Firewall Wizards mailing list archives
RE: Going meta (was RE: Ok, so now we have a firewall...)
From: Chris Pugrud <chris () pugrud net>
Date: Fri, 3 Jun 2005 14:09:14 -0700 (PDT)
--- "Bill McGee (bam)" <bam () cisco com> wrote: [BIG SNIP]
And, of course, it's a bit silly. While I agree that a parallel course of action is to make the solutions idiot-proof, part of the problem is one of scale. The pool of folks who understand what's going on is being diluted by the growing influx of folks who haven't got a clue. So, while the number of competent practitioners out there is actually going UP (IMO), the general Security IQ has been going down (notice how the crowds at the security conferences seem to actually know LESS each year?). I would argue that we need to do MORE educating (including the establishment of an Advanced Degree in Network Security, but that's another discussion.)
Having just completed an advanced (M.S.) degree in Network Security (Information Security and Assurance) from an NSA accredited CAE (Center of Academic Excellence) and yet another big name popular infosec certification after a 10 year career in infosec, I'd have to say I have a declining view of education and/or certification. I did both because some organizations value credentials more than they value skills (which are hard to measure), and I thought it would be an interesting experience. I have no doubt that everyone on this list has had the experience of working with blithering idiots who have walls full of impressive credentials, people who are earnestly honest when they say things like deny rules and STIGS (federal security standards) are "a good idea, a nice guideline, but not really practical." I'm almost ashamed to admit I have the same security certifications as some of these alleged professionals. Marcus has an interesting approach in the "throw the bums out" initiative, and it actually has started happening. On the DoD side of the federal house every information security risk must be signed off on by a single individual, pen to paper, and those people are increasingly being held accountable, and even thrown out, when it hits the fan. Admittedly the federal government has the distinct advantage of being able to send people to jail when they do egregiously stupid things, something that certainly helps people think twice. There are no easy answers or silver bullets to the question of how to identify and empower cognizant and responsible security professionals. I do think that implementing a process of formal risk acceptance by the CxO, something that they know will be in front of the board when everything goes wrong, with their pretty little signature at the bottom, is an excellent first step. Some level of truly challenging certification may be useful as well, but they seem to keep failing.

There are many reasons that the CCIE is the gold standard, but it is also testing a set of skills that are inherently testable and not memorizable. Security is not purely technical nor is it (yet) truly a science, and quantifiably judging somewhat of an artform is arbitrary at best. I think that the CCIE truly succeeds because it's damned hard to get, yet it's accessible enough that you can self study and pass. It has the rote memorization aspect, but the real challenge is the one day, in person, in your face, blood, sweat and tears, full contact demonstration of skill, thinking, and ingenuity. It might not be fair to the timid, but the purpose of a hard certification is not to be fair, it is to clearly identify professionals who have proven their capabilities in the face of adversity. Enough sidetracks, I didn't even get to my joyous classroom experiences, like "network security" (I'll give you a hint - the "correct" answer is always cryptography).

Accountability is paramount. There are very real damages being caused by lapses in information security, both in the public and private sector. "Sign on the dotted line" risk acceptance goes a long ways towards making risk takers think twice. It's much easier to dismiss responsibility when something was "approved" than when the nasty consequences are clearly spelled out above your signature.

Enjoy!

Chris

---
"It's Friday, I may be short on sleep and tall on coffee..."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards