The truth about the information security industry
The information security industry is in doldrums. If it is not, it probably should be.
For the past decade, there has been no change in the basic way we operate. For an industry that is reasonably new and supposedly at the cutting edge of technology, it has not done anything different. Don’t get me wrong here. We have improved our tools. We have dutifully automated stuff. We have created more glamorous reports and siphoned off truckloads of money from unsuspecting customers. BUT there has been no change in the VALUE that information security adds to the industry.
Ask any infosec consultant who has been in the industry long enough. He or she will definitely squirm in his or her chair before answering the question, “What value does information security bring to your industry?” Again, don’t get me wrong here. We mumble platitudes that help us retain our jobs. “Information security is protecting all your information. We ensure that you don’t get hacked. We put in systems to prevent a major loss due to information security breaches. We help you understand and mitigate risks. Etc. Etc.” What we don’t tell you is that we can do only two things. One, we can run our tools on your IT setup and tell you what a hacker will find if he or she runs those same tools instead of us. Better us than him. Two, we can set up an elaborate labyrinth of documents that masks any real problems you may have and gets you a darn certificate (an ISO 27001, or a PCI-DSS, or whichever one you like). Of course, we also bring up ‘audit issues’ and ‘recommendations for improvement’, but then we do not want to take credit for that. What will the audit team do if we start taking their credit, eh? We perform the key role of general pain-in-the-neck (notice the age-friendly ‘neck’ and not…) and try to tell IT how to do their job with esoteric ideas like reviewing a million user accounts. We won’t do it for them, but we want it done anyway.
Oh, wait! I forgot to mention the IT tools that we use. We set up data leak prevention (DLP) software and scrupulously monitor traffic that goes in and out of the network. No one ever told us what to look for, though. So we end up either blocking relevant stuff or just watching things go by. We set up security incident and event monitoring (SIEM) tools that look at all the logs of different IT devices to search for malpractice. Here, we do know what we are looking for. Of late, to keep our jobs and also to say that we are doing new things, we tout BYOD as a major threat and try to implement tools for that too. We call them mobile device management (MDM) to make it sound all nice and classy. It is no different from regular device management, but we want to use new terms.
We just cannot provide a justification for why we need those tools or those processes or systems in place. Watch us during budget discussions! Somewhere along the way, we forgot that we have to add VALUE to the business. We like to believe that we add value by identifying key risks. Imagine the chairman of the board of a huge conglomerate. He sits down for a discussion with the entire board. The issues he needs to discuss are as follows:
• dropping sales due to market downturn
• competitor product that seems better and cheaper than ours
• cash flow for the quarter
• sudden regulatory changes that may require them to shut down operations in a country
• possibility of being hacked due to improper patching of the active directory (Critical Risk as per the infosec idiot out there)
You get the point? Of course, I am exaggerating a little, but just a little bit!!
We don’t need a quick-fix, if you ask me. We need a complete overhaul of the industry. Here are a few problems that we, as an industry, are facing. Feel free to add your own in the comments:
• We lack business experience
- Most information security guys have either come from an IT background or have been in information security throughout their careers. We really don’t know the business well enough to be able to comment on the security requirements of the business. We solve this problem by providing general recommendations. “Where is your fire exit? Why are your systems not patched? How do you manage incidents?” If we knew the business, we would be in a better position to ask the right questions. We compound the problem by having fresh trainees work on projects and provide recommendations.
- The solution: let the CISO be a business guy who is trained in the basics of information security, and not the other way around. Also, no fresh trainees to be passed off as professionals.
• We work in silos
- We know either IT or we know standards. We do not know both. Hence we cannot come up with reasonably good recommendations. The results of a switchover are sometimes hilarious. You have someone recommending the closure of port 80 on the web server, or you have someone who wants an incident report for a patch update.
- The solution: all information security professionals should be cross-trained to know the basics of every aspect of infosec. We are ‘Information Security’ professionals, not ‘IT security’ or ‘Security Compliance’ professionals.
• We do not experiment
- Academia has been doing a great deal of work on information security. They have many ideas and are testing many hypotheses. It has not boiled down to anything useful for the industry or the professional. We are still doing the boilerplate stuff. The only new things we ever try out come when some product company with buckets of money creates a product and then uses its marketing muscle to tell us that it is the next best thing since sliced bread.
- The solution: look around. Experiment and learn. There are so many things that an information security professional could adopt. From Monte Carlo simulations for risk to global incident databases, there are so many things the industry could add to make itself more relevant!
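As an added illustration of the Monte Carlo suggestion above (example code written for this page, not from the original post), this simulation turns one risk scenario into an expected annual loss and a bad-year figure, the kind of number that can sit beside the other items on a board's agenda. The incident frequency, loss median and spread are constructed assumptions, not figures from the post.

```python
"""Monte Carlo estimate of annual loss exposure for one risk scenario.

Constructed scenario (not from the original post): credential-phishing
incidents arrive on average freq_per_year times a year (Poisson) and the
loss per incident is lognormal with a chosen median and spread. The result
is a figure a board can weigh against its other agenda items.
"""
import math
import random
from statistics import mean


def sample_poisson(rng, lam):
    """Knuth's method: number of incidents in one year for mean rate lam."""
    limit = math.exp(-lam)
    count, prod = 0, rng.random()
    while prod > limit:
        count += 1
        prod *= rng.random()
    return count


def simulate_annual_losses(freq_per_year, median_loss, spread, years=20000, seed=1):
    """One simulated annual loss per year; median = exp(mu), so mu = ln(median)."""
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    mu = math.log(median_loss)
    losses = []
    for _ in range(years):
        events = sample_poisson(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, spread) for _ in range(events)))
    return losses


def summarize(losses, tolerance):
    """Expected annual loss, 95th-percentile 'bad year', and P(loss > tolerance)."""
    ordered = sorted(losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    exceed = sum(1 for x in losses if x > tolerance) / len(losses)
    return {"expected": mean(losses), "p95": p95, "p_exceed": exceed}


def analytic_expected(freq_per_year, median_loss, spread):
    """Closed-form mean of the compound Poisson/lognormal model, for sanity checks."""
    return freq_per_year * median_loss * math.exp(spread ** 2 / 2)


if __name__ == "__main__":
    annual = simulate_annual_losses(2.0, 50_000, 1.0)
    print(summarize(annual, tolerance=500_000))
    print("analytic expected annual loss:", analytic_expected(2.0, 50_000, 1.0))
```

The simulated mean should land close to the closed-form value; the 95th percentile and the exceedance probability are what the simulation adds over a single point estimate.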
I know this does not read well, especially if you are in the information security industry. I think this is the truth and we need to pull up our socks or become irrelevant!