Q&A: Bruce Schneier on joining IBM, IoT woes, and Apple v the FBI

Security guru Bruce Schneier is a regular at shows like RSA and his talks are usually standing-room-only affairs. Schneier has written some of the definitive texts for modern cryptography teaching and his current book, Data and Goliath, examines the perils and solutions to government and corporate surveillance of internet …

  1. Anonymous Coward

    Want security people? Then grow them.

    I have been in and around the topic of IT security in one form or another for close to 30 years, and there has been one constant: good security people do not come from courses, and that's not just because of the quality of some courses which are more designed as tickbox revenue generators and as means to bypass frankly hopelessly overtaxed HR staff.

    Security is IMHO an attitude. There are a few aspects to security staff that signal that you may have a live one:

    - an "always on" attitude. Security is not something to switch off as you come home, pretty much because the threat doesn't and you, family and friends also live in that dangerous world that you see.

    - responsibility. "Pure" IT people sometimes lack this empathy, but your job is ultimately not cranking the handle on processes, although this is what management sees as security. Your actual job is to protect people from electronic danger, which also means taking into account that you're working with people - you should have already dealt with the IT angle.

    - curiosity. Having a hacker attitude and aptitude matters, because you're in an arms race. The words "that's funny" should make you interested, because anomalies are where ye wily hacker has screwed up, and they enable you to unearth an APT. The hacker attitude should enable you to increase the number of traps in the system.

    - strong but direct character. Security people often have to say "no" against overwhelming odds called "budget" and "management". It takes a certain personality style to cope with that, and still get meaningful results. Understanding political dynamics in a company is important, and knowing the difference between making a difference and being set up to be the fall guy (not getting the required resources is a hint) is vital :). Good security people have leadership skills (and usually a fairly developed, slightly dark sense of humour).

    - IT skills, and by that I don't mean the ability to use MS Office. Security may be a process, but it also relies on knowledge to direct people. IT security means knowing about IT at least at a structural level (you don't need to be able to quote opcodes for the 6502 CPU).

    As for recruitment, I go back to a hacker adage that is at least 2 decades old, if not longer:

    it takes one to know one

    Any HR staff who don't involve security people in the final screening process are not only wasting their time, they are actively endangering their company. The good news is that the bigger companies are indeed doing that now.

    Now, how do you GROW a security person? I have audited many companies in London, and I started to take along IT colleagues. Some picked it up and became good security consultants, others were more comfortable remaining behind a screen, but in one instance I was consulting alone at a rather large law firm when the question of recruiting security staff came up (and from what I found it was an urgent requirement). I told them they probably already had the resources in house if they were willing to grow them - during the building walkthrough I came across the Tripwire security exploit poster (sadly no longer available from their website), which was a good hint that whoever sat at that desk had the required interest. On examination, I was right. In another instance I found the right person in a large stack of CVs marked "no" left behind in an HR desk (movers had brought it to our floor without checking) - reading between the lines I saw all the signs of someone with the right aptitude, but HR came up with some "would not culturally fit in" story when asked. Turns out he was indeed *perfect* for the job, and thus got recruited.

    I've built full government networks, done M&A audits, worked in finance, in the military and even in manufacturing: the above continues to apply. You can't manufacture security people with courses and certificates. Sure, there is a certain skill set that is essential, but the aptitude to *deploy* those skills is what can lift security above the "bad to average" level I found in many organisations.

    Last but not least: there is also the matter of budget. Good people cost good money. If you're not prepared to pay that, you should not complain about the results...

    Comments?

    1. Sir Runcible Spoon

      Re: Want security people? Then grow them.

      "Comments?"

      I have to say, AC, that it is a breath of fresh air to finally see someone acknowledge the fundamental basics of a good security bod, most especially the attitude.

      I have had occasion to train engineers of various levels over the years and I would take someone with decent intelligence and a good attitude over a genius with a poor attitude.

      Security people, like security itself, are most effective when built up in layers, each layer based on experience of ways to do things (and often, more importantly, how not to do things). I didn't start out in Security as a 'leader' or have a large number of qualifications to point to, but the leadership aspect has grown over time and I can point to a lot of successful projects as my qualifications.

      The most challenging aspect of the work these days, for me, is the lack of authority. I can recommend, I can point out the pitfalls and costs - but ultimately I am not working on my own networks but someone else's. If they want to ignore all the warnings there isn't much I can do and that can be frustrating - especially when the project itself is worthwhile and important to society as a whole.

      As for money, they seem to think I cost them a lot - but in reality they are getting a bargain. I've saved them over £300k in unnecessary equipment costs already on this latest project, not that anyone takes any notice :)

      1. Anonymous Coward

        Re: Want security people? Then grow them.

        "The most challenging aspect of the work these days, for me, is the lack of authority. I can recommend, I can point out the pitfalls and costs - but ultimately I am not working on my own networks but someone else's. If they want to ignore all the warnings there isn't much I can do and that can be frustrating - especially when the project itself is worthwhile and important to society as a whole."

        It's one of the reasons I started consulting, until the bigger consultancy I was with wanted me to game customers by not being quite as efficient (experience speeds things up). I work on trust, and I was pressured to break that trust for profit. Well, they can play that game with others, but not via me, so I went independent. Their problem is now that I know how consultancies milk their customers so I can stop that before it even happens. It saves my clients a lot of money :).

  2. Anonymous Coward

    Didn't answer "Are you planning to stay on?"

    "I'm 100 per cent planning on joining IBM" - and leaving after 6 months...

    Just like all the Sun guys that "joined" Oracle.

    1. Anonymous Coward

      Re: Didn't answer "Are you planning to stay on?"

      To know that I suppose that we'd have to be able to read the term stated in whatever performance clause may be included in the acquisition contract.
