Anton was kind enough to point out, re my mail header - "From: coolanonymousname@supersecret.net":
>Tell me, even though using an 'anonymous account' did you mean to give the 'back door' of
>your real name and email, or is this a red herring? Let's see if it bounces...
Oops, I apologize for the "anonymous" name, I was just messing around with the "Identity" field in Netscape and I forgot to set things right (that step wasn't in my audit procedures manual). In any event, my laptop fried up Saturday morning and I'm typing this on the desktop using (egad) MS Exchange, so I have no idea how the message will actually appear...
Anyway, thoughts on training (getting skills) and certification (a reliable independent means of ascertaining skill levels):
Most important: Full-time systems experience - sys admin, programmer, etc. - develops the sophisticated technical experience needed before you can reasonably be considered an "expert." Example: Cheswick and Bellovin. Their book is just an account of their job - administering the ATT Internet gateway (as opposed to some of the security books coming out now which are really just white papers that any intern could write by surveying the Internet and whatever books are available).
Followed by: "Hacking" (in the "Steven Levy have fun in your free time messing around with technology" sense, not the "I have a c00l4n0nym0usn4m3 handle and a subscription to 2600" sense, though I'm guilty of all three). It's the "X rat" theory - from the sports term "gym rat," e.g. Larry Bird was a "gym rat" spending much of his spare time in the gym, shooting extra free throws after practice, playing pickup games, etc., while Steve Wozniak was a "hardware rat" who spent his free time tearing down and building up hardware. Goes back to my original statement of "Do what you love and you'll enjoy spending the extra time necessary to get good at it."
Followed by: Engineer oriented technical courses, like Cisco or Network General training. A week long class isn't going to make you an expert, and you could certainly argue there are better ways to spend a week learning, but it's still time spent doing "techie stuff," which adds up in the long run.
Followed by, in no particular order of preference:
"Classic" books (Cheswick and Bellovin, Comer, Schneier, etc.) and resources (RFCs e.g.),
Certifications such as CISA, CISSP, etc. I'm not trying to really put them down by placing them last - it doesn't hurt to know the material covered, and the act of studying for it and taking the test is a useful learning process. However, the act of actually (e.g.) installing and maintaining a firewall is light years better at teaching you the material than a paper test.
Giving technical seminars, e.g. at a SANS conference. Yes, people can fake it sometimes, but I'm not putting this at top priority.
Followed by:
Conference attendance - meet some like minded folk, learn a few things, doesn't hurt (but I'd rather spend my time in front of a keyboard, so I don't go to conferences much, which my boss doesn't seem to mind, given the high cost of attendance).
I'm often involved in interviews for hiring security folks, and I try to concentrate on the first two items - I want folks with a) admin or network programming experience (the latter since I do Internet work mainly) and b) a real enjoyment for working with technology. For a starting staff person that means you know that "modem" isn't a word from Ebonics and you're really excited about spending the next (let's say) 5 years in front of a keyboard in a data center late at night debugging routing tables and firewall filters. Before the Big N-1 flamethrowers come out, I'm not in any way talking about "Hey, Bob can spell firewall, let's send him out by himself to do that firewall implementation." However, security skills can be trained, given basic technical knowledge and the desire to learn the security skills (as opposed to "I'll sit in front of a keyboard if you make me, and then only until I can get back to trying to get promoted to {Regional Sales Manager/Director of Security/Senior Manager}"). My hiring process is aimed at weeding out the (many, many) people who enter the security field because "It sounds like a good career path and I'm bored with what I do now, send me to a class for a week where I'll take lots of notes BOOM I'm a security pro."
As a lawyer, I went through one of the more rigorous certification processes around, both in terms of the breadth and depth of substantive material I was tested on as well as background checking (when you fill out the background questionnaire for the Florida Bar, you know YOU DO NOT LIE, even when they ask you about, no fooling, your old parking tickets (sounds mundane, but that's a soft ball to weed out the people who are stupid enough to lie about something that mundane)).
The Florida Bar certainly weeds out a lot of bozos, and certainly lets plenty of others in, but I'm not advocating developing that sort of organization/exclusive monopoly in the IS security field.
Why? Continuing with the lawyer analogy:
1. If you're a big organization with the in-house knowledge necessary to interview the prospective lawyer in a sophisticated manner, the Bar certification is only of minimal value to you, because you know that plenty of bad lawyers pass the bar exam - you have to take the responsibility for yourself to determine competency using a thorough interview process
2. If you're a small organization, say a small business looking to retain a corporate lawyer, it would be nice to be able to rely on certifications to show competency, but the Bar exam is only a minimal bozo filter (even though you have to spend 3 years in school and then about 3 months full-time prepping for it). You still have to take the responsibility on yourself to determine competency, it's just a lot harder because you can't just bring in some people from another department to grill the prospect.
It's not that I think certifications (back to CISA, CISSP) are useless, it's just that they're only a minor part of the question. The organization looking for security talent needs to answer that question for themselves, so they might as well forget about the middle step ("Oh you have a CISA cert, that's nice") and get right to the questions that must be asked in order to do a thorough job in the hiring process.
It would be a useful exercise (perhaps the subject of a whole new mailing list) to come up with a list (say 10 general questions/aptitude tests about policies and procedures plus about 10 specific questions/aptitude tests for each of various platforms) that you could draw on when hiring security folks (the mailing list might have postings like "I used the 'make them load WinNT test' because the candidate said they had a year of NT admin experience, and I had the following result..."). (There is a possible liability issue there, as in you turn down a candidate and then they read about the hiring process on the newsgroup a few days later, then decide they don't like the way you handled it - d**n lawyers)
Since there are no easy answers to security (as a multi-layered problem which can never be considered fully solved, for which the implications of failure can even be life-threatening), it's no surprise that the security hiring process does not lend itself to easy answers. I'm not trying to disrespect ("I meant no disrespect" as the iguana from the Bud Light ads would say) the various attempts to create a viable certification process, when I say I'm just not willing to outsource any portion of the decision making process when it comes to security.
Michael Mucha
Internet Security guy
I'm not speaking on behalf of Ernst & Young LLP
Fort Lauderdale, FL
mmucha@ix.netcom.com
PS:
How about a security disclaimer like the Florida Bar requires for all ads:
"The hiring of a security professional is a serious decision, one which should not be made solely on the basis of this advertising. Please contact the Governmental IS Security Regulatory Department (GISSRD) for a colorful brochure explaining your rights."