Core Security Skills: What's Required in 2010?
In an exclusive interview, Kent Anderson, founder and managing director of Encurve LLC, as well as a member of ISACA's Security Management Committee, discusses:
Anderson is considered a leading authority on security, with more than 22 years of experience in the field.
He has held positions as SVP of IT Security and Investigations with an international business risk consultancy, as Director in the Dispute Analysis & Investigations group of PricewaterhouseCoopers, and as the European Information Security Manager for Digital Equipment Corp.
TOM FIELD: What are the core security skills needed in organizations today? Hi, I am Tom Field, Editorial Director with Information Security Media Group. We are going to answer that question today by talking with Kent Anderson, the Founder and Managing Director of Encurve. Kent, thanks so much for joining me.
KENT ANDERSON: Thanks for the opportunity.
FIELD: Just as some context for our audience today, why don't you tell us a little bit about yourself, your experience, and then your role now with Encurve?
ANDERSON: I have been involved in the security profession now for coming up on 24 years. I have done a variety of tasks, everything from investigation of computer crimes through development of security programs, and now through Encurve we provide a range of services to clients from the standard security management consulting, risk assessments, policy development, through strategic advisory services to CISOs and CSOs.
FIELD: So Kent, as you look to 2010, what are the information security trends that you are most tracking?
ANDERSON: Well, I think I am dividing the trends for the next year or two into probably three categories, and those are technology, business issues and let's call it just pure security itself. In the area of technology I think there are two very big trends occurring that are going to have a tremendous impact on security, and that is virtualization, which is things like cloud computing, applications as a service, those types of technologies. And the continued deployment and development of wireless and mobile technologies. Both of these areas are well underway, but they are showing the age-old problem that we have had in security from the very beginning, and that is that leading edge technologies are being implemented before we really understand what the threats and risks are, and before true security controls have been put into place to mitigate some of those. So from the security practitioner's point of view, these are going to be real challenges.
The other key thing that these technologies are driving is the loss of the perimeter. Where, as the security practitioner, does our job begin and where does it end? That is becoming fuzzier and fuzzier with these types of technologies.
On the business side, again I am looking at probably two critical areas and two trends that we need to keep an eye on. First is the regulatory environment, and then second is just the continued economic pressure that we are going to face throughout 2010 as a follow-on to the economic downturn. The regulatory environment is in flux. Right now in the U.S., Congress is obviously focused on other issues, but there are several bills pending that could have significant impact centered around data protection, data privacy. And I think that we need to keep a close look on financial regulations stemming out of the previous crisis. It is going to be very easy to slip in small things that could have a serious security impact, very much as the Section 404 of Sarbanes-Oxley did.
And we have got to keep our eye on the worldwide regulatory view as well. It is not just the U.S.; the EU is very active in this space, and there is the risk that a lot of these regulations are going to be, if not competitive, at least maybe not very complementary to each other.
On the core security aspects, the two trends that I think are going to be most important, of course, are the continued convergence of security and increased threats. In the convergence, I am talking about a little bit more than just the standard idea of physical and IT security coming together. I am talking about convergence of information security with all the various business functions. Legal, we have electronic discovery that is a huge area in that thing, and it is having a tremendous impact on IT and information security. HR, how we are hiring people, how we are outsourcing things, that is going to impact everything.
So it is a convergence of information security with all these other business functions that is going to really change the way we do business, and obviously the increased threats. We are going to see more and more serious threats, more fraudulent and profit motivated crimes, and I think organized crime is going to continue to grow in these areas.
FIELD: You know, you used an interesting term in that last answer, which was "core security." Now, you have described an organization that is in flux, an organization that to some extent is besieged, to meet the challenges that you have outlined, what would you say are the core security skills that organizations are going to need?
ANDERSON: Very good question. Because what today we are living in an environment, and I think the security profession, the information security profession, has some serious drawbacks, and probably the number one drawback is our myopic focus on technology.
