Lies can take on a form and function that is beyond the first utterance and deeper than the lasting effect. “I’m from the government I’m here to help you”, “the check is in the mail”, and “trust me” all come to mind. If you say something often enough and with enough conviction others just might believe you. Even if the proposition of the statement is so utterly ridiculous you would be castigated for it at any other time. One of these is the profit motivated and ill-conceived notion that all cyber warriors are going to be drug addled, t-shirt wearing, hyper sensitive, teenagers with deep seated oedipal complexes. If you brush across the surface of information security and spend most of your time at Black Hat or DefCon conferences you might think that was the case. Yet there is a lesson here in government procurement, social stigmatism, and the professionalism of information technology security practices.
Now, what we’re going to do here… We’re going to take the heart of your information and knowledge age organization, we’re going to turn it over to a group of immature, slovenly, likely hostile individuals, who have criminal records. You’ll be able to identify them readily. They’ll be wearing jeans, t-shirts that say “got root?” or “1337 h4x0r”. Now, don’t worry because these individuals are highly competent as defined by your human resources department. They were seen to program a VCR that was blinking “12:00”. Better yet. They have a list of certifications from “for profit” vendors who have spent many hours indoctrinating them into specific technologies and how to sell them to you as internal agents provocateur. These new employees who are handling your most sensitive corporate secrets with “god like powers” of system administrator logins are hostile to your corporate goals, and will require special care and feeding as they are spoiled beyond belief.
We as enterprise level managers or corporate information officers accept and wail about these types of trade-offs. The fact that there are few individuals in this arena though is another lie. They just aren’t being targeted correctly or the very individuals we as leaders would target have drank their own awesome sauce. Worse. This pseudo youth worship has disenfranchised hordes of senior programmers and administrators who based on their age seem to not be able to get a job. Even worse, the abject failure of human resources staff to gain a clue is still rampant in the annals of high-tech hiring practices. In 1999 I remember being interviewed for a C# programmer position with “10 years experience”. The language was still in beta.
The mainstream media is partially to blame. A recent Reuters article compared Bradley Manning to being a cyber-warrior. The article talked about rampant burnout, criminal activities of people who apply for these information security positions, and other scary behaviors of the mentally deficient cyber warriors. Of course, it appears that the industry collective has governments back, and will provide it’s tamed versions of these cyber operators stealing a page from the EDS commercial space they will “herd cats” . There is a lot of money in portraying skilled technologists as lazy incompetent buffoons who need special handling. Unfortunately many skilled technologists never think about the ramifications of buying into the “special” category. Some revel in the notoriety and engage in serious self-worship. That leads to the question of since when has being considered by society to be a mentally deficient, border-line sociopath, with delusions of grandeur been a “hacker” trait? Since when did the multi-disciplinary task of information security mean you had to be a silo’d technologists of such limited skill?
Information security and cyber security (they’re really not the same thing) is a multidisciplinary large scale effort involving the cognitive human processes supported by the extensive stack of transmission, storage, and processing technologies in various states of rest and dynamic representation. Whew. Cyber is a lot bigger than a Linux kernel, or Windows root kit.
The neo-cyber-punk sans professional attitude may be a fashionable corporate statement today, but it is an inherently flawed, and risk increasing strategy. Most security professionals I’ve dealt with are more interested in being treated as professionals (not socially awkward teenagers), being properly resourced for the tasking they are given (salary at 80 hour work weeks is highway robbery), and want to see a promotion path that is reasonable. Unfortunately the technology centric idiocy of corporate information vendors and the rampant “Information Week” buying frenzies of boutique and fashion purchasing harm security too. This is where CIO’s (CSO’s) read something in a free periodical supported by vendor advertising and need to buy something because they read it there. These problems are growing faster than the ability for security professionals to knock the pins out of the logical fallacies that are so prevalent.
A caveat. No. I am not a hacker. I have never been a hacker, nor do I make claims at hackerdom. I like to play with the technology and investigate the intricacies of how technology makes peoples lives better (lots of stuff on this blog if you want to read it). I like to fix things that are broken. I don’t wear silly t-shirts. I don’t worship a youth long gone, or hair long absent. I don’t think “hacking” is cool. I do like the manipulation and technology in ways nobody expects. Professionalism is much more than simply wearing a tie, but merely being young and able to program a VCR (who has those anymore HR?) is not enough to claim “1EE7” skillz. I’m am incensed that the various hacker conferences aren’t the safest information environments on the planet. If all those leet hackers weren’t trying to “out cool” each other they’d be saving their took kits for the proceedings and not hacking each other into insolvency. Breaking things is trivial. Building them isn’t so easy. Neo-hacker meet the Sistine Chappel. Where is your art? Yes, I realize to most hacker types, corporate environments are mud huts with a great coat of paint.
If you’re a corporation looking at hiring people for security positions don’t buy into the hype that some cyber-punk with a criminal record is your best bet. Better yet, don’t buy into the vendor hysteria surrounding technology. Most information technology assets can be exploited if the threat and vulnerability connection is made. It is breaking those points of opportunity that should be your main goal. Since technology inherently is as flawed as the creators. It then becomes important to separate the threats from the vulnerabilities that can be exploited. Vendors inherently sell you more technology to fix technology already in place without mitigating the threat factor. Is it any wonder we haven’t solved these problems?
More to the point. If we can show that intentional and unintentional insider threats are the primary contributors to incidents how does hiring people with criminal intent play? There is another element here too. Much of the media attention is on “hacker” types and less on security types. Few are going to have the wide swath of knowledge in various attack strategies that might be considered hacking, plus the knowledge of how to secure against those attack strategies, plus the acumen to source & provision those resources in a corporate environment, and then maintain anything close to a relatively balanced life. Whereas, the computer security professional, or information security professional will eschew the extensive attack strategies for the minimal needed to test systems and lean on the principles of data protection instead.
Meh, teh lulz interwebz. l337 fail.