Full Disclosure mailing list archives
Re: IT security professionals in demand in 2006
From: "sk" <sk () groundzero-security com>
Date: Tue, 6 Dec 2005 02:13:08 +0100
Not everyone who gets involved in security gets there because it was the
primary objective. The implication I was trying to make was that some
people get pushed down the security road. If they actually go down that
road they will focus on practical security, and start to learn more, but it
takes something to push them down that road.
well ok then they are in the security field, but it doesnt make them "professionals". not everyone with a CISSP is a professional and its simply to show off to bosses and people which arent familiar with the IT security filed. I'm into security since +11 years, i surely know what i am talking about.
Yes, I do. At least to 19-21 year olds at community colleges. I regularly
speak to students about to head out into the field after taking courses to
learn about networking or information security courses to let them know
what the real world is like. I use the security guard analogy and it clarifies
alot of things. Most of the people in these courses recognize the lack of
respect for mall security guards they had only a few years earlier, and at the
same time the enhanced (generally speaking) respect a person has for
someone driving an armored car. It is not a perfect example, but as an
analogy it clarifies things fairly well.
ok fair enough, but you talk on a list where people have tons of certs and are security professionals, so no need to be so basic.
I disagree with this. Someone who is really interested in security who
does not have experience in the field, or at least knowledge of business
process will do more harm than good. At least to pass the CISSP you need
to understand the basics of networking and some formalized
knowledge. It is not a good cert, but there is a minimum 'you must have
memorized at least this much' threshold to finish the exam. i'm not talking about a complete moron. i mean someone who already understands the ins and outs of a network and is familiar with administration, but then goes into the security field and keeps learning. he soon will be way more skilled as anyone with a CISSP. someone whos not familiar with different operating systems,administrating those and a fair understanding of networks wont be able to go far in the security field anyway...
Compare that to someone who has read a few papers on security and follows
best practices (whose? why? etc). Small businesses can't afford to
hire expensive consultants, but they deserve better than budding hackers to
help them. Furthermore, if there is an incident the business can be held
liable for, pointing at a CISSP and saying he helped set it up can go along
way to proving that at the very least some due diligence was shown.
Pointing at timmy down the block who sets up wireless is not going to have
the same value from a business perspective. sure this makes sense, but i was not talking about some kid in the basement, but an professional administrator or even better a programmer going into the security field out of interest. then again, as i said, a small company will outsource security.
In the real world this can cost as much as $1000 CAD an hour, for a cheap
consultant. Ongoing support is unrealistic for many businesses. i know its not like i work on the moon you know :P but i dont talk about constant support. a small company doesnt need that anyway. once in a while, maybe once a year have a real security audit of the network. with good administrators this is enough as if they are told whats wrong with the network in first place (i.e. when the company starts) and then taking the advices and work based on those, a small company should be fine if they keep updating their software (what they will be told most likely by the security team that does the audit). well but this isnt the topic really so nevermind.
I know of a few that go out of the way to only hire IT guys that have a
security background. But they are definately exceptions to the rule. yes, surely they do as some boss will obviously look at certs, but thats where we come to my original topic, those certs dont proove anything so the CEO may think he hired a good security consultant and feels save, but his trade secrets go out of the network all day unnoticed as the security guy has no idea whats really going on as most of them sit on their certs and think thats it, but without constantly learning your going nowhere. they spend all their working time on their high paid asses and brag on some forums or mailinglists on how skilled they are.
Real world information security is about risk. It is an insurance policy.
You spend $X,XXX in the hopes that an incident that costs $X,XXX,XXX won't
happen. Until you convince business that ideal security (not perfect, as
we agree perfect is impossible) should be the objective, not risk mitigation,
businesses will not improve spending.
yes its about risk, but this 1,000,000 $ or more costs after a security breach only applies to very large networks. most of the time its just that expensive because companies have to hire expensive security professionals while the actual work wouldnt cost much at all.
To convince businesses that ideal security is better, we need to have
legislation that holds business owners accountable for security failures that impact
individuals other than shareholders.
most of the time you can only convince a CEO to pay more for security after they have been compromised, but thats life...
This is the unfortunate reality that security researchers and the talented
security professionals live in. This is not a world that hackers live in. Hackers
live in an academic world that lets them posit scenarios where SHA-1 breaks
are a legitimate threat (it will be soon, but it is not a realistic or credible
threat *right now*). Hackers, regardless of their motivations, live in a
world where the only limits are their imagination, dedication, and willingness to
overcome ethical 'challenges' to gain access to facilities and resources
they require to push the boundaries of security. well i agree somehow, but then again many many real hackers work in the professional security field and even sometimes hold such courses for certs as they know exactly that noone is a professional after such a cert, but they get paid for it well so why shouldnt they exploit that opportunity. i remember some text that vH from THC wrote "hackers go cooperate" or something ..might be a nice read for you :-) so well i just want to say that a security professional should be someone who is really professional and CISSP doesnt make you one. -sk _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- IT security professionals in demand in 2006 Ivan . (Dec 04)
- Re: IT security professionals in demand in 2006 sk (Dec 05)
- Re: IT security professionals in demand in 2006 wilder_jeff Wilder (Dec 05)
- RE: [lists] Re: IT security professionals in demand in 2006 Curt Purdy (Dec 05)
- Re: [lists] Re: IT security professionals in demandin 2006 Jason Coombs (Dec 05)
- Re: [lists] Re: IT security professionals in demand in 2006 InfoSecBOFH (Dec 06)
- Re: [lists] Re: IT security professionals in demand in 2006 Andre Ludwig (Dec 06)
- Re: IT security professionals in demand in 2006 wilder_jeff Wilder (Dec 05)
- Re: IT security professionals in demand in 2006 sk (Dec 05)
- Message not available
- Message not available
- Message not available
- Re: IT security professionals in demand in 2006 sk (Dec 05)
- Re: IT security professionals in demand in 2006 Andre Ludwig (Dec 05)
- Re: IT security professionals in demand in 2006 J.A. Terranson (Dec 05)
- Re: IT security professionals in demand in 2006 Scott Renna (Dec 06)
- Re: IT security professionals in demand in 2006 Buford T. Pisser (Dec 06)
- Re: IT security professionals in demand in 2006 wilder_jeff Wilder (Dec 06)
- Re: IT security professionals in demand in 2006 6ackpace (Dec 06)
- Re: IT security professionals in demand in 2006 wilder_jeff Wilder (Dec 06)
- <Possible follow-ups>
- RE: IT security professionals in demand in 2006 J. Patterson Wicks (Dec 06)