We tend to look at this as a technology problem, and we are struggling to find the technology solution for it, and that is just not the case. If you think about it, security awareness is at an all-time high; organizations are hiring and spending more than they ever have on this; and as I said, legislation is coming out from everywhere. And yet despite all these efforts, every single statistical measure of security's performance is showing that the problem is actually increasing. That is the number of incidences, the amounts of losses, potential for downtime, all of these types of things are growing, even though we are continuing to put a lot of effort into it.
I saw a recent survey that said that over 80 percent of security professionals said that security risks were not understood, or not well understood, within their organizations. That is a profound statistic. I think that gets to the idea of the missing core security skills.
One of the most important core security skills that we need to develop is the ability to better understand, better analyze and better communicate risks and threats. This is probably one of the single biggest things that is missing today, and part of that is we don't look at--what we look at is what is the technology in place. We have kind of a knee-jerk reaction to certain solutions - a firewall, a VPN, we look at it in terms of that instead of backing up and saying 'What risks do we as an organization actually face, and what is the best control to put in place to mitigate that risk?'
There is also a concept that I call understanding of a security lifecycle. And that is that we are able to do those threat and risk assessments properly, that we can build and develop effective policies and procedures, that we can design controls that really meet our needs and mitigate risks, and that we can respond to incidences in a timely controlled fashion.
Unfortunately, what happens today is often we just apply technology controls without understanding those risks. We write policies after the fact, and those are usually then put on a shelf and ignored. And then when an incident does occur, our reaction to it is very ad hoc, very firefighting. And it is these core skills of policies, threat assessments, control design and incident response that I think are what we are missing today and how they play with each other, how they affect each other. Those are some of the real core skills that are overlooked and we need to look to develop.
FIELD: Where do you see organizations developing those skills? Are they doing it in-house or are they sending people off to professional bodies?
ANDERSON: Well, that is part of our problem. Unfortunately, I think most organizations don't understand this problem well enough to direct the development of good security skills. I sometimes get the idea that we are in a situation of the blind leading the blind.
If you think about it, certainly an HR department is not going to have the knowledge to understand our profession and the issues that we need to deal with it. And even looking within the security organization itself, too often I find CISOs, CSOs, they are too focused on the firefighting, the budget problems and everything to get ahead of the curve so to speak and start dealing with some of these issues.
So I think what is happening today is that most people develop these types of skills on the fly, on the job, without a formal thought or mechanism behind it. I think that is one of the things that we need to learn to work at as an organization is to define what these core skills are and what do we need to get them. I think at the end of the day it is going to be left up, in the short-term, left up to the individual to acquire these skills.
FIELD: Well, let's take a step back and talk about the challenges in meeting these demands. You sort of identified some skills here, and that is something that you can prescribe, but what are the obstacles to organizations being able to do this bit of self-analysis that you have described and be able to fill people into these roles?
ANDERSON: Well, I think first and foremost it comes down to the ability to communicate risk and what needs to be done about it. You know, when we look to finding these things, part of the challenge I am sure every one of your listeners has had this problem, if you look at the professional security training bodies that are out there, they have large catalogs of all the technical courses, how to configure firewalls, how to do a penetration test, all of these type of things, and these are all good skills, and I am not criticizing them, but they lack those other skills. I don't want to say they are softer skills, because they are very practical skills for our profession, but they don't exist very concretely, and even when you see this as a title, when you look at the content again, they usually focus back on the technical aspects.
So I think one of the challenges is just finding formal training that addresses these types of needs within the information security profession. I think there are other professions that might be able to help us with some of these things.
But then the second challenge we are facing is that even if we had the course, we have that ever-present issue of budgetary restraints, just finding the time. Everybody suffers from that. How do I take a week out or two weeks out to take a training course? So I think those are the big challenges we are facing.
FIELD: Now you talked earlier about individuals taking on the responsibility to develop these skills themselves. For someone that wanted to do that, to take charge of their career, develop some of these skills and present themselves as sort of a more complete package - what advice would you give to them?
