SANS surveyed over 1,800 computer security experts and found that the worst mistake a company can make that leads to a breach is to place untrained people in security roles. Recent surveys show a clear trend – elevate and/or create security staff over the next 1-5 years. CISOs will report to the CEO or primary stakeholders instead of farther down the management ladder at a company. This means they will have more influence, directly, upon risk management for an organization. As CISOs hire staff for emergent and growing security teams they will have a hard time finding security staff with experience. The staff most often hired will have x years as a sysadmin; or they have managed servers for a lifetime; perhaps they’ve rolled three generations of a hardware solution in their current job. These are all great IT experiences. However, for security proper the role and function is much more than traditional IT operations and there are few such experienced people applying for jobs these days.
What I’ve seen in various jobs and consultation over the years is maturation along the lines of “hello world” (it works) to IT management. Once you get things working pretty good and can recover with increased resiliency when there are issues (printer won’t work, email is down!) you start to optimize and/or audit your work. This is where most functional small and medium size business live and operate. Their concept of security is to google a SANS site or similar solution to run through a checklist of technical controls. This is thinking from an IT perspective, making things functional and then solving problems with technical solutions, largely focused on operational capabilities. Their concept of security is to perhaps run a vulnerability scan or pen test without any thought of Risk Management, governance, policy, procedures, threat intelligence, and a methodology for how to attack their most common IT based challenges that put them at risk. Such teams often fail to realize where their crown jewels are and how they are at risk, the birthplace of security proper for any organization. They tend to focus on tactical instead of also strategic.
Security, as sexy as it seems with jobs like “ethical hacker” posted online, is really the hard work of governance to lower risk across an enterprise. It involves much more policy, soft skills, liaison functions, and so on than it does uber ninja hacker activities. Historically it’s been an unpopular job that lacks precision in the industry – some put on the traditional auditor hat and/or play bad cop as they hammer down on policy, what is best, and how everyone is getting it wrong and things need to change. Did you hear that – yeah – lead balloon people approach there ;-D. Then there are successful – commonly seen in very large organization – security stud’s that have soft skills, know enough geek, and bridge the gap with key stakeholders. These individuals can do great IF they understand operational governance and how to best navigate that within the complexities of their own people and organization. And then there is the in-between type shop or small shop that has a do-it-all security stud, but in today’s world if that individual is any good at being a ninja of all things cyber they’ll be working a better job for a more well funded company in the near future.
Staff working their way up into security these days have a really tough challenge. As SANS pointed out in their survey, trying to take an IT guy and have him do a security job, is the biggest mistake a CISO can make that will most likely lead to a breach. Really? Yes.
Do you have much of a choice as a CISO today, on hiring seasons security staff versus IT folks that you hope can be agile, adapt, and learn? Nope. Far too few people with cockpit time or real world security experience. If you do find them they’ll cost you an arm and a leg so you can’t build out your entire team with any such expert. But do this – hire at least one security stud with cockpit time fighting real-world fights against complex adversaries. This person can provide job shadowing and leadership in a variety of ways for all the IT and/or security analysts that want to become engineers or researchers over time.
I won’t dive into all that is involved in security, compared to IT, but will generally state that it involves more of an architect and strategy mindset while working the technical on advanced and/or optimized levels that is very different from traditional IT operations. It also involves a very new way of thinking and focusing efforts on counter-intel actions against threats and adversaries targeting your network. It’s warfare and it’s your job to defend your network; a very different reality from IT operations.