No matter how many times the ‘experts’ tell us how to do things better, we don’t listen. Or that’s how it seems.
Work with the business, they say.
Communicate better and learn how to talk to the board, the scholars report. Security is not just about technology; consider people and processes too. Blah, blah, blah.
Surely anyone who has been in security for more than five minutes knows this already. So why are these same old, trite and tiresome messages being repeated year on year at the biggest gatherings of infosec professionals on the planet?
The (ISC)2 Security Congress EMEA 2015 was held last week in Munich, Germany, sporting the theme of Secure Tomorrow Today.
(ISC)2 CEO David Shearer discussed the need for infosec professionals to “develop their skills in dealing with people, processes and technology, because only a comprehensive approach will work”.
He said we need to work closely with all functions of the business, engaging at all levels to help them understand the relevance and importance of security.
Adrian Davis, European managing director of (ISC)2, reiterated the point, arguing that information security professionals should “make information security more interesting and relevant by working harder at raising the awareness of executives”.
Now, I honestly agree with all of this. This is the kind of work we should all be doing, especially those of us in security management or senior architecture roles, where the business needs should always come first.
But these sentiments have been repeated over and over for years - none of it is new.
Not a day goes by without someone posting on LinkedIn, speaking at a conference or presenting a webinar on the importance of engaging with the board. (ISC)2 itself has been writing about the importance of soft skills for at least four years, if not longer.
So why are we still hearing that these are the areas we need to fix? Maybe it’s because businesses are unwilling to put in the effort to understand what a career in infosec actually means.
By using a skills and competency framework, such as SFIA or the IISP framework, you can properly define job roles and levels within a managed career structure, so managers can ensure the right training, mentoring and even job rotation is applied to the workforce.
Without this, security staff are seen as the techies who run the firewalls, and as such the business does not listen to them.
What I’m pleased about is that while the rest of the world is still discussing these same old messages, a couple of weeks ago, AISA held its annual conference in Melbourne and demonstrated a progressive side that hopefully foreshadows what’s coming for Australia.
Panelists talked about advanced threats and methods for dealing with modern offensives from highly motivated and capable hacking groups, nation states, cybercriminals and hacktivists.
We heard from the Australian government how it is putting plans in place to work closely with industry and how AISA itself will play a pivotal role in securing Australia a top spot on the global innovation stage.
Leonard Kleinman’s panel discussion was particularly refreshing - he explained how the ATO has the formula right for managing the careers of infosec staff.
"We make sure there's a rotation within the work. You might be a responder, and then do some threat intel, and then you might go over to tools and development where you need knowledge as a sysadmin or a coder,” Kleinman said.
By showing a clear career path that infosec professionals can progress through - from technical to management, from specialist to CISO - organisations can retain staff, keep them motivated and happy with the work they need to be doing, and ensure they have the skills and level of competency both to speak to the board and to trace an attack.
It’s really heartening to see the ATO get it right, here in Australia, and maybe the rest of the world will soon see Australia as a leader in cyber posture rather than being behind the curve.