This fall, I’ve had the pleasure to talk with audiences about essential IT security skills in some pretty cool places: London, Dublin and San Diego. While I was in Dublin, I took the opportunity to take a walk around the ancient town of Glendalough, Ireland. The name of this town means “valley of the two lakes,” and it’s a beautiful place for walking. My wife and I took the “white route” trail and summited the cliffs around the lake. On the way, we heard elk calling to each other, crossed a waterfall, saw feral mountain goats and had gale-force winds blow us off the trail a few times.
On the way back, we walked to the ruins of a monastery that has existed since around the sixth century. One of the coolest parts of the ruined monastery was a special gateway designed to help monks separate themselves from the rest of the world. This gate is the only known specimen of its type still in existence, and was designed as a special entrance room. This room, as pictured, had a door to the world outside the city. Inside this door was a special chamber, and then a door to the inside of the monastery. In this room, monks would be inspected, and, if deemed suitable and separate from the outside world, they would be allowed to enter into the community.
As I stood in the gate and read the plaque describing this historic place, it occurred to me: “Wow, they used firewalls then, too.” Ireland really led the way with inspection technology, didn’t it?
Over the years, I’ve noticed that security folks are really good at stealing metaphors and approaches from other industries. How so? Well, we’ve taken the terms gateway and firewall from architecture, for example. It doesn’t stop there: The security industry has taken the terms perimeter and DMZ from the military. We’ve taken the term cloud from business and marketing folks who used that ancient little Visio cloud icon to indicate the Internet or anything too technical that wasn’t important – at least to them. We’ve taken the term incident response and even first responder from the police and emergency response professions. The list goes on.
We’ve even taken the term hacker from the programming field. Back in the day, a resourceful, good, quick programmer was a good hacker. It was a compliment. But we’ve changed that term to describe the bad guys. How many hours have been spent in classrooms worldwide differentiating between white and black hat hackers, or defining exactly what an ethical hacker really is? It’s ironic how the security industry is based on a history of linguistic theft.
So, back to Ireland. While I was at that monastic gateway, I turned my thoughts to the series of discussions I’ve been having over the past year about the skills that individuals lack in the security industry. A penetration tester at the CompTIA EMEA Member and Partner Conference in London this fall told me about how most security professionals are inherently reactive in their thinking, and that they rarely focus on how to properly parse network traffic, not just intrusion detection alerts. I thought about another security pro from Australia who told me several months before that too often people rely on traditional intrusion detection alerts, when it’s actually more important to listen to statistical and unstructured data.
Still another IT pro from the U.S. recently told me he has worked out how hackers use dynamic DNS to mask their activities. He told me that in many cases, if you simply analyze your logs and look for uncommonly strong activity toward DNS domains that were created less than 10 or 15 days ago, it’s possible that such a domain was specially created to attack your organization.
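The heuristic just described (heavy query volume toward a domain that was registered only days ago) is simple enough to turn into a small detection script. The following is an added example, not code from the original post or from CompTIA. The resolver log lines and the registration-date table are constructed for the example; in practice the table would be filled from an RDAP/WHOIS lookup or a domain-registration feed, and the registrable-domain helper, which simply takes the last two labels, would be replaced by a public-suffix-list lookup.

```python
"""Flag domains that are both newly registered and unusually busy in DNS logs.

Added example for the "young domain" heuristic. All inputs below are
constructed: the log lines are not a real export, and REGISTRATION_DATES
stands in for an RDAP/WHOIS lookup (it is keyed by registrable domain).
"""
import re
from datetime import date, datetime

# Constructed resolver log: "<timestamp> client <ip> query: <qname> <qtype>"
DNS_LOG = """\
2015-11-03 09:14:02 client 10.0.0.15 query: www.example.com A
2015-11-03 09:14:05 client 10.0.0.15 query: cdn.a1b2-updates.example A
2015-11-03 09:14:09 client 10.0.0.21 query: api.a1b2-updates.example A
2015-11-03 09:15:11 client 10.0.0.21 query: www.example.com A
2015-11-03 09:16:30 client 10.0.0.33 query: cdn.a1b2-updates.example A
2015-11-03 09:17:02 client 10.0.0.15 query: mail.example.com MX
2015-11-03 09:18:45 client 10.0.0.33 query: cdn.a1b2-updates.example A
2015-11-03 09:19:01 client 10.0.0.15 query: api.a1b2-updates.example A
2015-11-03 09:20:12 client 10.0.0.21 query: cdn.a1b2-updates.example A
2015-11-03 09:21:40 client 10.0.0.40 query: news.fresh-news.example A
2015-11-03 09:22:07 client 10.0.0.15 query: cdn.a1b2-updates.example A
2015-11-03 09:23:55 client 10.0.0.40 query: news.fresh-news.example A
2015-11-03 09:24:10 client 10.0.0.21 query: intranet.unknown-corp.example A
"""

# Constructed registration dates, standing in for an RDAP/WHOIS lookup.
# unknown-corp.example is deliberately absent to show the "no data" path.
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "a1b2-updates.example": date(2015, 10, 28),
    "fresh-news.example": date(2015, 10, 25),
}

# The day the analysis is run (fixed so the example is reproducible).
TODAY = date(2015, 11, 3)

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) client (?P<client>\S+) "
    r"query: (?P<qname>\S+) (?P<qtype>\S+)$"
)


def parse_dns_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def registrable_domain(qname):
    """Simplification: last two labels. Real code should use a public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_young_busy_domains(records, created, today,
                            max_age_days=15, min_queries=5):
    """Return domains registered within max_age_days that drew >= min_queries.

    Domains with no registration data are skipped: the age test cannot be
    applied to them, so they should be reviewed separately, not silently dropped
    as benign.
    """
    per_domain = {}
    for rec in records:
        dom = registrable_domain(rec["qname"])
        entry = per_domain.setdefault(dom, {"queries": 0, "clients": set()})
        entry["queries"] += 1
        entry["clients"].add(rec["client"])

    hits = []
    for dom, entry in per_domain.items():
        if dom not in created:
            continue
        age = (today - created[dom]).days
        if age <= max_age_days and entry["queries"] >= min_queries:
            hits.append({
                "domain": dom,
                "age_days": age,
                "queries": entry["queries"],
                "distinct_clients": len(entry["clients"]),
            })
    hits.sort(key=lambda h: h["queries"], reverse=True)
    return hits


def run_example():
    """Run the heuristic over the constructed data and return the hits."""
    return find_young_busy_domains(parse_dns_log(DNS_LOG), REGISTRATION_DATES, TODAY)


if __name__ == "__main__":
    for hit in run_example():
        print(f"{hit['domain']}: registered {hit['age_days']} days ago, "
              f"{hit['queries']} queries from {hit['distinct_clients']} clients")
```

On the constructed data only a1b2-updates.example trips both tests (6 days old, 7 queries from 3 clients); fresh-news.example is young but too quiet, example.com is busy but 20 years old, and unknown-corp.example has no registration record and so is left for manual review. The thresholds are the article's 10 to 15 day window and an arbitrary query count; in a real deployment both would be tuned against a baseline of the organisation's normal resolver traffic.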
Based on all this, I’ve concluded that the essential skill in security is properly reading and analyzing data. I then realized something while standing there at that primitive firewall in Ireland: It’s time to borrow another couple of terms; this time from the field of oncology and American football.
A few years ago, I got to know an oncologist – a cancer doctor. His name is Paul Robertson. When he told me he worked with cancer, I asked him, “So, are you a surgeon?” He said, happily, “Nope. Not at all.” I then blurted out, “Radiologist, eh?” Again, his answer was a polite “No.” Grasping at straws, I sheepishly let out the word, “Chemotherapy?” He shook his head.
“So,” I asked, “What good are you?” I asked this, because years ago, I got a doctorate in English, and am acutely aware that I’m one of those types of doctors that doesn’t really do anyone much good. I thought maybe that I had met my twin in Paul.
But he went on to explain that he is, in fact, a cancer expert. But what makes him important is that he takes a data-driven, consultative approach to fighting cancer. He spends his time analyzing reports from myriad sources about the condition of his cancer patient. After reviewing blood work, X-rays and other data, he then draws a conclusion and then reaches out to the right specialist to address the specific form of cancer. Sometimes, radiology is the answer. At other times, he needs to call a chemotherapist colleague.
Paul explained to me how 30 or 40 years ago, cancer specialists were surgeons or radiologists. This has changed over the years. Back in the day, if a surgeon was in charge of fighting cancer, this surgeon would be likely to waste significant time recommending surgery as a solution, when another approach to treatment might be more effective. Likewise, if the doctor was a radiologist, he or she would recommend radiology, rather than what the data suggests. So, over the years, Paul told me, the oncology field has adopted the American football quarterback or team captain approach. This person reads the data from the cancer, and then, like a quarterback or offensive coordinator, makes a plan or calls an audible and tells his team how to go about winning the game. This data-driven, team coordinator approach has been effective in oncology. We should apply this to IT security, as well.
Whatever term you want to use, I’m convinced that the team coordinator role of the security analyst or coordinator is increasingly vital. I did a quick survey of the websites Indeed, Dice, and Monster. I saw quite a few positions advertised out there looking for someone who can read data and make critical decisions. The NICE Framework has quite a few specialty areas and KSAs associated with it, too. It was fun talking about this last month in San Diego at the 2015 NICE conference.
I’ve found over the years that as the security industry has matured, we need more than what Tony Sager, chief technologist of the Council on CyberSecurity, calls “scruffy guys” to handle security. These guys are the rugged individualists who are true experts and walk around the Internet wasteland like Jamie Foxx in Django Unchained, Clint Eastwood in High Plains Drifter or John Wayne in The Searchers. Of course we need experts. But we also need team captains – the coordinators. Yes, it’s great to have pen testers, first responders, ethical hackers and forensics specialists. But, frankly, you need a coordinator to drive security for the entire industry. This coordinator isn’t the CIO. Why? Because this person is responsible for keeping the lights on, as it were. No, you need a quarterback – a security analyst and coordinator. This way, your organization can take a data-driven, team-oriented approach to security.
James Stanger is Senior Director, Product Development, Skills Certification at CompTIA.