The Professionalisation of Security
In its new Cyber Security Strategy report published on 25 November 2011, the UK Government says it will “Improve levels of professionalism in information assurance and cyber defence across the public and private sector.” The entire report is predicated on the assumption that the UK is insufficiently prepared to counter the current and imminently expected cyber onslaught from both organized crime and foreign nation states. Part of the solution, says the report, is to ‘improve the levels of professionalism’ in information security.
A good CISO
This begs the question: what makes a good and professional chief information security officer (CISO), and what should his (or her, which we’ll come back to) role be within the company?
Stuart Aston, chief security advisor at Microsoft believes a combination of business and communications ability is more important than a technical background. “Most particularly,” he says, “the CISO must be a good communicator, able to communicate the importance of infosec to all levels, and translate the needs of the board into actionable activities by the Infosec team.”
Amanda Finch, general manager at the Institute of Information Security Professionals, and herself CISO of the year in 2007, agrees on this hybrid personality. A good CISO “needs a strategic mindset to be able to look at the changing threat landscape, changes in technology and working practices and be able to interpret how this will affect the organization. Strong communication skills are paramount with the ability to influence at board level to ensure appropriate programmes are realised, but also to evangelise across the organisation at all levels to engender a strong security culture.”
The question then becomes: are such people available, and if so, are they being employed? Tim Holman, the UK president of the Information Systems Security Association (ISSA-UK), thinks yes to the first, but maybe no to the second. “There are so many good security leaders I know through my work at the ISSA-UK, but they feel they would be taking a huge career risk by even considering some of the CISO roles that are on offer today. It’s as if boards just want somebody to blame – and that’s got to change.”
Perhaps then, the professionalisation of security, and the government’s efforts, need to be targeted more at companies than at individuals. Note for example that it was only after its security breaches affecting 100m customers that Sony began to take security seriously and appointed Philip Reitinger from the US Department of Homeland Security as its new CISO.
There is another pearl of wisdom in the security strategy report: the government will encourage the development of “a community of ‘ethical hackers’ in the UK to ensure that our networks are robustly protected.” Let’s not quibble about the original meaning of ‘hacker’; today it simply means someone who breaks into computers. So, in the process of professionalising security, we should ask ourselves whether it is ever a good idea to employ an ex-hacker. Opinion is divided.
“No,” says Tim Holman pragmatically, “because all the good hackers are still in jail or are banned from using computer equipment. I know some ex-hackers that have learnt from their past experience, but would you ever really trust these guys?” “No,” agrees John Morrison, managing director of Sapphire. “They are wired the wrong way and have the wrong mindset.” But yes, says Mickey Boodaei, CEO of Trusteer: “Ex-hackers can give the ‘good guys’ an important edge in this fight.” “What better than turning the hunted into the hunter?” adds Steve Watts, Co-founder of SecurEnvoy.
Microsoft’s Aston summarizes the issues. “We need to distinguish between the guy who develops an exploit and releases it into the wild, and the researcher who develops an exploit purely as a proof of concept, without ever disclosing it irresponsibly. The second person here demonstrates two valuable characteristics: a technical understanding of infosecurity and a high degree of moral responsibility. The same cannot be said for the first. Since security is all about ‘trust’, you need to ask yourself which of these two people you would trust to protect your data. However, dismissing both categories automatically excludes a potentially valuable resource that could prove beneficial.”
Women security professionals
But let’s go back to the cyber security strategy report. Nowhere does it suggest that we are not sufficiently using a particularly valuable resource: women. Not all, but by far the majority of security professionals are men. Why is this? Are women really biologically unsuited to computers and computer security?
Amanda Finch believes that some historical family and education stereotyping is at play, left over from when the role was purely technical. But “the industry has changed over time,” she continues, “and has become more mainstream. The emphasis is now on protecting the information, and realises the value of risk management and user education to protect information. I think that this has helped to attract more women into the industry.” In this old stereotyping, men like doing and women like creating: men like tinkering with the technical workings of security, while women would prefer to use security to create a better workplace and environment.
Bev Robb, an American IT consultant with a speciality in security and the online handle ‘teksquisite’, agrees with the historical stereotyping, and believes the solution, broadly speaking, lies in education. “Education begins in the home,” she says. “The next step up is schooling, then mentoring. Parenting should involve exposing children to all potential academic resources available, in order to give them myriad options to choose from. If the educational opportunities at home are minimal, then it is essential that opportunities at the schooling level become available. We also need more female mentors who are willing to offer their expertise to inspire eligible women candidates.”
One thing seems clear: whether the lack of women in the early days of security is down to biology or stereotyping, the evolving professionalisation of security is changing things. The new role of chief information security officer will attract, and benefit from, greater female involvement.
So where is the professionalisation of security? It has come a long way; but there is clearly much still to be done. There are excellent security professionals around, but their role needs to be given more prominence within business. It is not so much the individuals that need training; it is companies that need to give more credence to the need for security and the security professionals they already have.
In other areas, judicious use of ex-hackers could increase the professional knowledge of the security team; but companies must think very carefully before bringing them into the professional management of security.
And finally, if business is ever going to treat security really professionally then it needs to take an axe to the glass ceiling and unleash the enormous potential of women in security management.