Paul Proctor

A member of the Gartner Blog Network

Paul Proctor
VP Distinguished Analyst
10 years at Gartner
28 years IT Industry

Paul Proctor is a vice president, distinguished analyst, and the chief of research for security and risk management. He helps organizations build mature risk and security programs that are aligned with business need.
Set a Kitten on Fire? Excellent!

by Paul Proctor  |  June 4, 2013  |  10 Comments

I read the most excellent blog post from Dave Shackleford, “It is NOT time to ‘professionalize’ information security.”

He could not have been more right when he said “The infosec industry needs creativity. It needs people who don’t fit the mold, who would rather set a kitten on fire than wear a tie…” Dave was pushing back against this post from Brian Honan, “Is it time to professionalize information security?” Dave is right, Brian is wrong, but they are both missing the point.

If professionalization means certification to avoid charlatans (Brian’s point) that is a complete waste of time (Dave’s point). All I have to say is “CISSP” and I pretty much feel the argument is over.

Security departments are in transformation. They have been splitting into security operations and governance/risk management groups; the latter own the policy, authority, business interface, and most of the decision making, led by a CISO or CRO. See the graphic to understand the relationships.

(Graphic: Risk Organization)

Security ops is where kittens need to be very afraid. I want the smartest, craziest, out of the box thinkers on my ops team, but the evolving nature of infosec in large organizations REQUIRES people who at least own a suit. But forget the suit; they need to have at least a minimal understanding of their business.

This business alignment crap is not crap, although it has been treated as crap by generations of security professionals. Where do you think your funding comes from? If you said FUD, you would be right for the previous decade, but that can’t be the answer for the next decade.

Gartner data shows that 80% of the G2000 will require at least annual reporting to their board of directors on the state of security and IT risk. This will require at least some understanding of the impact IT risk and security have on your business.

You don’t have to go to business school but you can’t remain ignorant of your own business.

There has been a major trend for more than 5 years now to hire CISOs with no background in security, but who have program management skills, an understanding of their business, and a track record of success in fixing problem areas in the enterprise.

This is one area I disagree with Dave. He implies that infosec doesn’t need fixing, and it desperately does. On that point, though, we are probably talking about two entirely different aspects of information security.

It is a good time to get into security and IT risk management, but that comes with some challenges that I have chronicled in this post: The Demand for Security Skills is not Improving Security Execution.

The bottom line is that it is very hard to develop a mature security program when you can’t find experienced resources who know program management AND security technology.

  • Consider hiring from within: someone who knows your company and its IT, and who has a desire to learn the security skills.
  • Prioritize program management experience over technology skills if you’re looking for a security manager or CISO.

So the only person I completely disagree with is Brian. Professionalization (certification) is a distraction, plus we already have it and it already doesn’t work. But we do need more professionals in information security. Including some who can light kittens on fire.

Paul Proctor, CISSP, CISM

Follow me on Twitter (@peproctor)

10 responses

  • 1 Andy Dockerty   June 4, 2013 at 5:22 pm

    More points I agree with than disagree with here. There is a desperate need for change, creativity and out of the box thinking in our discipline. I have held numerous certifications, and I see a little value in, for example, a network specialist studying for CISSP and being led into CBK domains which are normally out of purview. I do not believe that there is any certification which could possibly cover the ground a security specialist needs to understand to be truly useful. More operational thinking, less reliance on assessing, acquiring and deploying here, and a deeper understanding of the psychology and human factor issues would be a good start. I concur that being able to negotiate and navigate the complexities of an organisation in order to carry out an effective security programme of work is a must-have. That does not come from any certification, only from experience (hard-won) and good critical thinking.

  • 2 Dwayne Melancon   June 4, 2013 at 6:34 pm

    Great post, Paul. This is part of an ongoing discussion we’ve been having for a while – I wrote about it recently, as well: http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/five-ways-to-communicate-information-security-value/

    I believe “speaking business” is going to be a core hiring requirement for any successful information security management position.

