Saturday 14 November 2015

of the CISSP, infosec licensure, and how we bring things upon ourselves

[Disclaimer: this post represents my personal opinion. It does not represent the opinion of any past, present, or future employers, clients, or associates.]

I was looking forward to a quiet Saturday evening. I'm traveling tomorrow to be on site with a client on Monday. I did not count on Ed Bellis being active on the twitters and coming up with this jewel of a tweet:

CISSP certification requirements baked into contracts make me chuckle.

It put my brain in gear.

Straight out of the gate, Ed makes 100% sense. Why would certain (security-related) tasks described in a contract require a CISSP? If anything, we know there are skilled people out there without any formal education or certification. We also know that there are some pretty unknowledgeable people out there holding multiple Master's degrees and dozens of certifications. Certifications do not guarantee knowledge. Why then would clients choose to require them in contracts?

The single question from Ed actually kicks a lot of hornets' nests. More than he actually thinks, I believe. Ed, as far as I understand, is a bit shocked that he, as a known expert in our field, cannot work on the contract he mentions because he does not hold a CISSP. He's probably as qualified as people holding the cert, if not more. Why would companies be so stupid as to keep him out of the game?

I'm certain it is not personal, Ed ;-) Companies have been burned more than once. They have paid dearly on projects they awarded to players in our markets that promised them the world, and then horribly failed. Companies bring in inexperienced consultants and make junior people "learn on the job" (on time paid for by their clients). We know it happens. We all hope it goes away. Obviously it won't. In the meantime, the clients play poker and they are cutting their losses.

Our industry doesn't, yet, have a form of licensure. There is no obvious way to tell bad players from good players. There isn't a real bar to entry. To save some of my Saturday night I will not debate whether licensure is a good or a bad thing and whether a bar to entry is needed. I've had the privilege of discussing the topic of licensure with a diverse subset of my peers and I have not made my mind up yet. I'd encourage everybody to explore the topic and ponder on it for a while. I'd be happy to engage with you.

So here I am, putting myself in the position of the client. I need outside expertise for a security project. Let's say that 1 out of 5 of my previous security projects have failed because the partners I worked with underdelivered, went over budget, etc. etc. I have paid dearly for that. The obvious choice is to go with a different partner, but how do I tell which is the good partner? I have no way of doing that. Do I roll the dice and dive into the deep end with a new unknown? I don't want to take that risk. What are my options?

If I want to vet every individual consultant that is going to be on my contract, that is going to cost me a lot of time. I may still not be able to validate all their experience, and it doesn't remove any of the risk. Sure, there are capable people out there, but my previous experience tells me to remain cautious. What else can I do?

There is an organization out there that validates the fact that their certificate holders have at least 4 years of experience in the industry. That is awesome, because now I can just check for their certificate and I know that they've been around for a while. Does it guarantee success? No, but they are not straight-out-of-school theory monkeys. At least there is a bigger chance that in the 4 years they have been around, they have seen some things and done some things that are relevant to the work they're supposed to be doing for me.

Is there a downside? Obviously. I know that there are very smart people out there without the certification that I require them to have. I am consciously choosing not to have them on the contract. Is that stupid? From their perspective, probably yes. But here I am, choosing between vetting every candidate myself or relying on a certification that comes with at least 4 years of experience. Economically, I win more by doing the latter. You can argue your competence until pigs start flying, but you can't argue economics.

Now, in closing, we have to consider why we have come this far. Our industry is full of solution and services providers that jump on every opportunity to "do security", and fail at the cost of our clients. The theory of the lemon market has been repeated ad nauseam in talks, podcasts, and discussions over the past ten years (if not more). Do you truly expect your clients to sit by and do nothing? This then brings us back to the discussion on licensure. Historically, licensure has been introduced in professions for various reasons. Often it is introduced by government, to push out quacks and charlatans. Very few professions have been able to successfully introduce licensure themselves. Is it time for our profession to consider an attempt at licensure? And, if so, what would that look like?

Our clients definitely think it has become worth it to value 4 years of validated experience over X years of self-claimed expertise. Whether you like it or not.

Tuesday 10 November 2015

The plans I have for ISC2, its membership, and the industry

[This post is primarily meant for ISC2 Members but it might be interesting for security people in general, as I think what we need to do is not limited to a particular organization within our industry. It is a fight we need to fight together. For better or worse.]

You can read about the general idea behind my campaign for the ISC2 Board of Directors here.

You can read about what I've already done in my first "tour" on the Board here.

