Yesterday @UK_Daniel_Card started a good thread about the role of the CISO in organisations.

It got me thinking about a few things.

First, is "security" a respected profession in a meaningful sense (i.e. not just get paid to do it)?

Right now, I am not sure.
Before I go on, I need to caveat everything I am going to say (because $twitter).
First - I am not trying to add to the gatekeeping problems we already face.
Secondly - I don't think any existing certification is a solution. This is not a CISSP sales pitch.
So, what do I mean?

Compare security to another profession - let's say medical doctor or lawyer (solicitor or barrister).

Can you imagine going to a doctor who was fully self-trained? How about trusting your liberty to a barrister who learned by playing law games?
Now, some (possibly even most) of the best, most capable security people I know are entirely self-trained, often also with no recognised qualifications in the job.

But in most (all?) other executive professions, this is pretty unthinkable.
I've added the qualifier there because I am conscious that there are practical professions where it's slightly different but most people even want their hair cut by someone who has been formally trained rather than self-studied.
Last year, I worked for a CISO who had no real background in IT Security. He was an engineer and a salesman by training. He had run a few startups and realised security was well paid. He passed CISSP and, through middle-aged-white-man confidence became a CISO. He was terrible.
However, he was a salesman. He sounded convincing, even when he was catastrophically wrong.
This created situations where experienced people would say one thing but he would think something else.
Not only does this cause conflict, it also highlights a major problem with the job.
There is no objective reference to compare his "self-taught" ideas with those of people who have more experience. We don't have a standard entry test or even set basic requirements.
Is there a hospital, anywhere, where a self-taught doctor can overrule properly qualified ones?
For an outsider (the board in this example) there is no objective way to know who is correct, so they fall back on "we hired X to be CISO, he must know his stuff", which is insane. But what else could they do?

Self-taught people can be awesome, but how can you tell in advance?
6 years ago, I worked for a CISO with literally no security experience. They had an IT background but that's it. The org recognised this so paid a Big4 consultant to mentor the CISO daily for nearly a year.
The Big4 mentor was, as far as I could tell, entirely self-taught.
As you can guess, this doesn't solve the problem.

It means crazy ideas are passing via word of mouth. We are a super technical industry where oral tradition appears to be a recognised way of learning. Really?

Anyway - this CISO had exactly the same problems.

They had ideas.
They had lots of ideas.

The problem was most were stupid and lots were badly wrong.

Lots were ideas people had solved in the past, and if they'd had *any* formal training, they'd have known. But they didn't. Neither had their mentor.
This led to some insane situations like an IR exercise where they genuinely believed the IR team could "take Twitter offline" to prevent a leak. They also mandated that no one was allowed to take *any* notes during DFIR to stop it being discoverable. Nothing was to be recorded...
Now they sound almost funny, but they are the ones I *can* mention. Overall, the problem was that people who actually knew the job (formally trained or properly self-taught) spent half their working time trying to correct madness. Often trying and failing.
Could I wake up tomorrow and decide I want to be a surgeon? I've done basic first aid training and I can read Latin. So surely all I need to do is confidently get a job and have a mentor watch me for a year or so while I make critical decisions. Does that work?
I don't have a solution or answer to any of this.

I think we already have enough gatekeeping problems that saying "everyone in CyberSecurity needs a [thing]" is a mistake.

But I also think we aren't a profession while so much of what we do is basically a cottage industry.
You can follow @tazwake.