Posted by: David Schneier
encryption, NPPI, PCI, Regulatory Compliance, Security, SOX
Ever since I first started blogging I’ve worried that there would be weeks when I would simply draw a blank when it came to finding a topic worthy of the audience’s time and attention. While I may have hit the occasional bump in the road with posts that weren’t of the “keeper” variety, I’ve been relieved that my day-to-day experiences have never left me short of ideas. But every once in a while I come across a nugget, a relatively minor kernel of an idea that while potentially interesting isn’t by itself enough to fill the page. And so I tend to keep a list on the side that I use to simply jot these things down and review every now and again.
So imagine my surprise that when I added my latest little bit of genius to the list a pattern presented itself to me that hadn’t been there even a week ago.
For those of you plying your skills as Information Security professionals, I need to warn you what follows is potentially inflammatory, insulting or validating; it all depends on how you look at your career.
I was stunned a few months back when I noticed on LinkedIn a new application called “TripIt.” The main idea of the application is to enter and track your trips, be they business or personal, including locations, dates and a general description and then post it on your LinkedIn page. The end result is that everyone who can view your LinkedIn profile can also see where and when you’re traveling. My first thought was that it was just a bad idea within the professional domain. It’s a common rule within the infosec space that you should never send email auto-replies to anyone outside your company indicating that you’re out of the office lest it provide hackers with an opportunity to try and hijack your account while you’re away. That rule also applies to voice-mail greetings for the very same reasons; it’s just too much information. The first five people who I noticed using it were, gulp, infosec pros.
Then two weeks ago, I was conducting fieldwork during which a tremendous amount of pomp and circumstance was placed around physical access controls that were designed and implemented by a group of security folks; they had followed a tried-and-true recipe in designing the related controls. From the outside looking in, everything looked great. From the inside looking out, there were more holes than on a golf course. While at a fundamental level their critical data was exposed to very little risk as a result, the amount of peripheral damage that could’ve been done elsewhere was substantial. I’ve been known to complain in the past about controls that look great but don’t work, but in this instance I was disturbed by how obviously smart people had simply followed a canned recipe without truly thinking things through and validating the effectiveness of what they’d done.
This week I’ve had the opportunity to review two resumes from people who are likely way smarter than I; both are information security consultants. Both individuals listed accomplishments and capabilities within the security domain that touched on just about every segment of the infrastructure. I believe I have a good nose for legitimate resources, and both of these people presented themselves quite well at the bits-and-bytes level. But neither of them tied their experience back to solving business issues. With all of the well-publicized work around mandates and regulations (e.g. PCI, data privacy, NERC, SOX, etc.), you’d think there would be some attempt to connect their experiences back to something someone in the executive suite would appreciate or recognize.
Maybe I’m overthinking things, but shouldn’t people who advertise themselves as information security professionals be a little less binary and a bit more aware? While it’s important to have devices and software configured properly, isn’t it that much more important to be contextually aware and understand what’s needed to protect the business and its information assets?
This has become something of an issue for me lately as I’m working with multiple clients who are dealing with a broad range of challenges. I’ve become increasingly aware that there’s more than just a fine line between a security engineer and a security expert. One can tell you all about firewall rules, while the other can tell you where to install them and why. One can work their way down a checklist ticking off to-do’s (think PCI self-assessment), while the other considers the applicability and risk of each item before so much as touching the keyboard. And yet both tend to present themselves similarly, even though they’re not the same.
If you’re truly an infosec professional, you need to display that in how you make choices (restrict the personal information you share with the digital world), in how you conduct your work (design controls, try to break them, and then close the gaps), and in how you decide what’s necessary and sensible (encrypt credit card data, but also make sure salespeople aren’t writing down non-public personal information on scratch pads). Don’t become an expert on tokenization and think that qualifies you to design a complete PCI security plan. Don’t advise your clients/users on proper security practices and then go out and fail to follow your own advice. And don’t ever think that because you’ve satisfied some regulation or framework you’ve gone far enough to mitigate or manage risk.
In this day and age, with the threats to our digital assets greater than ever and with increasing pressure being brought to bear by government and industry regulations, it’s more important than ever that the right people be put in the right positions to help address these myriad challenges. And it’s more important than ever to understand that not all information security professionals are alike; decide who shall lead and who shall follow, and be sure to choose carefully.
Next time out I have some interesting insights to share regarding NERC, so be sure to check back next week.