Wednesday, June 13, 2007

Why Digital Security?

Today I received the following email:

Hi Richard,

(Sorry for my bad English, i speak French...)

I'm one of your blog readers and i have just a little question about your (Ex) job, Consultant in IT security...

I'm very interested by IT security and i want to get a degree in this. In France, we have to write "motivation letter" to show why we are interested by the diploma. That's why i write to you to know a few things that you do in your job, what is interesting and what is boring ??


I figured I would say a few words here and then let all of you blog readers post your ideas too.

  • Likes:


    • Constant learning

    • Defending victims from attackers -- some kind of desire for justice

    • Community that values learning (but not necessarily education -- there's a difference)

    • Working with new technology

    • Financially rewarding for those with valuable skills


  • Dislikes:


    • Constantly changing landscape requires specialization and potential loss of big picture

    • Most attackers remain at large, meaning as a whole "security" never improves

    • Learning is being increasingly rated by the string of letters after one's name

    • Family system administration, especially for user applications on Windows that I have never seen; "But you work with computers!"

    • Charlatans, especially with letters and/or security clearances, rotating around the Beltway making lots of money without delivering value beyond a "filled billet"



What do you think?

4 comments:

Alex said...

Richard,

Enjoyed your thoughts, wanted to add a dislike:

Sometimes security restricts ease of use/administration/etc. leading to debates with others who have a less security centric point of view. While these discussions are important, as they push for the refinement and evolution of security practices and usability development, it can be a pain to repeatedly have to justify the need for proactive security thinking within IT.

Obviously this is not an ideal environment, but I believe one that many find themselves in.

Alex Raitz said...

Richard,

I appreciate your point about the difference between learning and education. I often notice peers that claim to be "educating", when in fact they are facilitating the "learning" of incorrect or incomplete information.

-Alex

jbmoore said...

There is a difference between being educated and being intelligent. Many educated people are not always "intelligent" and the converse is true as well. There seems to be a lack of intelligence gathering. People depend upon vendors for their information about what is going on rather than deploy honeypots and test their AV software against their captured malware samples. You harp on a similar problem with not capturing network traffic and knowing your site's traffic patterns. Also, with any deeply technical field with its jargon and such, there's a communications barrier to be overcome in educating one's audience so that they "get" it. The audience can be family, friends and superiors. The field could do with some rigorous statistical analysis and more openness in the form of peer review of techniques and disclosure of failures. Instead, entities clam up about their losses unless they are forced to disclose them by law (security via obscurity). Until these things happen, security will be as much art as science or engineering. This is not how applied science is conducted.

http://www.architectsban.webs.com said...
This comment has been removed by a blog administrator.