ANDERSON: Well, first you need to take a step back and think about what you want as a career and what you envision your career path to be. In other words, we kind of have to answer the question of 'What do we want to be when we grow up?' There are some people, they want to stay technically focused. They like the technology and they want to keep that focus. They truly see that that is their lifetime career plan. I think that is fine. We will also need technologists who understand that and can work.
The issue, though, that I think people need to realize is that as this profession matures and as it becomes more and more integrated with the business, and the businesses become more and more dependent on it, that the strict technologist is going to become more and more of an isolated role.
Career paths and career progression, I think, will decrease over time if you keep solely a technical focus, and I think that the people that do that risk suffering a lot more churn in that these are the types of jobs that I think in the future we are going to see are more subject to layoffs, will be outsourced more often. So you know, while you can sit there and say you want technology to be your major focus, I think you have to understand where the industry is heading with that. So the people that want to go somewhere else, I think, there are really two primary paths. One is -- and this is what I get from a lot of people -- how do I become a CISO? Well I think the core skill that a CISO needs today is business skills. They are the primary interface between the security organization and the business, and they have to be able to translate risks, security needs, those types of things to the business. They have to be able to speak the business language, so I think that if that is the career path you are looking at, you need the business skills to get you there.
But the other path that is certainly I think open and probably the one that is going to grow the most in the future is what we can call the core security professional. I think these will be senior positions of individuals who really understand how to apply these core security skills. How to do a risk assessment; how to do a threat assessment, and then take that information and relate it back to the business, relate it back to the various other organizational functions to be able to communicate to legal, be able to communicate to HR and the various business units and their leaders. And probably one of the biggest skills that they are going to require to do that is you have to do all of that analysis and communication probably with insufficient information and under severe time constraints.
So I think those are some of the areas that people need to look to decide where do they want to go, and then within each one of those areas look at 'How do I get the skills within that?' The core security skills are a little harder because we as a profession, because the information security profession is so young, we don't have a lot of that well defined yet.
So I think that people that want to go down that track need to look at are some of our related professions such as physical security, which has been around a lot longer. They still do very similar things. They do risk assessments, they have policies, they respond to incidences. Now it is a different flavor, but the principles between the two are the same. So I think if you want to stay in a core security position and stay in a senior position, you need to learn as many other things as you can; legal issues, hiring issues, business issues and then other core security issues as related for example to physical security and those types of areas.
FIELD: So, you have talked about for senior leaders, their entry point. For someone that is just getting into the profession today, I have got to think that as young as the profession is, the bar of entry has changed over the years. So for someone getting started, what would you advise them to do today as opposed to when you started in the industry?
ANDERSON: Well, I think first it is an exciting time to enter the profession. I think we are really on the cusp of some real changes and expansion to our profession. As I said, we are a fairly young profession, and I think it is just in the recent years that we are actually seeing it begin to mature into a profession.
My advice to somebody that is entering this profession is first, just learn; be inquisitive. Certainly when you enter the profession, you are almost always given a very specific task and you do need to develop some real core capabilities.
In most cases in information security these are technical capabilities. And you need to do that; you need to get a foothold and learn a portion of it. But don't be satisfied with just learning the core technology. Figure out and try to learn how does that specialty, whatever it is, how does it apply to the bigger picture? If you are doing something in cloud computing or virtualization, you know, how does that impact--try to ask questions of how is that going to impact the organization? How is that going to impact the business relationship between our organization and other organizations, the outsourcers, the providers? What are the security implications of those relationships?
So I think the biggest thing that you could do as an early practitioner is to keep an open mind and learn. It is an ever-changing environment and it is one that you are going to have to keep on top of and I think you have to take charge of that. Don't depend on an organization to necessarily develop your career for you.
FIELD: Kent, that is great counsel. I appreciate your time and your insight today.
ANDERSON: Great. I am just glad to help.
FIELD: We have been talking with Kent Anderson, the Managing Director of Encurve. For Information Security Media Group, I'm Tom Field. Thank you very much.