Thoughts on Latest SANS Whitepaper

I read about the new SANS paper IT Security Industry Changes: Trouble on the Horizon (September 2006) (.pdf) in this NewsBites issue. Here are some excerpts and my reactions.

Over the past six months, SANS Technology Institute's Stephen Northcutt has been gathering data and stories from security managers in more than 100 US organizations searching for patterns in job changes of security managers and the consultants who support them. The research was triggered by multiple emails from security managers who were facing reorganizations. His conclusions, albeit preliminary, paint a worrisome picture of job prospects for ill-equipped security managers, but also offer promise of some opportunities for success and advancement.

That's an interesting project. Let's read more.

[S]enior executives began to feel more comfortable voicing their frustration that they were wasting money paying for hugely expensive people and compliance reports that probably were not needed and that often had no impact on their ability to stop attacks or avoid disclosure of private information. The senior executives pushed back on budget requests, asking exactly what they would get in decreased risk from each of the expenditures. When they got answers they didn't like, they looked for ways to reorganize. Numerous security managers were pushed out as their responsibilities were moved to IT operations or audit or risk management groups.

Stephen continues by implying that these fired security managers lacked real technical skills and could not do much more than write reports. However...

Government is the one area where soft security skills, like policy and report writing, are still in demand, both in security staff and in consultants. The US Congress and the White House passed and implemented legislation (the Federal Information Security Management Act) that rates federal agencies less on whether their systems are protected from attack and more on whether agencies have written security evaluation reports for every system. Consulting firms have gotten rich writing those reports. One CEO reported that his firm had grown from three people doing security evaluations to 175 people writing FISMA reports, in just five years.

Does that make anyone else sick? It makes me ill.

Recent public disclosures of huge security failings, however, have caused government officials to review FISMA, particularly how it is implemented. Change seems to be in the air. That same CEO reported that 75% of his 175 FISMA folk today have soft skills and only 25% have solid technical security skills. He sees the need for that mix of skills to be reversed, within the next year or so, or the business "will dry up."

That is awesome. It probably explains why TaoSecurity continues to receive calls from firms inside-the-Beltway (and beyond) wishing to "team" to provide technical services to .gov clients, instead of just certification and accreditation.

Anonymous said…
"Does that make anyone else sick? It makes me ill."
The act or mask that is behind these reports and so-called security measures isn't limited to IT security. Farce pervades government at every level. Performance evaluations, acquisitions, behaviour policies, training (with the exception of much military training), etc. The list goes on. You've been commenting on government bureaucracy for a long time now.

Small anonymous government fish in a big Federal pond
Anonymous said…
Agreed! FISMA, DITSCAP(DIACAP), etc. must go. Maybe everyone needs a refresher on your football team analogy, Richard. In my organization too many resources are wasted on these false security blankets. My team monitors and responds to actual security incidents. I combat the status quo by providing situational awareness to senior leaders about what the bad guys are really accomplishing. Execs see that the real picture is not as sunny as C&A/FISMA reporting would have you believe but they must deal with the requirements nonetheless. We need the guidance/directive/policy makers to step back, look at reality, and adjust.