  • 3 Shack   June 4, 2013 at 7:48 pm

    Paul, thanks for the post and feedback. Just to be clear – I don’t view the *concept* of business alignment as crap. Of course not. I got an MBA just so I could understand the language, motivation, and workings of business better as a security professional, and this was a good decision for me, professionally.

    However, worrying so much about “business alignment” only makes sense if you’re at odds with it to begin with. You shouldn’t be, really. Security people are advisors. Make yourself heard, explain the risks, and be willing to accept the business’ decisions. Sometimes, those decisions end up being wretched, and we have failures that make it to the news. A lot of our innate angst in the infosec community comes from this cognitive dissonance – “but, but, I TOLD them!”. If you told them thoroughly and truthfully, then you’ve done your job. Go home. Sleep well. Security failures are likely to be the norm for a decade to come, as we work through all the paradigm shifts technology has wrought on us.

    So no, I don’t think a lot of infosec needs “fixing”. It needs better adaptation skills, and a healthy dose of reality versus unicorns and rainbows, really.

  • 4 Mario Lacroix   June 5, 2013 at 8:42 am

    I guess I agree with all your points here and I’d like to add my point of view from a historical perspective.
    If we look back to the 80s and 90s, when CPU, memory and networking were really expensive (BBS and modem noise were the network by that time!), you could probably find a handful of people with business and tech skills at the same time. It took ~15 years to see network managers with PMI in most companies.
    The 00s were the decade for visual interactions: CPU/Mem/Net was not news, people stopped knowing their computers’ full specs (386 DX-2 66) and replaced all this info with a ‘quad-core, 21” LED Display’… At this point the UI designers were the hippy stereotype. And again it was hard to find a good designer “wearing a suit”.
    These two areas (technical and user interface) directly affect everyone’s life, so it was natural to find tech-business persons developing in the profession.
    What about the decade for the “security area”?
    Security is not as tangible as the other two axes I mentioned before, so the evolution is based on law enforcement, and not on people demanding to get it. Take the personal data loss example: people complain not because they are afraid of you losing their personal data, but because they saw in the news that a “site lost people’s information causing a damage of $$”… But they keep giving their credit card to the waitress, their SIN number to any employer and a personal check to the gas station without any worries about the data being copied or not.
    So is it difficult to find a security-business person? Yes, it is. And is it easier to train a manager to understand security or the other way around? It depends on the case and the person in question. No rule of thumb here, but if you have a manager that can interact with the security people, use him. Or if you have a security person that likes to explain what’s going on and as director you can understand him… well, use him! This is going to be the interface between Business and Security and this interface needs to run smoothly for the sake of the company.
    Last thing: Certifications are important to understand the technical and business language you can use. Whether someone knows CISSP or not, terms like “risk” or “biometry” can have different meanings and implications. Same goes for PMP.
    Talking to a security certified person assures you can keep up with the security terms without being misunderstood. But it doesn’t help: if you are in a meeting with directors your terms and concepts will need (at least) a small explanation using business understandable examples and language…
    …And a “suit” is a business card used by the security interface person to get directors’ attention and funds.

  • 5 Michael Barbere   June 5, 2013 at 1:12 pm

    I disagree with the vast majority of this analysis. The needs for a cybersecurity workforce are well known: professionals who can architect, implement, and manage reliable digital infrastructures and effectively identify, mitigate, and plan for asymmetric and blended threats.

    An ops team that is comprised of the “smartest, craziest, out of the box thinkers” is necessary at the DoD, NSA, CMU, and MIT, but these types of individuals are a recipe for disaster when working in cross-divisional settings and completing assigned tasks. The only place that I can conceivably think a “set the kittens on fire” archetype would be useful in an enterprise is going to be on the SIRT postmortem analysis team or during penetration tests. The rest of the time, I would hide him in a basement and not speak of him.

    The reality of working in a large enterprise is the ability to create standards, procedures, and processes that can effectively be implemented without creating widespread animosity and derision aimed at the Security Department. This means conformity. This means adherence to industry and government best practices and using the already available research in ERM.

