Silicon Shecky

Infosec Practitioner


Copyright © 2025 ·Sixteen Nine Pro Theme · Genesis Framework by StudioPress · WordPress

Have we lost sight of the future?

February 21, 2017 By Michael Kavka Leave a Comment

The InfoSec industry is short-handed, and we all know it. The question is what we are doing about it. Seriously, we have a community that is pretty welcoming. That is all fine and good, but have we thought the process through enough? What happens when we are not here? With how fast things change and come up, how are we getting people to want to get into our industry?

I look at our industry and am worried. We all know about the skills shortage, the number of job openings, and how insecure everything is. We keep saying security is a process, not a destination, and that is true. The issue, though, is that we are focused on the here and now, at least most of us are. Those that are forward thinking, looking for the next issue, are only looking at technology. There is a bigger crisis, and that is who will take over from our generation? Yes, we see people in their twenties at the conventions, but seriously look at how many there are. Who will take over from them?

The way I am seeing it, if we really want to be about security, we have to nurture the next generation. Think about it: how many times do people in our industry say it takes passion and a desire to learn to be part of the world of InfoSec? How many times do people in our industry brush off degrees and some of the certs, and say you need a cert that will run you $6,000 plus experience? How much of that can we actually impart to those who cannot afford a SANS class, let alone a computer?

There are organizations out there such as Hak4Kidz that are aimed at teens and pre-teens and are awesome about inspiring the next generation. Even with that, though, how many slip through the cracks? How many do not have parents who can see it, or who are able to pay for their children to attend these conferences? I recently talked with someone from the Boys and Girls Club and it got me thinking about all this. I was told how much these children loved it when they were shown a little of how games are programmed, and about the interest in technology that they showed. Inner-city youths who are poor, who have to share a computer with the family if they are lucky, show interest in the technology field. Now ask yourself: how many of these children will slip through the cracks, and how many innovations will be missed because of that?

We as a community need to start taking a long, hard look at this. There are groups, Boys and Girls Clubs, Boy Scouts, Girl Scouts, Girls Inc., and many others, that we can get in touch with and work out some sort of program. It might just be a one-time thing: going in and showing them how to be a bit more secure, showing them what some of the tricks are and how those tricks can affect them. Sure, we might only get a few per group, but think about it: that is a few more who will be interested in securing the future. The teens and pre-teens who show interest need to be mentored. If we really are about securing all the things, don’t we have to include the future? Isn’t that part of the scope, to make sure that we have enough people behind us for when we retire or are gone?

Filed Under: General, Security

Get Over It…

November 4, 2016 By Michael Kavka Leave a Comment

“I turn on the tube and what do I see

A whole lotta people cryin’ “Don’t blame me”
They point their crooked little fingers at everybody else
Spend all their time feelin’ sorry for themselves
Victim of this, victim of that
Your momma’s too thin; your daddy’s too fat
Get over it” – Get Over It by The Eagles
Some of the truest lyrics for these times. Everyone wants things fixed; no one is willing to own up to their mistakes. Security is an illusion.

There is a group that professes to be all about our security. We hate them. They have put up barriers, slowed us down, made us uncomfortable. They have shown that they can’t do their job: stuff gets through, and we are not much more secure with them around. They watch us, scan us, stop us from having things with us that we feel we need. Still, we are no more secure. They limit access, have special lanes, and can be invasive, all in the name of better security. Yet we are still vulnerable. It is a show; security is an illusion.

Yes, I’m talking about the TSA in the previous paragraph, but think about it. I could very easily be talking about our industry, information security. We all know there is no way to make us 100% secure, so we posture, put out new products and still get pwned. We make the end user’s life more difficult. This world keeps accelerating; first to market is the thing. The end user doesn’t really care about security, though. They want it, yes, but they don’t want to think about it. So products that might be superior security-wise tend not to be popular. Why? Simple: first to market is first to market. Unless that first-to-market item has some super major usability issue (see Android 1) or is priced too high (the original Windows PDA phones), first to market is hard to dethrone.

