North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: How to get better security people

  • From: Benjamin P. Grubin
  • Date: Wed Apr 03 11:43:53 2002

It strikes me that much of the focus seems to be people on one hand
wanting "deep security expertise", which is considered technical, and on
another finding it difficult to actually have that single person be able
to impact enterprise/network-wide security.  Since "deep security"
experts are a valuable commodity, it is unlikely that spreading them
throughout an organization is feasible.

What needs to change in this model is how one defines a "security
expert".  While some deep technical knowledge in security technologies
relevant to your environment is critical, that person should hardly be a
bottleneck for the security organization.  In fact, that person should
rarely--if ever--communicate outside his/her organization.  What is
needed is a someone capable of "creating" the pixie dust you spoke of,
Sean.  That dust has to be sprinkled, it's hard work, and a technical
professional cannot do it.  The problem is that when an organization
sees a need to focus on security, the first thought tends to be to get
an "expert" hired on.  In reality, this expert will have little effect
since he/she will not be able to stick a finger in every piece of pie
around.  Instead, getting the HR department to focus on a "strategic"
security manager should be the first task on the security checklist.
This person need not be a deep technical expert, though some level of
technical expertise is usually desirable.  Higher on the list is
communication skills, management by influence (as opposed to authority),
educational experience or talent, and a deep understanding of how to
promote security awareness throughout an organization.

Surprisingly, these people are both easier to work with and easier for
HR to target than your average "deep security expert".  If the goal is
to establish security as a priority for an organization, and ultimately
have far greater impact than a couple of security engineers, this is the
type to be looking for.  They don't need to have 20 years of security
experience.  People with *some* security experience and a whole boatload
of business, education, management, and political experience fit this
bill.  The profile of this person usually lines up with what would be
termed a CIO.

Once this person is in place, it becomes a lot easier to coordinate
security both within and outside of an organization.  The "community"
model for incident response has been shown inadequate by most
institutions which value their privacy.  I would think the ISP/network
provider companies would be less sensitive to this, and look for
meaningful ways to cooperate.  Having a person where responsibility for
this sort of thing would rest in each of the companies would go a long
way to getting it started.  "Deep security experts" are definitely not
suited for this type of work.

Just my $.02


> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of batz
> Sent: Wednesday, April 03, 2002 11:03 AM
> To: Sean Donelan
> Cc: Christopher E. Brown; NANOG
> Subject: Re: How to get better security people
> On Wed, 3 Apr 2002, Sean Donelan wrote:
> :Instead of a neighborhood watch do we need a network watch?
> :While we need a few people with "deep" security knowledge, we also
> :need to spread a thin layer of security pixie dust throughout the
> :entire organization.
> The NIPC, CERT, OCIPEP(Canada) and other organizations try to 
> fill this role. The Incidents mailing list also
> tries to do this on a more ad hoc basis, along with the honeynet
> projects, and to a great extent Nanog. If ones definition of security 
> includes integrity and reliability, then Nanog has been performing
> that role since its creation. 
> The problem that exists with the neighbourhood watch model is that
> it assumes some sort of community and, despite a few exceptions, 
> there is no community of internet providers. 
> There are communities of network engineers and other specialists, but 
> the possibility of corporations getting together with a common goal, 
> which may temporarily supercede their individual competetive 
> advantage, 
> is just not going to happen. They can have industry 
> associations, lobby 
> groups, interest groups, and other representative bodies, but 
> community
> is not one of these, and thus any network watch program which depends 
> on community will be hampered. 
> So, the challenge is to find a model of information sharing 
> in which a 
> balance between effectiveness and the protection of 
> competitive information 
> that is slanted heavilty to the latter. This on top of providing value
> to the participants. 
> There are some private security alert services like this. I 
> can personally 
> highly recommend the securityfocus ARIS tool and their 
> commercial Threat 
> Management System. NAI's virus alert system is excellent, as is 
> a similar service from 
> The non-classified government briefings I have seen don't 
> really provide 
> value from an up to the minute threat analysis perspective. They might
> help an executive hold an intelligent conversation on current 
> affairs, 
> but they do little for people who are responsible for protecting the
> infrastructure.   
> Personally, I would like to see a mixture of the MAPS RBL and 
> available, where emerging hostile netblocks
> can be blackholed for short periods of time using attack information
> gathered from and coroborated by a vast array of diverse sources.  
> --
> batz