
Ira Winkler, Contributing Columnist

Are your security professionals qualified?

Opinion
Aug 16, 2012 | 5 mins
Cybercrime, IT Leadership, IT Skills

Many don't know what they don't know

Several lessons have been derived from the recent iCloud security incident, but the most important for me is how it demonstrates the ignorance of many security professionals, an ignorance that calls their management into question.

When the iCloud hack started hitting the news, it generated a lot of discussions among security personnel. Many of them grasped the underlying concepts reasonably well. Unfortunately, though, some of the conversations demonstrated a clear lack of understanding of fundamental security concepts.

As is widely known by now, a hacker was able to compromise the Amazon.com and iCloud accounts of a Wired reporter. The accounts were compromised as a result of operational security flaws in the password reset processes of the respective organizations. The attack itself was rather involved, but at bottom it was a fairly straightforward social-engineering attack.

One thing that is clear is that the strength of the account passwords was completely irrelevant, since the attacker simply needed the password reset. Why, then, would someone who is supposed to be a security professional argue that the attack would not have been successful if the passwords had been stronger?

When I read that comment from a self-identified security professional online, I had to wonder about his qualifications. I soon learned that he had been reassigned to the information security department from another department and had no formal security training before the reassignment. That isn’t the problem, though. The problem is that this person was not provided any training after the reassignment and did not seek it out.

This situation is not unique among Fortune 500 companies. Many companies have a hiring freeze, while also conducting layoffs. Frequently, that means that the security departments have to take whomever they can get. Even if there isn’t a hiring freeze, many companies have a habit of encouraging employees to rotate internally for professional development purposes. This has the effect of encouraging security managers to accept people whom they might not otherwise choose.

Neither circumstance would be a fundamental problem if proper training were required. Unfortunately, many companies don’t have an adequate training budget or an established qualification program in place.

This raises a couple of concerns, in my eyes. First, unqualified and untrained security personnel will clearly create poor security programs for their organizations. If they don’t understand the issues, then they can’t determine the most effective ways to secure their organizations.

Second, a lot of people ask security professionals for advice. If the professional doesn’t really know what he is talking about, you end up with a lot of bad advice. That proliferates insecurity. Just as bad, if it becomes obvious that the advice is wrong, that will undermine trust in the security profession as a whole.

It doesn’t have to be this way, even in an era of tiny or nonexistent training budgets.

I know one chief information security officer (CISO) who, upon being hired, immediately set out to determine which people on his staff had no real security know-how. He was able to remove those people from his department because he had obtained approval to hire at least a core team of competent staffers. What makes this story relevant for anyone pinched by hiring freezes is that the CISO did not demand “world-class” professionals, just tech workers with basic competence and diligence who could demonstrate that they were fundamentally security-savvy.

In another organization that I know about, the CISO implemented a training program that required his staff to read iconic security books and online articles. He also rotates the people through a variety of assignments and sends them to local security events. The level of trust placed in these people is commensurate with their progress.

Both of these CISOs make the best of the limited resources available to them and assume that any reasonably competent person is teachable. And the tools that the second CISO uses to educate his staff have minimal cost or none at all. Yes, formal training would be even better, but when that isn’t possible, there are affordable options that are worth pursuing.

In fact, the value of training on the fly shouldn’t be underestimated. I happen to believe that cybersecurity-specific college degrees are overvalued. In the absence of all other practical training, a specific degree program can be useful, but practical experience and relevant training are infinitely more valuable to a person’s role as a security practitioner.

In the end, I see this whole business of security-staff competence as a management issue. While fundamental training to develop a basic competency in security doesn’t have to cost a great deal, it does require planning on the part of the CISO or other responsible manager. It’s very easy to call out a security practitioner for not knowing fundamental security principles, but you really have to stop to ask who made that person a security practitioner in the first place and wonder whether that manager at least tried to instill a fundamental knowledge base.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.