--- "Bill McGee (bam)" wrote:

> And, of course, it's a bit silly. While I agree that a parallel course
> of action is to make the solutions idiot-proof, part of the problem is
> one of scale. The pool of folks who understand what's going on is being
> diluted by the growing influx of folks who haven't got a clue. So, while
> the number of competent practitioners out there is actually going UP
> (IMO), the general Security IQ has been going down (notice how the
> crowds at the security conferences seem to actually know LESS each
> year?) I would argue that we need to do MORE educating (including the
> establishment of an Advanced Degree in Network Security, but that's
> another discussion.)

Having just completed an advanced (M.S.) degree in Network Security
(Information Security and Assurance) from an NSA accredited CAE (Center of
Academic Excellence) and yet another big name popular infosec certification
after a 10 year career in infosec, I'd have to say I have a declining view of
education and/or certification. I did both because some organizations value
credentials more than they value skills (which are hard to measure), and I
thought it would be an interesting experience.

I have no doubt that everyone on this list has had the experience of working
with blithering idiots who have walls full of impressive credentials, people
who are earnestly honest when they say things like deny rules and STIGS
(federal security standards) are "a good idea, a nice guideline, but not really
practical." I'm almost ashamed to admit I have the same security
certifications as some of these alleged professionals.

Marcus has an interesting approach in the "throw the bums out" initiative, and
it actually has started happening. On the DoD side of the federal house every
information security risk must be signed off on by a single individual, pen to
paper, and those people are increasingly being held accountable, and even
thrown out, when it hits the fan. Admittedly the federal government has the
distinct advantage of being able to send people to jail when they do egregiously
stupid things, something that certainly helps people think twice.

There are no easy answers or silver bullets to the question of how to identify
and empower cognizant and responsible security professionals. I do think that
implementing a process of formal risk acceptance by the CxO, something that
they know will be in front of the board when everything goes wrong, with their
pretty little signature at the bottom, is an excellent first step. Some level
of truly challenging certification may be useful as well, but they seem to
keep failing. There are many reasons that the CCIE is the gold standard, but
it is also testing a set of skills that are inherently testable and not
memorizable. Security is not purely technical nor is it (yet) truly a science,
and quantifiably judging somewhat of an artform is arbitrary at best.

I think that the CCIE truly succeeds because it's damned hard to get, yet it's
accessible enough that you can self study and pass. It has the rote
memorization aspect, but the real challenge is the one day, in person, in your
face, blood, sweat and tears, full contact demonstration of skill, thinking,
and ingenuity. It might not be fair to the timid, but the purpose of a hard
certification is not to be fair, it is to clearly identify professionals who
have proven their capabilities in the face of adversity.

Enough sidetracks, I didn't even get to my joyous classroom experiences, like
"network security" (I'll give you a hint - the "correct" answer is always
cryptography). Accountability is paramount. There are very real damages being
caused by lapses in information security, both in the public and private
sector. "Sign on the dotted line" risk acceptance goes a long ways towards
making risk takers think twice. It's much easier to dismiss responsibility
when something was "approved" than when the nasty consequences are clearly
spelled out above your signature.


"It's Friday, I may be short on sleep and tall on coffee..."

firewall-wizards mailing list