This story caught my eye a few weeks ago and I sort of brushed it off as a standard story of how the US is doomed unless we keep up with the programs of other nations, who apparently have people far better at penetrating systems than we ever will, and how the only way to keep up is to pump tens of thousands of people through training. I tend to dismiss these stories because, although they often have a grain of truth to them, there is usually more going on than people understand.
Before I get into this, I want you to understand that I am not disagreeing with the need for more InfoSec pros, and definitely not with the need for better training. The need shows up every time we see a breach that should never have happened. Sure, some of those happen because someone found a serious 0-day and slipped in before anyone knew it was a problem. But most of the time, probably closer to 99% of the time, these things happen not because of a new attack but because the existing infrastructure wasn’t protected properly against attacks that were already well known.
John Strand, a Senior Instructor at SANS and host of PaulDotCom’s Hack Naked TV (for those who haven’t seen it, he’s not actually naked in it, or at least not visibly so), had a counterpoint in Episode 39 (go to about 3:48 in). Rather than the 20,000 to 40,000 trained professionals called for by Dark Tangent, John would rather have a “smaller number of highly trained and competent security professionals” than simply throw a lot of people at the problem. I’m not going to disagree with John, either, because I think both are right. But as I hinted before, I think there’s more to this than many people realize.
Think about a military force. For ease of reference, let’s take the US Army. You have different levels with different abilities. From a relatively simple perspective, there’s the basic infantry, trained to do a job and to do it well enough that we can rely upon them to do so consistently. Moving up through the levels, you find the Rangers and then the Special Forces, trained to progressively higher degrees, given more responsibility, and held to higher standards. They also have different jobs that overlap somewhat but are distinct enough to stand out.
This analogy applies to information security as well. We need people trained in the basics, and trained well enough that they can do a job that is not always easy to do. But we also need higher tiers of people capable of handling the more difficult jobs. These will necessarily be smaller groups, since the requirements get more demanding. Not everyone can develop an intuitive understanding of return-oriented programming, but they don’t need one to catch most of the attacks that actually occur. Knowing how to interpret intrusion alerts, firewall logs, proxy blocks, and plain old packet captures, and how to recognize when something doesn’t look right, will go a long way toward securing the infrastructure without incurring as much cost as some fear.
In the meantime, those who do understand the trickier attack mechanisms and the subtleties of how their defenses work are there to mentor, encourage, and provide leadership to those still working their way up. Those mentoring responsibilities come in addition to the daily technical work of research, response, pen testing, and so forth. That mentoring is what keeps people in this field excited, passionate, and eager to advance. It strengthens and replenishes the senior levels and provides a template for how those newly arrived at a level should treat the people just coming into the profession.
On a related note, this is one of the reasons that training courses are opening up tailored to people who are not directly in infosec. The mail server’s sysadmin is probably going to know its behavior to a far better degree than the company’s incident handlers do. It’s important to get that sysadmin trained to understand when to raise the flag that something might be going on.
Think of the sysadmins as the equivalent of local police. The police have their beats and they get to know them well. They do a job that the military is not really intended to do. The military can do it, but the cops do it better. Similarly, the sysadmin knows the servers and desktops better than the infosec admin generally would, because that’s not what the infosec people concentrate on. Without getting into the politics of it, an occupying military force comes to rely upon the local police to let them know when something is off. Sometimes it’s obvious and probably would have been noticed anyway. Sometimes it’s subtle and requires years of experience to spot.
We’re still a long way from where we need to be. Becoming a competent security professional takes more than a few weeks or even months of training. It requires passion, it requires dedication, but most importantly, it requires time. The sooner that is realized, the sooner that time can be spent putting in place the skill sets necessary to safeguard the infrastructure.