Why do you work in Infosec?

Wednesday, May 19, 2010

Javvad Malik

I was at a social event the other day and got chatting to a few people sat around my table. People are curious creatures, so the topic of conversation quickly moves onto what you do for a living. I tend to adopt a formula to determine if they are worth continuing having a conversation with. A lot of times people reply with "oh I work in banking". So I take a look at them, T.M Lewin suit, a Rolex watch and yes, they're either a trader or senior manager, definitely worth having a chat with. But if it's a suit from Next with a Casio watch, I put them in the 'cashier' category and move swiftly on.

So at this table one guy mentions he's a police officer. My ears perk up, as a couple of other people around the table begin to take interest, knowing all too well that it's always useful to know a copper. I looked over at him and applied my formula: he looked around 50, overweight to the degree that he couldn't fully tuck his XL shirt into his trousers, and chewed his food loudly with his mouth open. It was clear this guy was probably just one of the office admins who spent his life fetching coffee and doughnuts for the others. This farce of a policeman lived off my taxes and people around this table were actually listening to his waffle.

Cynic mode set to stun. "I hear police end up spending most of their time filing paperwork these days" I said from across the table. 

"Well I co-ordinate armed units tactical responses so yes, you need to be aware of every shot fired, by whom and why." He retorted. OK so my judgement was slightly wrong, but I wasn't going to let this one slide.

Cynic mode set to kill: "So someone like you would document why it took 8 bullets in the back of the head from point blank range to stop an innocent Brazilian?"

"A person like me doesn't just have to document it, but we have to live with the decisions we make for the rest of our lives. Anyone can make a mistake, at least we know that for the most part we make a positive difference to people's lives. What do you do for a living young man?"

At this point the eyes were on me. He'd won the crowd over with his inspirational "anyone can make a mistake" speech and was now trying to undermine my credibility. So I pulled out my trump card, the pre-prepared Infosec job description:

"I work in Infosec, you know when you go to hospital, the one who keeps your medical records safe, when you bank online, the one who keeps your money away from the bad guys, stopping hackers, organised criminals and" *pause for dramatic effect* "terrorists."

"Have you caught many terrorists lately?" PC plod enquired.

My mind was reeling. "Umm err well, not exactly, I mean I write policies that are really important and umm when auditors come in they raise audit points and I..."

All eyes were on me, I had to think on my feet.

"Umm excuse me, duty calls, I think that waiter isn't using a PCI approved PED."

Following my swift exit, it got me thinking as I walked home. Why did I forge a career in information security? Sure I wanted to make a difference, fight the good fight, but what have I become? Someone who writes a few policies, who creates pie charts for managers who don't understand security. Added words like ROI and strategy into my vocabulary just to sound impressive in meetings, know all about remediation plans and risk registers just to keep internal audit off my back.

With Infosec Europe 2010, "Europe's number one dedicated Information Security event", around the corner, security folk from across the land will converge on the event. The vendors will try and convince people to buy their products to secure data, professionals will go there to pick up freebies and check out the models handing out leaflets, and the intellectuals will turn up at the keynote speeches to catch a glimpse of the latest security "rock star".

But I say, we should all ask ourselves as individuals and as an industry, why do we do our jobs? Is it simply to pay the bills? Increase our boss's revenue? Or is it a stepping stone to other things?

We've lost our way, have different goals and objectives and generally have no clue what's going on. No wonder the hackers, crackers and script kiddies are continually ahead of the game. They've retained their original focus and stayed true to the cause: tinker with systems, find exploits and break them. We're still debating whether Dan Kaminsky could wear a ponytail better than Bruce Schneier.

But all is not lost

Salvation can be achieved, but forget the industry or any so called industry "body" helping you achieve this. Every professional must make it a personal agenda to improve security. Only a small army of maverick security professionals, ready to be despised by their bosses and willing to risk it all can make a difference. Here are some handy tips to get you on the way.

  • The next time your boss asks you to downgrade a risk for "political" reasons, slam your pass and your CISSP badge on the table and say you quit.

