The Difference Between Doing IT and Infosec

Wednesday, April 20, 2011

Robb Reck


Or, The Difference between Information Security Professionals and those Paid to Perform Information Security

Evidence of people performing accounting has been found as far back as Babylon (circa 4500 BC). We have records of a civil engineer from as long ago as 2630 BC. It’s fair to say that these are mature, well understood professions. The education and training for their practitioners has been thoroughly tested and documented. If you want to become an accountant you take some classes, learn your craft, and prove you’ve learned it by taking the Certified Public Accountant (CPA) exam. If you want to become a civil engineer, you do the same (only take the Professional Engineer exam instead).

Compared to those fields, IT and information security are brand-new. For many of us practicing now, there was no accepted path for entering the technical fields. We came from all over. We saw the wide-open opportunities that technology provided and we jumped on the bus. Students from business, engineering, history, chemistry, communications, and performing arts (not to mention many who never received any kind of undergraduate education) saw opportunities in IT, picked up some self-directed or on-the-job training, and became part of the IT industry.

This first group of IT pioneers had a lot going for them. They were better innovators than your average group of CPAs, and they were much more willing to take risks than a civil engineer (and if you ever drive over a bridge or through a tunnel, you should be very thankful for this one). This led to great leaps and bounds forward in information technologies. Systems quickly became interconnected, and new functionality started sprouting up everywhere. Our lives moved from a paper calendar to our computers and then to the internet. We stopped writing checks and started paying bills on our computers. Our IT innovators were changing the world.

The same people who gave us world-changing innovations also gave us system-crippling vulnerabilities.

Unfortunately, while our well-meaning innovators were adding new functionality they were also adding new vulnerabilities. You see, civil engineers are taught early on that they must account for all potential vulnerabilities in their structures. Wind, floods, earthquakes, unexpectedly high usage: all of these possibilities need to be factored into their designs and their risks considered. But our first generation of IT staff had no formal education, and so they continued building new functionality and leaving massive holes. And when these holes were identified they would stick a Band-Aid over them and move on to the next innovation, because that's what paid the bills.

Somewhere along the way (probably around the time that we started trying to do our banking and shopping online) we realized that these vulnerabilities really needed to be addressed. Considering the track record, it obviously couldn’t be the IT departments who had been baking these vulnerabilities into the systems. Thus information security started getting budgets and staff. When these new information security jobs opened up, where did the folks come from? Yup, most of us came directly over from the IT world.

The skills that make for a great IT professional are not the same that make for a great information security professional

The primary issue is that the skills that make for a great IT professional are not the same that make for a great information security professional. IT professionals manage systems, information security professionals manage risk. IT pros spent years learning that when they run into a problem they should make or buy a new technical solution. But information security pros are learning that more technology is almost never the solution to a security problem.

The IT mindset is that problems are to be overcome by driving forward, innovating and creating new solutions. But often in information security the correct answer is to go backward, look at what we’ve done, and determine whether we did it right the first time. Instead of sticking on another Band-Aid we should be crafting secure systems from the ground up.

I am certainly not suggesting that IT professionals cannot be successful information security practitioners (if that were the case, I'd be out of a job myself). But some of the attributes that made us good in IT are opposed to those which will help us succeed in information security. We still need to be responsive, analytical, courteous, and solution-oriented, but we can no longer afford to value speed over quality (don't forget, security IS quality) or to focus on technology instead of business.

Risk management is not system administration. You don't get an error message when things aren't going right. And there's no Google search that is going to help you figure out what the problem is. Information risk management requires that you act and think like a businessperson. It's only secondarily that your technical skills will support that mission.

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Don Turnblade:
I largely agree. Security is larger than quality but it definitely is at least quality. Security defects per thousand lines of source code is a quality metric, and one of the fountainheads of new vulnerabilities.

I would say that adapting Six Sigma Black Belt training to both compute the cost of quality and move toward reducing systemic sources of defects rather than inspection and firefighting really does give me tools to lead.

- Specialized Business Impact Analysis, CISSP Domain 3, can become cost of quality estimates.
- Life-Cycle management approaches to identity, access, software development, system development, data processing are related to the full product lifecycle approaches of Six Sigma.

I would say that the leading edge for Security is the Design For Six Sigma discipline. Firewalls can only dream of having the defect rates that low. Web Application Firewalls are a band-aid approach that already bit Barracuda. A Six Sigma design of experiment approach would have substantially reduced their level of testing risks and potentially avoided that breach.

But Security is more than Quality. Security is business strategy also. We will win the Security game on the day that Information Security is part of the Cost Of Goods Sold. When InfoSec is measured in cents of security per transaction, because the value in the eyes of the customer is correctly paid for in the design of the product features of which Information Security mechanisms are on that list. Security will not be an IT function. It will be an MBA function.

Two of my favorite sayings about security came from a West German business leader. Question: "What is the difference between a security event and a security incident?" Answer: "100,000 Marks."

"Brakes allow cars to drive faster." Security is not about stopping business risk taking, it is about enabling it.

When I worked in IT, my job was summarized as "Turn it On, Make it Work." When I joined Information Security my job changed to "Turn it On and Make it Work for the Good Guys Only."

Don Turnblade:
The History of Data Security: An abacus is an ancient computer. Tracing the fate of accounted-for money is as old as money itself. Since the day fraud was invented, fraud prevention and mitigation strategy has been in play. I am not so sure that Information Security is all that new. But its name is new, and its application to electronic assets is newer.

But, as a thought piece, remember Blaise Pascal and the physical computing devices in France like calculators and programmable looms? Our word for sabotage comes from that time, because technologically displaced staff threw their shoes, "sabots", into the automated looms. Also, accounting fraud schemes exploded in France because the widespread use of calculators enabled computing fraud.

Perhaps the 18th and 19th Century is new, but somehow, what is going on is not all that new. It is déjà vu all over again.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
