Back to Insights
Beaver: Infosec Pros Know Everything We Need to Know, But that’s Not Enough
June 20, 2017 | Security Policies and Strategy
By Kevin Beaver, IANS Faculty
The late James Martin, a former IBMer who was one of the pioneers of the IT industry, wrote a book called “Security, Accuracy, and Privacy in Computer Systems” that has a ton of great information on pretty much every security topic, from threats to policies to auditing. It even covers topics like cryptography. It contains all the stuff we work (and struggle) with daily as IT and security professionals and, arguably, has answers to many of today’s security challenges.
But here’s the catch: it was written in 1973. Yep, more than four decades ago, James Martin wrote 600 pages worth of information security wisdom that can still help us today – but only if we’re willing to let it.
Why am I bringing up a book that’s probably older than the average information security professional? Because it shows us why we still struggle with security today. You know, challenges like:
- Unenforced policies that merely exist to satisfy the busy work of auditors and lawyers
- Management assuming IT has everything under control with security because it’s a “techie computer” thing and they don’t want to hear the details
- Software that was purchased to help solve a specific security challenge that has since become shelfware or is otherwise “under-implemented”
- A lack of security standards across enterprise systems and applications that fosters a hodge-podge of controls
- Users making more security decisions than they should be
- IT and security professionals not receiving periodic and consistent training to keep up with the latest threats
- Little to no visibility into what’s happening on the network
- Minimal accountability or sanctions when security-related gaffes do occur
- Continual chasing of vendor security “solutions” that promise to fix every possible security challenge
Technologies certainly change. That’s the core of IT – being able to evolve and scale to meet the latest business technology demands. Security, however? Not so much. The core principles have been around since the beginning and they’re probably going to stay the same, yet we keep making the same mistakes.
We Need Discipline More Than New Technology
Based on my experiences as a security consultant, combined with what I hear from friends and colleagues in the industry, I can safely say we don’t need more of anything. We already know what needs to be addressed. We know what documentation is needed. We know what technologies are needed. We know what needs to happen culturally and politically. Yet, we continue down the same path, and so-called “network events” and publicized breaches keep happening.
I firmly believe that professionals who have spent only a handful of years in IT know everything they need to know about security. The problem? They’re not doing it! Author and professional business trainer Jeffrey Gitomer once wrote that “people who are cocky and arrogant say, ‘I know that’ and move along. People who are confident and positive ask themselves, ‘How good am I at that?’ and seek to improve.”
Instead of just buying something shiny and new or moderately groundbreaking, we need discipline. That is, the discipline to acknowledge our risks and barriers to security. Hint: they typically come with hair on top.
We also need the discipline to stand up and not only push for what’s right in terms of security, but to see it through to ensure our risks are properly addressed. If you’re struggling to get the proper traction with security initiatives in your organization, do what you can to change:
- Look inward and change your own attitude about security.
- Study as much about sales and leadership as you do technical IT and security topics.
- Build up your credibility.
- Foster positive relationships.
- Think about security from the perspective of outsiders.
- Go to your boss with proposed solutions rather than asking him or her to fix your problems.
- Get feedback.
Just know that every security challenge you face today has likely already been solved by someone else. You just need to figure out what that solution is and how to adapt it to your needs.
If you truly believe you’ve mastered these areas but are still struggling with security, then it may be time to look for another organization with leaders who can appreciate the value you bring to the table.
Kevin Beaver, CISSP is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia-based Principle Logic, LLC. Kevin has written/co-written 12 books on information security including the best-selling Hacking For Dummies (currently in its 5th edition).
Three Success Factors for SSH Key Management
APT28’s VPNFilter Malware: What You Need to Know
Adapt Threat Models to Thawing U.S.-North Korea Relations
OTT Messaging Apps: Know the Risks