Robert X. Cringely posted recently on the Cybersecurity myth.
"The Department of Homeland Security (DHS) said this week it will hire up to 1,000 cybersecurity experts over the next three years to help protect U.S. computer networks. This was part of National Cybersecurity Awareness Month and the announcement was made by DHS Secretary Janet Napolitano, who also said they probably won’t need to hire all 1,000 experts, which is good because I am pretty sure THERE AREN’T ONE THOUSAND CIVILIAN CYBERSECURITY EXPERTS IN THE ENTIRE FRIGGIN’ WORLD!!!!
...
Now I brought in the big gun — expert number four, an independent security consultant to foreign governments:
“My bet is that they are going to just pull the bodies from the Department of Defense and Department of Energy,” he said. “DoD has established a number of credentials required to be classified as a security specialist like CompTIA Security+, CISSP, etc. None of this stuff has any practical application because it is hardware/software neutral.
“Even if a government agency (over 550 of them) allows you to sniff their network, are they going to let you evaluate the applications for bugs? I don’t think so. Without scrubbing the software with products like Ounce Labs (owned by IBM), what is the point of evaluating the network?
So you will end up with 1,000 Security Managers in the government with Sec+ and CISSP certifications, talking to Cisco, Juniper, CheckPoint, Tipping Point, Microsoft, Oracle, Ounce Labs, etc. security professionals at $300 an hour doing the actual work. That’s 1,000 jobs for window dressing, releasing reports that end up on Drudge Report listing the number of breaches in Federal Government Agencies."
First off, I agree that there are probably nowhere near 1,000 security experts, and I further agree that in any large organization a huge percentage of that number will be eaten up by managers (Cybersecurity PMO, anyone?); but I am not so inclined to reflexively throw this effort under the bus.
A friend of mine who is a software architect was in need of security architecture help for his company. When we started discussing over coffee what he really was looking for, he said "you know looking for security architecture expertise is just like looking for an Apache webmaster in 1994. You know you need these people, but you can't find them."
So given that, it may be even more absurd to look for 1,000 security experts, but there is one approach that could work. If you don't have any ripe veggies you can still grow 'em on the farm.
My approach would be to hire 1,000 people, the younger the better, right out of school (big consulting firm-style), but then train, train, train them and grow as many as you can internally. Sign them up for as many courses as you can, build some skunkworks projects and throw 'em into the mix (heck, pull a few strings and have them intern at Microsoft, Oracle and friends). Even if 90% don't work out, you still have 100 functioning security people in a few years. Not a complete solution, but much better than the status quo.
Why grow 'em, when we can just H1B 'em from other countries. :)
Posted by: Fireverse | October 07, 2009 at 11:26 PM
I've done that, both. Basically, take smart security wise guys from (foreign) Unis, and bring them into a heavy security project. Dump all your knowledge on them. It works.
But it only goes so far as the leader who does the teaching. It works if you are you, or I am me. But it goes no further than what you or me know, and even if we assume we know enough, what is the leader at DHS capable of?
Posted by: Iang | October 08, 2009 at 04:17 PM
The reason DHS thinks they need these experts is that all they can think of to stop the bleeding is pile on extra layers of what's not working now.
If you keep adding increasing layers of complexity, of course sooner or later everyone from the janitor and up will need a black belt in IT security.
Posted by: Rob Lewis | October 13, 2009 at 11:20 AM