Improving the IT & Security Industry – A Top-Down Effort

The ever-ongoing debate about quality IT staff once again received a nudge, this time by an article by J. Oquendo. In his article he takes another brutally honest stab at the industry by pointing out that the new Shady RAT attacks aren’t that new and would have been easily caught by capable personnel. I agree with that view very strongly and would also like to point out that Shady RAT is really no different from Night Dragon in that both attack waves used techniques that have been known for a decade or more. Obviously someone is asleep at the wheel, but who?

In several articles I’ve seen about this topic, I have seen in-depth descriptions of the observed failures of the staff itself as well as of the certifications that should have tested their skills. These seem to me to be symptoms rather than a cause, and it is a cause I don’t see in many other industries. Most industries have some kind of self-correcting function built in. In the medical profession there is a Medical Board that reviews its members and is able to punish shoddy work. Lawyers can be disbarred by the Bar Association in their district. A bad carpenter may well find himself nailed upside-down to a wall if he doesn’t pull his weight during a large construction project. All of these are examples of peer review. What makes the IT industry so different?

Two major differences immediately came to mind:

  • The cost of mistakes is hard to quantify (or even detect) in IT; and
  • Line and project management are much less skilled in IT than their counterparts in other industries are in theirs.

The cost of mistakes is hard to detect and quantify
Compared to other industries, mistakes made by IT personnel aren’t always obvious. Systems may keep on working and may even appear to work properly when they are poorly configured. If a system does crash, it’s often very hard to quantify exactly how much damage there is and what it has cost the company. If a surgeon makes a mistake, the effect is often immediate (e.g. a patient keels over). If a construction worker makes a mistake, a building may collapse. In either case the problem is usually clearly visible and peer review takes place. The lack of visibility and of immediate effects inhibits such peer review in the IT industry.

Line and project management personnel are not sufficiently skilled in IT to manage its staff
The fact that IT is still somewhat of an ethereal topic to most people is reflected in the poor choices made when hiring management personnel. You wouldn’t believe how often I’ve heard it said that ‘IT managers don’t need to know IT, they just need to manage the people’. This is just plain wrong. Yes, they need to be skilled in managing people, but they also have to make regular professional judgements of the quality of work provided by the staff they are managing. Virtually every other profession does this better than we in the IT industry do.

I believe this has a lot to do with the fact that there are fewer IT-savvy managers to begin with, and so management accepts second-best as its de facto standard. There also seems to be less promotion from the ranks than in other industries. Maybe the stigma of IT personnel having fewer social skills (think Geek or Nerd) plays its part in this problem; I don’t know and wouldn’t care to judge its veracity. What is evident is that there aren’t nearly as many well-educated (in IT!) CIOs as we should have. We need those proper CIOs to hire proper IT managers, who in turn hire proper personnel instead of the pseudo-specialists that are so often the topic of negative discussion.

Of course you could say that it’s up to the IT professionals to get themselves skilled, but we’ve tried that and it doesn’t work. And why would they? Many of them skate by excellently with a minimum of effort because of that ‘people manager’ with the bachelor’s degree in napkin folding you thought would do just fine (and wasn’t he cheap!). As an organization, try the following:

  • Stop assuming that ‘any bachelor’s/master’s degree’ will suffice for an IT position. The higher up the manager is going to be, the more skill you can ask for the position. That includes the CIO position! Although their knowledge has to be scoped more broadly, it must still be present and relevant.
  • Promote from the ranks where possible. The pecking order in an IT department is established fairly quickly and it’s almost always based on skill and knowledge. Leverage that information in getting the right people promoted. If you choose right, they’ll be perfectly capable of hiring their own replacement.
  • When hiring technical personnel, have each applicant vetted by your best tech(s), even if the applicant is a contractor. Listen to their advice.
  • Don’t let certifications dazzle you. Many certifications don’t mean much anyway. Look to match certifications with practical experience and you’ll fare better.
  • Remember: if you pay peanuts, you’ll get monkeys. If you don’t have money, find other ways to entice new personnel, such as exciting projects or nice perks.
  • Recruiting agencies often play it fast and loose when matching your needs to their staff. Don’t assume their personnel is any better – verify! Remember: you’re paying a premium and deserve quality. Ask them about the training their staff receives. If they’re any good, it should be at least a periodically recurring thing. I know companies that demand a fixed amount of study per year from each employee.

PFC Parts’ Delectable Cyber Security Shopping List

Over the last two years I’ve seen several outcries over the supposed great shortage of capable Cyber Warriors. But what does this mean in terms of required skills? Most articles seem to ask for quite a lot; their Cyber Warriors seem to be required to be able to defend their networks (CND in military parlance), attack their adversary’s network (CNA), engage in cyber espionage (CNE), reverse engineer malware and probably a bit more. I found it hard to get a single answer, but SANS seems to agree with the previous list. At least, they do if you go by their Cyber Guardian program, which is essentially a group of SANS certs stacked together. But realistically: do you really need such heavily certified people at every position? And that’s not even going into the deeper issue of how capable these people actually are. After all, they may well have gotten through all these exams by just being really good students (rather than actually understanding the material).

An article at NPR quotes James Gosler, who is, apparently, a ‘veteran cybersecurity specialist who has worked at the CIA and the NSA’, though they don’t explain what standards they used in determining his skills. In the article Gosler states that the US would need between 20,000 and 30,000 cyber warriors. It’s a number that keeps coming back, but it’s not really elaborated on in the article.

A study done by the US Center for Strategic and International Studies (CSIS) also speaks of a human capital crisis in cyber security and may offer some insights that can also be used outside of the US, though of course the numbers will vary. CSIS uses roughly the same numbers as the article but mentions that a variety of people and skills are involved. From the appendix in the report we learn that CSIS found a shortage in the following roles:

High Priority
Systems Operation and Maintenance Professionals
Network Security Specialists
Digital Forensics & Incident Response Analysts
Information Security Assessors

Medium Priority
Information Systems Security Officers
Security Architects
Vulnerability Analysts
Information Security Systems & Software Development Specialists

Low Priority
Chief Information Officers
Information Security Risk Analysts

Cyber Deterrence – Methods & Effectiveness

The term “Cyber Deterrence” is gaining traction lately with regard to the act of deterring cyber attacks. I’ve seen at least one author (Richard Clarke) use it in his book about cyber warfare. In many cases the proponents of this term invoke existing deterrence strategies such as the MAD doctrine, which was used to deter the use of nuclear weapons during the Cold War, and apply it as a model for cyber warfare.

As part of a Cyber Warfare course I am following, I was asked to write a research paper about cyber deterrence. In it, I was to research and analyze the proliferation of cyber capabilities and discuss cyber deterrence methods and their likelihood of success. I was to specifically address traditional methods of deterrence including trade sanctions, import and export restrictions and other economic sanctions. After I started seriously working on this paper, I realized that all the sanctions in the world weren’t going to apply to cyber warfare; a capable attacker would never give you a target to retaliate against.

I changed direction and, because I didn’t want my paper to become a carbon copy of Martin Libicki’s “Cyberdeterrence and Cyberwar” (RAND Corporation), I took a different approach that breaks deterrence theory into three parts. The assignment was very clear about the amount of material it was to contain, so it’s fairly brief, but it covers the salient points well enough that I decided to upload the resulting work here on Argent.

Please find the Research Paper here: Cyber Deterrence – Methods and Effectiveness

UPDATE: Modified the paper at the request of the reviewer. The above link was changed on Jan 13, 2011 at 11:00 AM.