Soft Skills: The End is Nigh

I read the following in the latest SANS NewsBites:

The lead story contains an important notification by Major General Lord of broad-based US federal IT security failure. As senior officials discover how bad federal security really is, they have begun looking for solutions (some are also looking for scapegoats.)

The first and most important change they will make is to begin cutting budgets for policy and report writers, and transfer budget and responsibility to operational technical security projects and professionals who can actually protect their systems. The transformation has already begun.

If you have soft skills (policy writing, security awareness, risk assessment, C&A report writing, etc.) and want to have great, long-term job prospects in security, it makes sense to move quickly to add hands-on technical skills so you can lead the teams of people who will be needed to turn the tide against the attackers.

The "lead story" refers to this post.

Alan Paller continues in the newsletter:

Major General Lord is simply saying out loud what White House and DoD officials have known for almost three years; that's how long the hacking and data thefts are known to have been going on. What he did not say was that the same techniques (and attackers) have proven successful in penetrating DoD contractors such as Lockheed Martin and Raytheon, and penetrating many other government agencies including some you would not expect the Chinese military to care about.

The failure of federal agencies and contractors to protect sensitive information was instigated by misallocation of resources caused by OMB and Congressional metrics measuring the wrong things. It is time to revitalize FISMA and the C&A process.

If Government Reform Chairman Davis doesn't feel the problem is worth his time, he might consider transferring responsibility for FISMA and federal security to the House Homeland Security Committee where Chairman King's targeted subcommittee chairs have fostered real progress in improving security of critical infrastructure control systems.

I wonder how much of the "soft skills" comment is wishful thinking and how much is based on actual events.

If we're truly realizing that "hard skills" are needed for real defense, then maybe my prediction from January is materializing:

Is this [MBAs instead of techs] why companies continue to be compromised? Are the MBAs running around wondering why their self-defending networks are failing? I guarantee we will see a "back-to-basics" movement in the next few years, where "hands-on" tech skills will be emphasized again.

Here's hoping.


Martin Roesch said…
Geez, maybe they'll even decide intrusion detection is worth turning back on...
Anonymous said…
The failure of federal agencies and contractors to protect sensitive information was instigated by misallocation of resources caused by OMB and Congressional metrics measuring the wrong things.

Interesting, considering that before the metrics, these same folks were doing nothing.

The problem is that security isn't being addressed properly and taken seriously from the top down.

Most people might think that keeping customer data (be it personal data on individuals, or classified data from gov't organizations) safe is common sense, but come on...if it were, would we have to legislate it?
Anonymous said…
Not sure I agree with the conclusion here. If the reason federal security is failing is that the so-called "soft skills" aren't needed at all, and are just draining resources from the "hard skills," then fine. On the other hand, if the problem is that the "soft skills" just aren't being done *right*, then gutting that part of the operation isn't the solution.

Ask most of the "hard skills" people already on staff in government agencies, and you'll probably find them frustrated in doing their jobs for organizational reasons, not because of a lack of technical skills. Giving them more money is fine, but not if you get rid of the people who can figure out strategically where to spend that money for best effect.
