
(ISC)2


Security Profession blog

Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.

Friday 30 October 2009, 6:19 PM

Now is the time to invest in security skills training

Posted by (ISC)2

The recent PwC survey into the Global State of Information Security (http://news.zdnet.co.uk/security/0,1000000189,39809565,00.htm) is a timely reminder of the skills adjustment facing our industry. Although the industry has matured in its short 20-year history, disparate roles are emerging in the security profession: the traditional technical IT security requirement is decreasing while jobs with a managerial focus are increasing. Even the rise in specialist university education has tended to be technically focussed. Security people get passed over for management training, and the recruitment process continues to be heavily weighted toward measurable technical skills.

The PwC survey highlighted a clear lack of security management expertise, which led to a lack of records on where sensitive data was stored and a lack of the bigger picture on security incidents. So why is it that hiring managers struggle to find people with the right skills? In one of our surveys, 80% indicated that they are challenged to fill their roles, despite the current economic downturn creating a larger available workforce.

Advancements in technology and the online world have always been ahead of the related considerations for security, because people, IT and business leaders have yet to develop the skills to think securely. Tomorrow’s business leaders need to be able to instinctively strategise for secure business development.

The challenge of ensuring secure e-skills will be about far more than the information security workforce, though; security should become part of the core curriculum across the entire education system, from primary schools to a broad set of university courses. It’s interesting that the majority of computing-related courses do not adequately address security issues, yet we know that strategic decisions taken by IT, from the procurement and/or development of software to the adoption of cloud services, are having a huge impact on vulnerability levels when the security requirements are not built in at the outset.
Security should also be a core element of business education. Employee induction should include security alongside the systems training, and security responsibilities should be part of the employment contract.

John Colley, CISSP, Managing Director (ISC)2 EMEA




Wednesday 26 August 2009, 6:39 PM

SQL injection attacks point to need for more secure software

Posted by (ISC)2

The most recent identity theft attack to hit the headlines (http://news.bbc.co.uk/1/hi/business/8206305.stm) was apparently the biggest case of identity theft in the USA. Like an increasing number of such attacks, it exploited weaknesses in web-based applications by using the well-known technique of ‘SQL injection’ to access and steal 130 million credit card numbers. Hackers understand that significant investments have been made to protect network, database and server assets, and have moved on to attack the application layer. Today they are less interested in causing corporate havoc and more interested in stealing data. Their attacks are therefore designed to evade detection and move through the easiest door to get to the prize.

At a recent (ISC)2 Secure London seminar, the keynote speaker from IBM Internet Security, James Rendell, said that IBM’s X-Force security labs had tracked a 30x increase in ‘SQL injection’ attacks in the last six months. He suggested that cyber criminals liked them because it is easy to identify the targets, they are easy to implement and they deliver a high payoff: attackers do not have to recognise the underlying operating system or even the database, because they take advantage of the web front ends that companies are applying to all of their applications.

Rendell also pointed out that more than half of all software vulnerabilities are web application based; however, the issue here isn’t just about web application software, it’s a matter of the bad software architecture and design that is endemic in much software. Too often security holes are known vulnerabilities that just weren’t tracked properly in the development process. With patching becoming an increasing burden, wouldn’t the economics now warrant pushing the issues and costs back to the software vendors?
We know that software developers have yet to progress their profession with security in mind. They are driven by tight timescales, flexible and cost-effective development methodologies and an obsessive focus on usability. Security has been an afterthought, all too often introduced at the testing stage. But the time to change is now. Software teams need to establish sounder security standards and raise awareness among stakeholders across the software development lifecycle of the importance of addressing security concerns. While many argue that secure coding techniques have been developed, that approach is too limited: this is not an issue for software coding alone.

John Colley, managing director for EMEA of (ISC)2
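As an added illustration of the design defect Colley describes (this is example code written for this page, not code from the original post, from (ISC)2 or from IBM), the two lookups below contrast a query built by splicing request input into SQL text with the same query using a bound parameter. The table, sample rows, function names and probe input are constructed for the illustration; the behaviour is that of Python's standard sqlite3 module.

```python
import sqlite3

# Constructed sample rows standing in for a web application's customer table.
SAMPLE_CUSTOMERS = [
    (1, "alice", "4111111111111111"),
    (2, "bob", "5555555555554444"),
    (3, "carol", "378282246310005"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list[str]:
    """The design defect the post describes: request input is spliced into the
    SQL text, so the database cannot tell where the query ends and the data
    begins. A quote character in the input changes the meaning of the query."""
    sql = f"SELECT username FROM customers WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened form: the query shape is fixed at development time and the
    value travels separately as a bound parameter, so it is only ever compared
    as data. This is the control to require at design and code-review time,
    not something to retrofit at the testing stage."""
    sql = "SELECT username FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input containing a quote character
    print("unsafe, normal input:", lookup_unsafe(db, "alice"))
    print("unsafe, quote in input:", lookup_unsafe(db, probe))  # returns the whole table
    print("safe, quote in input:", lookup_safe(db, probe))      # returns no rows
```

The point for a review checklist is that the two functions look almost identical and behave identically on ordinary input; only the second one keeps the query's structure independent of what the user sends, which is why "bound parameters for every query" belongs in the architecture standard rather than in a late testing pass.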

Friday 7 August 2009, 10:50 AM

Do we all have a role in the UK’s Cybersecurity Strategy?

Posted by (ISC)2

I think we do – everyone from the private sector, in particular IT and information security professionals, has a role to play. Not least because the UK Cyber Security Strategy requires a lot to be defined. It’s a starting point, albeit a good one, but it doesn’t offer much insight into how the eight work streams assigned to the new UK Office of Cyber Security are going to be achieved, and very little has been communicated on the budget requirements. So the next logical step is for us all to play a part, rather than sit back and wait for the government to define every detail of something that means so much to every one of us.

Those of us with the knowledge, the professionals who have dedicated our careers to tackling cyber security issues, have a critical responsibility to help the rest of society, which has a very steep learning curve to climb. It really is time to get involved: efforts to improve security awareness are proliferating, with many reaching out to children, small business people and communities. (ISC)2’s cyber security awareness portal is a good example. The Cyber Exchange uses videos, presentations, posters and more supplied by top experts in the information security field, our members, to help spread the word on secure Internet use. It’s time to find an initiative or start one within your own community or workplace. Or consider lending your expertise within a consultation group directly linked to one of the defined work streams: Safe, Secure and Resilient Systems; Policy, Doctrine and Regulatory Issues; Awareness and Culture Change; Skills and Education; Technical Capabilities and Research; Exploitation; International Engagement; and Governance Roles and Responsibilities. I for one am looking forward to participating in working groups examining the skills and education situation in this country.

At the very minimum, each and every professional should have read the document by now and considered how well their own organisations are managing these areas. After all, this is an opportunity to highlight them with management as well. But more than this, it’s an opportunity to really influence a Secure Digital Britain. What are you doing?

John Colley
Managing director for EMEA of (ISC)2

(ISC)2 is a non-profit consortium that represents more than 3,000 information security professional members in the UK and 66,000 globally.


Monday 22 June 2009, 10:56 AM

Does offshoring or outsourcing increase the data privacy challenge?

Posted by (ISC)2

Last week’s IDG Research Services survey commissioned by RSA highlighted the lack of strategy in place in most organisations for outsourcing business services and information to the cloud. It is a reminder that offshoring and outsourcing present a real challenge to data privacy and data protection, but is the risk any greater than the risk to data that is not outsourced or offshored?

There are many risks associated with offshoring and outsourcing. The information security risk, combined with operational risks including the risk of vendor concentration, should determine the direction and pace of the offshoring strategy. Information security professionals must apply industry-standard confidentiality, integrity and availability principles in a risk assessment to ensure that corporate data is not exposed to unnecessary and unforeseen risk. For those professionals working in multinational organisations, the topics of cross-border data movement and data protection zones are not new. However, if data is made accessible to third-party vendors or other combined legal entities (captives), the involvement of legal professionals is paramount to understand processing and disclosure principles and policy.

The offshoring and outsourcing risk assessment may then reveal that existing cross-border and service provider policies and standards are inadequate even for existing business processes. This confirms that outsourcing does not increase risk, but can actually reduce it, by improving internal controls.

For firms and organisations with a complex mix of environments and vendors, control “edge” solutions can be developed for the handling of data, based on “need to know” and “least privilege” principles: sensitive data is delivered at the very last minute in the process, and only under pre-defined and agreed data disclosure rules.
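As an added worked example of the control-edge pattern Moretti describes (example code written for this page, not code from the original post, from UBS or from (ISC)2), the Python below tokenises sensitive fields before a record enters the processing chain and resolves the tokens only at the edge, only for the fields that a pre-agreed disclosure rule permits for that recipient and data protection zone. The vendor names, zones, field names and rules are constructed for the illustration.

```python
import secrets

# Constructed disclosure rules: for each (recipient, data-protection zone) pair,
# the set of fields that has been agreed for release. Anything not listed is
# denied by default, which is the "least privilege" half of the pattern.
DISCLOSURE_RULES = {
    ("payroll-vendor", "EU"): {"employee_id", "salary"},
    ("mailing-vendor", "EU"): {"employee_id", "postal_address"},
    ("mailing-vendor", "US"): {"employee_id"},
}

# Fields that must never travel through intermediate processing steps in the clear.
SENSITIVE_FIELDS = {"salary", "postal_address", "national_id"}


def tokenise(record: dict) -> tuple[dict, dict]:
    """Replace each sensitive field with an opaque token before the record
    enters the processing chain. Returns the redacted record plus a vault
    mapping token -> original value; the vault stays inside the control edge."""
    redacted, vault = {}, {}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS:
            token = "tok-" + secrets.token_hex(8)
            vault[token] = value
            redacted[field] = token
        else:
            redacted[field] = value
    return redacted, vault


def release_at_edge(redacted: dict, vault: dict, recipient: str, zone: str) -> dict:
    """The "last minute" step: build the outbound record for one recipient in
    one zone. Tokens are resolved here and only for fields the agreed rules
    permit; every other field, sensitive or not, is dropped rather than
    forwarded. An unknown (recipient, zone) pair releases nothing. Passing a
    record that was never tokenised raises KeyError, i.e. the edge fails closed."""
    allowed = DISCLOSURE_RULES.get((recipient, zone), set())
    outbound = {}
    for field, value in redacted.items():
        if field not in allowed:
            continue
        outbound[field] = vault[value] if field in SENSITIVE_FIELDS else value
    return outbound


if __name__ == "__main__":
    # Constructed employee record used to exercise the rules above.
    employee = {
        "employee_id": "E100",
        "salary": 52000,
        "postal_address": "1 Example Street, Exampletown",
        "national_id": "AB123456C",
    }
    in_flight, vault = tokenise(employee)
    print("in-flight record:", in_flight)
    for recipient, zone in [("payroll-vendor", "EU"), ("mailing-vendor", "US"), ("unknown-vendor", "EU")]:
        print(recipient, zone, "->", release_at_edge(in_flight, vault, recipient, zone))
```

Because the rules are keyed by zone as well as recipient, the same vendor receives a narrower record when the data is leaving the EU, and a field such as national_id that appears in no rule at all can never leave the edge regardless of who asks; that is the "supervision burden" Moretti mentions turned into a single table that legal and security can review together.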

Offshoring and outsourcing programmes may increase the complexity of the environment, and can also increase the burden of supervision but do not increase information security risk. There is no hype with offshoring and outsourcing, rather basic control principles apply.

Alessandro Moretti, CISSP, Member of the (ISC)2 European Advisory Board and Executive Director, UBS Investment Bank, IT Security Risk Management.


Tuesday 5 May 2009, 4:07 PM

Invest now – payback later

Posted by (ISC)2

I was in San Francisco last month for the 20th Anniversary celebration of (ISC)2’s formation. While there I was fortunate enough to have dinner in one of the city’s many excellent Chinese restaurants. At the end of the meal the proprietor gave each of us a Chinese fortune cookie. We all broke open our cookies and read the saying inside (actually we played a game which I had better not go into here). The saying I had in mine was “Your investment in time now will lead to success later”.

It got me thinking about what a great saying it was. No matter what we do, we generally do it better by investing time into it beforehand. This applies as much to information security as it does to any other profession. It is particularly relevant when discussing the value of security qualifications and certificates. Many of the arguments hotly debated focus on what the certificate covers and how good the examination process is. This ignores the fact that one of the main values associated with security qualifications is that they show the individual has made an investment in time to study for and take a qualification.

This process does not stop there. Most of the leading information security qualifications require that individuals continue to invest time in continuing professional development and education. This is one of the most important aspects of professional qualifications. If a qualification does not require you to commit to making sure you keep abreast of new developments in your field then it probably isn’t worth having. We see this approach in many aspects of professional life. Airline pilots have to be regularly assessed and have to be “rated” for whatever type of aircraft they are flying. First Aid certificates have an expiry date on them (usually three years). Both the medical and legal professions demand continuing professional development.

In the current climate, whether you are recruiting the right individuals or, if you are looking for a new position, convincing a prospective employer of your value, the investment individuals have made of their time in obtaining and maintaining a security qualification is critical. When I was sitting on the recruiter’s side of the desk I would always ask a candidate what qualifications they had and why they had chosen specific ones. What criteria did they use in selection? How were those decisions made? Those that did not have any qualifications were not necessarily eliminated but were asked why they hadn’t got any. This was not to be critical of them but to find out how they had invested time in their careers.

So, to quote an old Chinese proverb, “Your investment in time now will lead to success later”.

John Colley, CISSP, Managing Director, (ISC)2 EMEA


