is part of a degree program.  I have always been a proponent of higher education, but I have never really understood the Chinese wall between funds set aside for college education and professional training.  Higher education isn’t for everyone, and professional skill development should never be discouraged if it is related to your current position.  Even many of the most accepted industry frameworks for Information Security emphasize keeping the skills of your team up to date.  Of course professional training courses aren’t always the answer; on-the-job training and other free training opportunities are available, but eventually you will want to invest in some commercial training courses.

Earlier this month at the RSA Conference I attended an interesting professional development session titled “The CISO of The Future: Building A Competitive Skill Matrix.”  The presenter, Lee Kushner, spoke about several aspects of the CISO position and how to position yourself for it.  The point that made the biggest impression on me was “If you do not invest in yourself, do not expect anyone else to.”  Although there might not be equal funding in organizations for professional training, you really do have to take your career into your own hands sometimes.  Just relying on your employer to fund all your training and certification options could end up setting you back several years in your career development plan.  Good technical training isn’t cheap, and maintaining certifications can also get expensive, but if you choose the right ones it will be worth it in the end.  The trick is making the most of your training dollars.  Look for options that don’t require travel and register early to receive discounts.  For example, the SANS Northern Virginia conference offers a wide selection of Security, Audit, and Management courses taught by some of the top experts in the field, and if you register before March 2nd you can get $400 off the normal cost.  Many conferences and courses will even offer discounts if you register with your co-workers as a group.

Another disturbing trend that I have seen is the “get a CISSP for everyone” mentality.  Imagine a Windows system administrator comes to you with an interest in information security.  That is a good moment, right?  What I am seeing is that everyone’s first reaction is to send them down the CISSP path.  What value does the CISSP have for a system administrator?  Sure it gives you a good management level overview of security domains, but it isn’t going to give that administrator one single skill that he/she can apply in their daily work.  I would really like to see more Information Security programs sponsoring targeted security training for staff outside of the security team.  For example, the Northern Virginia conference has a great course, Virtualization Security, which would be much more appropriate for a systems administrator than a generic CISSP.

The rise in the number of CISSPs is happening at an alarming pace.  For someone who specializes in information security, the CISSP is on its way to becoming the equivalent of a high school diploma.  Not having one raises questions, but having one doesn’t really prove anything about your abilities as a security professional.  With so many CISSPs (over 70,000) it is going to dilute the value of the certification eventually.  In a way this is good because it will open the door for more specialized certifications, but as a community we need to stop recommending the CISSP to anyone who shows an interest in security.  I would rather have my operational teams learning the skills that they can use every day to protect our organization than trying to memorize some esoteric details from ten domains of information security.

If you want to voice your own opinions about the value of security certifications, you might want to check out the survey being run by the Information Security Leaders website.  This survey seems like it has the potential to provide a good independent assessment of the value of certifications.

Future Security Leaders at the RSA Conference

Thursday, February 17th, 2011

Back in November, I mentioned my concern about the lack of educational opportunities for future security leaders, and I am thrilled to report that we have started to change that this year at the RSA Conference.  Anyone who has been to the RSA Conference before knows that it officially kicks off on Tuesday each year, but the number of pre-conference options has been growing each year.  This year they added a new session in the Professional Development track, Building and Managing a Successful Information Security Program, which was very highly attended (450 attendees, not bad for 8:30am).  As a speaker (and organizer for the morning series), I was surprised by the attendance, which validated the premise for the sessions: there are no formal educational forums for aspiring security leaders.  Basically when you get the position of leading a security program for the first time, you have to figure it out as you go.  Wouldn’t it be nice to learn from the mistakes that have already been made by past leaders?

I thought that I would share a few points that I found most interesting from the sessions.  When someone joins an organization as a CISO or CSO, the tendency is to jump right in and start fixing things, but the reality is that it is far more important to spend the first six months on the job listening and profiling the organization.  Sure, you could make a list of the critical holes in the organization’s security program and start forcing change, but that is going to set the wrong tone for your program.  Instead, the advice from CISOs is to get as much information as you can about how the business functions and what its priorities are before you try to change anything.  Observe and document to start.

Another important topic was how to promote (or evangelize) the security program, and ultimately affect the culture of the organization.  Of course this is going to require support from the top executives, but this approach needs to be combined with context from the bottom up.  All too often the most senior management will agree to security initiatives, but that gets communicated down the chain to execution with no context.  Without context, the folks on the ground are bound to go through the motions even if the activity provides no security benefit.  It is important to make sure that the engineers and administrators understand why they are performing a task, so that they are empowered to identify when something is wrong.  Otherwise they will diligently perform a task every day, with no hope of achieving its original purpose.  So as a security leader, you need to focus on both approaches to security education and awareness.

I received a lot of feedback after the session about how organizations are trying or have tried to decentralize some of the operational roles of the security team into other business functions.  For example, firewall administration and maintenance doesn’t need to be directly managed by the security team.  A network administration team can perform this function with oversight from the security team.  However, someone pointed out that it isn’t as easy as just moving the responsibility to another group.  There needs to be a transition plan, complete with training and oversight.  This also needs to be a formal part of their objectives, not a best-effort responsibility.  Many organizations have even found it beneficial to give up headcount to other groups to support them in bringing security professionals onboard.  One of the side benefits of this approach is that a security engineer who is embedded in an operational group often isn’t perceived as the bad guy the way the security team sometimes can be.  They are often seen as part of that team, which promotes trust and cooperation.  This can really help expand the reach of the security team at no additional cost.

Overall, I think that this opportunity for attendees to hear straight from leading CISOs what is important in their role is an invaluable dialogue that needs to continue if we have any hope of preparing our future information security leaders for the demands of the job.

I have posted a copy of my presentation, Organizational Structure, What Works (PDF), with speaker notes on my website.