Last weekend, at the ripe old age of 37, I finally graduated from college. This reasonably leads to two questions:
- Why did it take me 19 years to finish a 4-year school?
- Why did I bother after all this time?
Let's ignore the first, since it probably implies some emotional or mental failure on my part. But, to address the second, the reason, and the only reason, that I finally finished school is that they wouldn't let me into a master's program without finishing my degree.
Why a master's? I wanted to spend some time really digging into the technical side of information security. I wanted to sit and think about the problems I feel haven't been adequately addressed, and I wanted to work through the technical areas I haven't had time to work through in my professional life. I didn't want to waste time on risk management, policy, project management, psychology or ethics. I wanted to go hardcore. So I searched for programs that were highly technical in nature. And I searched. And I searched. And I searched. And I found...two.
Now, I'm sure I missed some somewhere. But if I wanted a master's in "Cybersecurity Policy" or, god forbid, "Homeland Security with information assurance focus," I have all the choices in the world. If I want to manage the paper shuffle that drives an organization's information security, I'm set (available with a dual MBA option!!). So, what is wrong with this? What is wrong with this is that my wife is mad at me.
She is a manager inside a government agency and she said something to the effect that in order to get promoted on the high-end of the scale you had to make an impact on a management level. This triggered some level of agitation and a loss of self-preservation on my part. I said, "You know what is easy to find? Someone who wants to manage. Do you know what is hard to find? Tech people who really know what the hell they are doing." So...couch time for me and a good shunning for my father, who dared to nod wisely at my faux pas.
But this is the core of the problem: We're up to our eyeballs in risk analysis, risk informed policy, audits and people who want to manage because that is where the money is (or, worse, good tech people who now manage because that is where the money is). There is, speaking on a nation-wide scale, a famine of hardcore technical security specialists who really know what the threat landscape is, what their tools can do and how best to react to incidents. Even people who really want to go deep and be able to do more than update patches are, to a large degree, left to their own devices. Far too few have taken on the challenge of going it alone.
Even well known educational institutions are having problems. The university I've chosen, which you've probably heard of, has a class about reverse engineering and vulnerabilities. I indicated that this was a class I'd be interested in. I was told that "we haven't found anyone to teach that class yet". Color me baffled, I guess it's the thought that counts.
Academia must do better. Governments must do better. Vendors must do better. If we're really going to stand around and be terrified silly by cyberwarfare, APT, SCADA and cyberterrorism, we all have to do better. Because the other side doesn't have CISSPs, change controls, people who watch green dots turn to red dots, or audits. And they are kicking our ass.
Management personnel are part of the problem, or they'd have arranged to grow those technical resources. It's not a paucity, I know plenty of folks that can grok it, but they aren't welcome at the table. This stuff is "hard" and most (gross generalization) business and government is run by people that don't want to deal with "hard" problems. Until sunshine sucks it up, security will continue to blow. Management/tech or otherwise. I know companies that *do* do security right, and they rock, but they are few and far between, not because of capacity or capability, but because of intent. Hard work for no immediate reward is not on most people's radar.