    “Professional certification is a distraction.” The last 30 years of research in effective approaches to risk management is not a distraction. It is altogether necessary to understand the core concepts and demonstrate proficiency in their application.

  • 6 Dwayne Melancon   June 5, 2013 at 9:03 pm

    Great post, Paul. This is part of an ongoing discussion we’ve been having for a while – I wrote about it recently, as well (at tripwire.com/blog). I believe “speaking business” is going to be a core hiring requirement for any successful information security management position.

    Recently, I had the honor of chairing several boardroom discussions with about 40 C-level infosec executives to talk about the challenges and opportunities of communicating the value of security to other parts of the organization.

    One specific challenge has consistently emerged as a blocker: finding “translators” in their organizations who possess both technical acumen and the capacity to communicate to the business in a way that resonates. I believe this is becoming an essential skill for successful information security organizations, and one that will only grow in importance.

    In our boardroom discussions, we spent some time talking about where and how to add these skills to our teams. Here is a short list of ideas from the groups:

    1) Incorporate “security to business translation” into the skills you look for when hiring key roles. We often look for specific competencies when hiring people – why not look for this one?

    2) Teach an existing staffer. Budgets are tight – maybe you don’t have the luxury of hiring someone new. If that is the case, coach someone to develop this skill.

    There was some consensus in some of the group that it is easier to take someone with a business background and train them on the technology than it was to take a pure technologist and train them to ‘speak business.’ This seems consistent with what you talk about in your post.

    3) Find someone in a compatible role and repurpose them. We discussed where to find people who were well suited to take on this translation role, and found that there were a couple of places you can find them:
    * Internal Audit / IS Audit: People in this role are already well on their way – they have to deal with both technical and business people in the organization, and they understand risks and controls.

    * Bring in Marketing. Yes, Marketing. It turns out that one of the execs has found great success in leaning on Marketing to create Executive dashboards. They’ve worked with the reporting team to interview the executives who’ll consume the reports and used that information to develop crisp, clear dashboards that the Execs actually look forward to receiving. This was an unexpected surprise, for sure.

    4) “Be lucky.” This isn’t a repeatable practice, but a number of organizations just happened upon people who had these skills, and were able to leverage these skills to break through the language barrier. I’d rather think of this one as “Be observant and leverage the innate abilities of your team.”

  • 7 Brian Honan   June 6, 2013 at 5:22 am

    Some excellent insights, Paul. Most people seem to focus on the certification/qualification aspect of my post, but that was one of the aspects. However, one thing that most people have overlooked from my post is the area of accountability.

    From my post “Another cause for concern is the lack of accountability for when the quality of work is not at the expected level. There is currently no helpful mechanism within the information security industry for individuals or companies to be held accountable for subpar or unfit products or services.”

    We need the kitten burners and the tie wearers within the industry, it depends on the context where they are needed. But what I feel is needed is a way to be able to hold each of those accountable for the quality of the work they deliver.

    So while certifications, qualifications and skills are important, we also need to ensure that those who use the services of information security professionals can have confidence in the level of service they will get and have a vehicle for redress should those levels not be met.

  • 8 Paul Proctor   June 20, 2013 at 10:53 am

    Brian, I couldn’t agree more. The accountability aspect is critical. I just put certifications at the bottom of the list for quality assurance.

    Love your stuff on-line! Everyone should follow Brian on Twitter (@BrianHonan).

  • 9 Paul Proctor   June 20, 2013 at 11:05 am

    Michael, I don’t understand how you can disagree with most of this post when I agree completely with you. :)

    I think you picked up on me saying the kitten burners belong in operations, and I agree that can be problematic when you want people who can responsibly execute the policies and tasks they are given. However, I stand by the idea that researchers and out of the box thinkers have a place in large enterprises to create an edge for advanced thinking and extra protection.

    I may not have said that clearly enough. I was not trying to imply that you need to populate your operations team with out of the box thinkers. To your point, that would be a disaster. And all the kittens in IT would have to brush up their resumes.

    Paul

  • 10 Paul Proctor   June 20, 2013 at 11:08 am

    @daveshackleford, we could not be in more agreement.