Thursday, June 10, 2010

"Untrained" or Uncertified IT Workers Are Not the Primary Security Problem

There's a widespread myth damaging digital security policy making. As with most security myths it certainly seems "true," until you spend some time outside the policy making world and think at the level where real IT gets done.

The myth is this: "If we just had a better trained and more professional IT corps, digital security would improve."

This myth is the core of the story White House Commission Debates Certification Requirements For Cybersecurity Pros. It says in part:

A commission set up to advise the Obama administration on cybersecurity policy is considering recommending certification and training for federal IT security employees and contractors.

The Commission on Cybersecurity for the 44th Presidency, which in December 2008 issued its Securing Cyberspace for the 44th Presidency report to Congress, is currently working on a sequel to that report, due sometime in late June or early July. The commission, made up of a who's who of experts and policy-makers, is debating strategies for building and developing a skilled cybersecurity workforce for the U.S., as well as issues surrounding an international cybersecurity strategy and online authentication...

[R]egulated entities, such as critical infrastructure firms, also would likely fall within its scope.


My opinion? This is a jobs program for security training and certification companies.

(Disclaimer: I still teach TCP/IP Weapons School four times per year for Black Hat, and I organize the Incident Detection Summit for SANS. I've also held the CISSP since 2001. Whether this makes you more or less inclined to listen to me is up to you!)

So what's the problem? Isn't training good for everyone?

In a world of exploding Federal budgets, every new spending proposal should be carefully examined. In the words of the article:

[M]andating certifications could be a bit limiting -- and expensive -- for the feds. "I don't know if the government has that kind of money lying around." Certification courses can cost thousands of dollars per person, for example.

Here's my counter-proposal that will be cheaper, more effective, and still provide a gravy train for the trainers and certifiers:

Train Federal non-IT managers first.

What do I mean? Well, do you really think the problem with digital security involves people on the front lines not knowing what they are supposed to do? In my opinion, the problem is management who remains largely ignorant of the modern security environment. If management truly understood the risks in their environment, they would be reallocating existing budgets to train their workforce to better defend their agencies.

Let's say you still think the problem is that people on the front lines do not know what they are supposed to do. Whose fault is that? Easy: management. A core responsibility of management is to organize, train, and equip their teams to do their jobs. In other words, in agencies where IT workers may not be qualified, I guarantee their management is failing their responsibilities.

So why not still start with training IT workers? Simple: worker gets trained, returns to job, the following conversation occurs:

Worker to boss: "Hey boss, I just learned how terrible our security is. We need to do X, Y, and Z, and stop listening to vendors A, B, and C, and hire people 1, 2, and 3, and..."

Boss to worker: "Go paint a rock."


Instead of spending money first on IT workers, educate their management, throughout the organization, on the security risks in their public and private lives. Unleash competent Blue and Red teams on their agencies, perform some tactical security monitoring, and then bring the results to a class where attendees sign a waiver saying their own activity is subject to monitoring. During the class shock the crowd by showing how insecure their environment is, how the instructors know everyone's Facebook and banking logins, and how they could cause professional and personal devastation for every attendee and their agency.

We need to help managers understand how dangerous the digital world is and let them allocate budgets accordingly.

11 comments:

Anonymous said...

Training the federal decision makers to listen to the certified security professionals they have hired would be a good start. Why is the federal government hiring so many security people when the federal decision makers already believe they know everything there is to know and move forward with their own agendas regardless of what the security trends or advice is? Most decision makers are looking for a product, an IT magic force field shell, that allows them to hit a green button of protection rather than changing behaviors that allow vulnerabilities to propagate. Even Tony Sager acknowledged at Black Hat 2006 (I think) that this would probably not be possible. However, the government continues to pour money into contractors, consultants, and new employees while established decision makers continue to ignore the information being given to them, or the information never gets there due to some other lower level of filtration because it is contrary to the established agenda.

Anonymous said...

I've been reading this blog for nearly 5 years and this is the first time I've been compelled to comment. And I simply want to say Thank You to Richard. It's as if Richard has been to my organization and diagnosed our insecurity issues. Sadly, as a front-line employee, I find it nearly impossible to align my manager's goals with my goal to improve security... as odd as that sounds. I suppose the best I can do is hope to be employed by an organization and manager that truly understand real security and support true improvement.

CG said...
This comment has been removed by the author.
Dave Funk said...