  • If you're pulled off a project that you're really worried about, take some vacation time, then work on the risk assessment on your days off. Eventually you'll uncover the underlying issues and be hailed a hero.

  • Go undercover as a hacker, infiltrate the seedy underworld community, empty out some bank accounts, cap a few people all in the name of getting to the leader.

  • If you know a department has security flaws but can't pinpoint them, plant some evidence, like, say, tampering with the audit trails. This isn't being crooked, it's about playing the system to make sure negligence doesn't pay.

  • After auditing a 3rd party, go back at night to stake the place out. They'll always revert back to non-secure practices once you've gone and you have to catch them in the act.

  • Next time an auditor comes poking his nose in your business, tell him he's out of his jurisdiction and he shouldn't return without a court order.

  • Having at least 4 disciplinary HR meetings a year should be part of your objectives.

  • Hanging a project manager out of a 10th storey window by his ankles is a far quicker and more effective way of ensuring security is built into every stage.

  • Any time you have a "hunch" you've uncovered a major flaw that could jeopardise your company's PCI DSS certification, don't tell your manager or even his boss, they're probably involved in the cover-up. Go straight to the CEO's office, ignoring the secretary who tries stopping you, and tell him to his face that you got a baaaad feeling there's a mole inside his organisation.

Taz Wake: Brilliant. Certainly one of the funniest Infosec articles I have read in a long time - and it manages to ram home a good point at the same time.

Well done.

(Pedant note: You might want to check the calendar, Infosec 2010 was 3 weeks ago... :-) )
Javvad Malik: @Taz, thanks, appreciated. Yeah, the article was written a few weeks back so was accurate at the time of going to print on the infosec cynic website, it just took its time swimming to the Island. :)
Ian Tibble: The timing of this couldn't be better. I was just flamed on another blog post for rudely suggesting that today's IT security departments speak only in the language of CISSP and ISO27001 and are mostly out of touch with the practical world of IT, and therefore out of touch with IT and network operations. I guess the truth hurts.
This part "Someone who writes a few policies, who creates pie charts for managers who don't understand security. Added words like ROI and strategy into my vocabulary just to sound impressive in meetings, know all about remediation plans and risk registers just to keep internal audit off my back"...this sums up the vast majority of security activities in organisations these days.
Javvad Malik: Thanks Ian, I'm glad you share the views. I'd take another step and say, it's not just about being out of touch with IT, but also being out of touch with business.

We recently conducted an interview with Bruce Hallas and he mentioned some great points around understanding the business needs for security and actually talking security in a language that everyone can understand.

The interview can be seen on www.infoseccynic.com as episode 4, or direct link here: http://www.vimeo.com/11790169

Ian Tibble: Thanks for the link, this is good common sense stuff.
I agree with your point about understanding the business. I would say that an understanding of the information architecture and technological risks allows one to talk about the business. I don't think you can talk about one without the other. They're highly interdependent. The business needs information which is stored on servers, connected with routers, and all that nasty stuff.
Infosec people need a whole different level of experience which would allow them to clearly understand the risks to the business in terms of the likelihood of the classic CIA, and then business risk can be derived from this.
So really I think the IT knowledge has to come first, before we can talk about business risks.
I've seen highly paid pros trying to explain things to the board before. It sends shivers down the spine. Without that solid foundation of knowledge, there will be a perceivable lack of confidence on the part of the security "expert". They have the buzzwords, but they know themselves they're talking nonsense. This is why seniors have reverted to just passing the audit, rather than actually caring about the issues.
Bruce Hallas mentioned "reducing the likelihood" of the database theft. In real life how does that happen? This is where it all comes unstuck. Most security pros would use an automated scanner in this case, which is a horrendous idea, for many reasons.

The industry is broken and we need to cultivate entirely new skill sets and professional certification "tracks". Back to basics as it were.
Javvad Malik: Ian,
I couldn't agree with you more. It's broken, probably because it wasn't built properly in the first place.

"Only after disaster can we be resurrected"

Now where do we start? :)