Create an Account
username: password:
 
  MemeStreams Logo

TaoSecurity: "Untrained" or Uncertified IT Workers Are Not the Primary Security Problem

search

Rattle
Picture of Rattle
Rattle's Pics
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Rattle's topics
Arts
  Literature
   Sci-Fi/Fantasy Literature
  Movies
  Music
Business
  Tech Industry
  Telecom Industry
Games
Health and Wellness
Holidays
Miscellaneous
  Humor
  MemeStreams
   Using MemeStreams
Current Events
  War on Terrorism
  Elections
Recreation
  Travel
Local Information
  SF Bay Area
   SF Bay Area News
Science
  Biology
  History
  Nano Tech
  Physics
  Space
Society
  Economics
  Futurism
  International Relations
  Politics and Law
   Civil Liberties
    Internet Civil Liberties
    Surveillance
   Intellectual Property
  Media
   Blogging
  Military
  Security
Sports
Technology
  Biotechnology
  Computers
   Computer Security
    Cryptography
   Cyber-Culture
   PC Hardware
   Computer Networking
   Macintosh
   Linux
   Software Development
    Open Source Development
    Perl Programming
    PHP Programming
   Spam
   Web Design
  Military Technology
  High Tech Developments

support us

Get MemeStreams Stuff!


 
TaoSecurity: "Untrained" or Uncertified IT Workers Are Not the Primary Security Problem
Topic: Computer Security 2:58 pm EDT, Jun 10, 2010

I really like Richard Bejtlich. He is one of the few security bloggers that truly gets practical infosec.

There's a widespread myth damaging digital security policy making. As with most security myths it certainly seems "true," until you spend some time outside the policy making world and think at the level where real IT gets done.

The myth is this: "If we just had a better trained and more professional IT corps, digital security would improve."

This myth is the core of the story White House Commission Debates Certification Requirements For Cybersecurity Pros.

My opinion? This is a jobs program for security training and certification companies.

Here's my counter-proposal that will be cheaper, more effective, and still provide a gravy train for the trainers and certifiers:

Train Federal non-IT managers first.

What do I mean? Well, do you really think the problem with digital security involves people on the front lines not knowing what they are supposed to do? In my opinion, the problem is management who remains largely ignorant of the modern security environment. If management truly understood the risks in their environment, they would be reallocating existing budgets to train their workforce to better defend their agencies.

Let's say you still think the problem is that people on the front lines do not know what they are supposed to do. Whose fault is that? Easy: management. A core responsibility of management is to organize, train, and equip their teams to do their jobs. In other words, in agencies where IT workers may not be qualified, I guarantee their management is failing their responsibilities.

So why not still start with training IT workers? Simple: worker gets trained, returns to job, the following conversation occurs:

Worker to boss: "Hey boss, I just learned how terrible our security is. We need to do X, Y, and Z, and stop listening to vendors A, B, and C, and hire people 1, 2, and 3, and..."

Boss to worker: "Go paint a rock."

Instead of spending money first on IT workers, educate their management, throughout the organization, on the security risks in their public and private lives. Unleash competent Blue and Red teams on their agencies, perform some tactical security monitoring, and then bring the results to a class where attendees sign a waiver saying their own activity is subject to monitoring. During the class shock the crowd by showing how insecure their environment is, how the instructors know everyone's Facebook and banking logins, and how they could cause professional and personal devastation for every attendee and their agency.

We need to help managers understand how dangerous the digital world is and let them allocate budgets accordingly.

I also like the fact that he frequently compliments my friends on their work. :)

TaoSecurity: "Untrained" or Uncertified IT Workers Are Not the Primary Security Problem



 
 
Powered By Industrial Memetics
RSS2.0