DoD set up certification requirements, and that increase my market value. I have no problem with that result. Additionally, bunches and bunches of guys went out and studied and got certifications. I'm having a hard time seeing the down side of that also. Did the certs make them all of a sudden qualified. There is obviously lots of room for disagreement there. But I think the fact that a bunch of them (perhaps not all) did a bunch of studying is a good thing. I think that so many government managers don't want to have the certs as a requirement for federal employees (contractors is a different story) is probably the best reason to do it.
Training is a different story. I have always believed that for a professional, training is an personnal responsibility. An employeer's willingness to assist with training is a significant benifit up there with how many days of leave, but for the employer it is a benifit. Personnally I have two major certs (CISSP and CISA) with no Boot Camps, all individual study, (and I walked ten miles home from school in the snow!), more reason why I don't see where the employeer picks up the requirement for training for certs. Phase in time to train and test, yes; responsibility to pay for training, not so much.
On the other hand "Train Federal non-IT managers first." This is not really professional training but propaganda (not a bad word, really!). It is already a requirement in the federal world. And it is done universally and poorly. So we have all these professional IT Security Managers running training programs for the organization and not getting results. My solution. Require them to get real certs. Most of the worthless ones will not pass. Most of the good ones will now have letters after their names. Again I'm failing to catch the downside. Yes, it is a crude way of seperating the wheat from the chaff, but right now the method is equally crude but unfortunatly we keep mostly the chaff.
P.S. Organize, train and equip is a service responsibility. For soldiers, absolutely. For GS-15s not so much. They get the position because of a claim of professional compentance. Show me your master piece.

Keydet89 said...

This harkens back to the military, where highly trained special operations forces (ie, snipers, etc.) are not nearly as effective as they could be and not used to a militarily devastating effect against the enemy, due to senior officers who do not understand what such forces can do for them, nor do they support their use.

Anonymous said...

Dave Funk:

The debate isn't about whether or not certifications are a good thing for some or even most people, the debate is about whether all security professionals should be required by law to obtain them in order to work with governments or critical infrastructure. Certifications may work out great for some people, but there are many professionals who do not maintain them and there are many contexts in which they are not absolutely required even if they are preferred. Many of us in this industry do not want to be bothered sitting through regular retests of material or tracking hundreds of CPE credit hours when our professional experience and accomplishments speak for themselves. I'm glad your certification has worked out well for you but I do not want to be forced to do the same thing and I don't see the value in it. My time is not free, and that is the downside.

Dave funk said...

Anonymous:
Unfortunately the problem is not what is good for you, but what is good for the government. What we have now is a disaster, painfully close to where fixing the watch with a hammer might provide a better result. Too many government requirements are set up not to solve the problem at hand, but to solve another completly unrelated problem. At least the question of required certs addresses the question at hand. For you perhaps not in the best possible way.

Jack Whitsitt / jofny said...

Hum. Rich, you should go a level or two higher: It's not even "managers" that are the problem. Entire organizations - from executives on down - do not have risk management programs (operational or otherwise) which effectively cope with "cyber" issues. Training and educating middle management does nothing to affect the priorities to which they're beholden and accountable - the priorities of the organization and the metrics of senior, executive leadership. We need to stop classifying the threats that are being seen and transparently provide a basis for organizations to correctly assess risk and possible consequence (to the organization as well as the leadership). Then, we need to force organizations to incorporate robust RM programs which deal with cyber and which have been socialized and are enforced at every level. Until then, no amount of education of certification will fix a thing.

RonB said...

I sat in a CISSP bootcamp where approx 19 of the 20 attendees where gov't contractors or US military. Three days into the course a few started to complain amongst themselves that the instructor was actually teaching security which they didn't care about - they only wanted to learn what was necessary to pass the exam!

Anonymous said...

FYI worth the read...

http://www.wired.com/dangerroom/2010/06/dhs-geek-squad-understaffed-with-no-juice-and-no-plan/#comments

Ray and Carol Letteer said...

As one of the initial developers of the DoD certification effort, the approach was to provide a mechanism whereby a professed security professional could be validated as having the requesite skill sets. We had too many former "runway-lightbulb-changers" trying to move into system security with no experience. I provided some of the first platform classes on Operational IA, and saw some of these folks trying to get a piece of paper for resume fodder.

I agree that having a certified IA force is not the silver bullet. However, we do need some measure for our security/IA workforce. We intended the DoD certification to be coupled with a maturing process, where the candidate had to grow into the positon that required a commerical certification.

We also developed standards and certifications for those non-IT managers. Unfortunately that part of the program didn't take off.