What do we, our community of infosec professionals and hobbyists, do about this? We berate, we laugh, we joke and we act superior. Now we are even doing that among ourselves. We are the jerks, and that jerkishness doesn’t help, it hinders. We are not educating the end users. Yes, it is their fault, but it isn’t. They shouldn’t have to worry about the security of computers, networks, IoT, and other devices. They have to, though, because of first to market. We have to educate them to care, and we have to figure out a way of taking our snark out of the process, to empower them to make the choice for the better, more secure product. Then we might start seeing companies trying to bake better security into devices from the start.

I mentioned us being jerks to each other. That needs to calm down also. Doing that is a good way to scare people away from becoming part of the solution. Who wants to work and deal with jerks? Yeah, we can snark, but we need to know when and where to use it. We need to be more welcoming to new people and more understanding of each other. As our industry becomes more and more compartmentalized, we need to work more and more on our soft skills. We need each other, because not a single one of us can know it all.

Security is an illusion, yes, but we can make things more secure than they were. We just need to get our heads on straight and stop being the problem.

Filed Under: Rants, Security Tagged With: InfoSec, IoT

The forest or the trees?

October 14, 2016 By Michael Kavka Leave a Comment

I was having an interesting conversation on Twitter with Mr. Jeff Man this morning about the state of the infosec world, mostly about our lack of true understanding of risk, and how we have become one of our own biggest problems.

It all started with a tweet from Jeff: “A vulnerability is one part of the risk equation, but not the only variable. Do we spend as much time on the other variables? #infosec”. Throughout the discussion we talked about understanding the variables in risk management, which in the end is what security really is.

We all know nothing will ever be 100% secure. We have learned formulas for figuring risk. We realize that we have to use intuition with those formulas at times. But do we really understand that upper management looks at the monetary figures more? For a different angle, look at the credit card companies here in the U.S. They have lagged behind in moving to chipped cards, and still don’t require PINs for those chips, even though PINs are more secure. The risk equation, to them, points out that they save money by paying out for breaches instead of requiring the higher-priced, safer technology. Don’t take the initial hit until you have to. I remember this same principle being described as a Japanese manufacturing principle: figure out what percentage of items will not be at proper specification (returned due to defect), build part of that cost into the price, and if the overall cost of returns becomes too high, then worry about a recall and redesign. Don’t fix it unless absolutely needed.

Once we grasp this idea, and I mean truly grasp and understand it, we can work with it to our favor. It might take longer-term projections, or showing how the brand could be impacted by bad PR (according to some in marketing, no PR is bad PR). The issue with us grasping this, though, is more cultural.

The vast majority of us are techies. We are the geeks, the nerds, and we love being that type of person. We hyperfocus on the hard problems and ignore or shove to the side the stuff we don’t want to deal with. This, though, affects not only risk assessment but the future of the infosec community.

Our community is still young in some ways, but has been getting a lot more rigid lately. Look at what we deem good certs vs. bad certs, how we accept different ideas in, and how we learn. Each year I see more of a divide in certain areas. Training, top-notch training, is affordable through your work, if you are lucky, but on your own? $5,000 is a lot of money to shell out, especially for the new people in our line of work, or those looking to break into it. Yes, there are things like Cybrary and ITProTV with lower-cost online training (both on demand and virtual classroom). But that $5,000 is in-person, hands-on, focused training. It is the GIAC, which is a great cert. It is how to get people up to speed and on the same page. It can be a barrier: to entry at worst, to advancement at the minimum. We as a community have to do better at helping ourselves out with training.

See how thick the forest starts getting? See how we keep looking at just a few trees? We are getting to a point that our lack of vision is creating the problems we are trying to solve. Where we are the problem. The question is, where do we go from here?

Filed Under: Rants, Security Tagged With: infosec, risk, Training