The past is the past. Between November 16th and November 30th, ISC2 Members vote for 4 new directors, and they will have their work cut out for them. As much as you may believe that being a board member is a token position without responsibility, it definitely is not. To my own detriment, I take this uncompensated responsibility very seriously and I want to make a difference. First and foremost for the membership, but also for our profession and our industry.

1. ISC2 needs to represent our interests. Left, right, and center.

I've said this before and I'll say it again: in all the important debates about information security, whether they are held in Washington DC, in the European Parliament, or anywhere else, ISC2 is absent and silent. As the organization that represents the largest number of security professionals in the world, we cannot afford to leave our voice unheard. On topics such as securing the Internet of Things, Export Control, and other legislative issues involving information security, we need ISC2 to be vocal and to take the responsibility to inform all parties without bias.

How can we do that?

The first step is engaging the membership. ISC2 will need to leverage the active membership it has to keep a finger on the pulse of all things information security around the globe. This can happen through a closer relationship between the organization and the chapters. The structure we built through the chapters is our biggest asset for creating one voice that represents members, and industry, globally.

Secondly, ISC2 needs to strengthen its relationships with peer organizations in the industry. This has happened over the last few years, but I strongly believe we can do more. At this moment our profession is represented by "cavaliers seuls" (lone riders) and does not have the credibility it should have.

Third, we need to engage individuals outside the membership to weigh in on topics in which ISC2 doesn't traditionally have a lot of credibility, so the organization can represent a balanced opinion, educate policy makers, and positively influence society.

One of the topics at hand is security research related to exploit development and export controls. Here I call for the immediate creation of an advisory council that has the ability to help the organization form the language of much-needed global education on the topic. The members of this council do not necessarily need to be ISC2 members. They need to be recognized experts on the topic who are willing to devote their time to doing the right thing.


2. We need to define what Security Engineering means.

[I understand that Engineering is a term some people are passionate about. I am not trying to find an alternative to the formal engineering science. I am open to suggestions to replace engineering with a better term.]

Some of my friends have heard me talk about this topic for a while now. It is something I wanted to kickstart in my first term on the Board, but that didn't happen because there were other priorities. I want to make it a priority in my next term, if allowed.

Security today is no longer a tale of firewalls and antivirus. As we build and use technology that influences our very lives, security is present at every level of those technologies: starting at the hardware level, through the network and operating systems, to the database and application technologies.

Saying that a single certification covers all of those areas is a lie. The fact is that we have no way to identify and recognize the security engineers that organizations so sorely need.

What I want ISC2 to build is a certification track that is aligned with engineering principles to provide certifications that allow us to educate, train, and certify those security engineers.

This will not be a certification that you can go to a bootcamp for and pass. The people who go through the whole track will eventually be the people organizations can rely on to build a secure IoT, secure vehicles, secure web technologies, secure ICS environments, etc. etc.

It is something we are missing, and it is something we sorely need. I will make it my priority from the moment I rejoin the board.

3. Make a more efficient Board of Directors

Without a doubt the most frustrating part of my first term on the Board of Directors was the significant amount of time we, as a Board, spent on managing ourselves. This Board's time should be spent on the strategic issues affecting the organization and its membership.

Currently the Board has 13 members, while the ISC2 Bylaws prescribe a minimum of 7 members. There is no way for the members to evaluate the effectiveness of the individual Board members and make an informed decision on whether they are representing their interests. From my personal experience, not all Board members contribute to the common goals, and in many cases the number of uninformed opinions actually detracts from the tasks the Board has.

There are 3 things I want to achieve here:

1. I want the Board to reduce its number of members to 9 over the next 3 years. That is 2 more than the Bylaws prescribe and 4 fewer than there are now. This will considerably lower the cost of the Board by itself. It will also force the Board members to be active, because in a larger board there is more room to hide in the shadows of those who do the work. Additionally, it forces the Board to rely on other members for the committees. This also feeds the leadership pool that the Board draws from, which is needed with the new and stricter term limits.

2. I want the Board to develop transparent communications about the performance of the Board in general and of individual Board members specifically. Just as you know how your representatives in government perform (absence, voting record, involvement in committees, bills proposed, etc.), ISC2 members have the right to know what their Board and its members do (or don't).

3. I need the membership to become more engaged with the Board of Directors. With 100,000 members, we have a lot of brainpower, great ideas, and unlimited motivation to do positive work in our industry. Without the contribution of the membership, the Board cannot be efficient. If I make it back to the Board in 2016, I will do my utmost to bring the Board to the membership and the membership to the Board.

I hope you are with me, because I am going all in on this one.