Why Do You Work In Infosec?
I was at a social event the other day and got chatting to a few people sat around my table. People are curious creatures, so the topic of conversation quickly moves onto what you do for a living. I tend to adopt a formula to determine if they are worth continuing having a conversation with. A lot of times people reply with “oh I work in banking”. So I take a look at them, T.M Lewin suit, a Rolex watch and yes, they’re either a trader or senior manager, definitely worth having a chat with. But if it’s a suit from Next with a Casio watch, I put them in the ‘cashier’ category and move swiftly on.
So at this table one guy mentions he’s a police officer. My ears perk up, as a couple of other people around the table begin to take interest, knowing all too well that it’s always useful to know a copper. I looked over at him and applied my formula, he looked around 50, overweight to the degree that he couldn’t fully tuck in his XL shirt into his trousers and chewed his food loudly with his mouth open. It was clear this guy was probably just one of the office admins who spent his life fetching coffee and doughnuts for the others. This farce of a policeman lived off my taxes and people around this table were actually listening to his waffle.
Cynic mode set to stun. “I hear police end up spending most of their time filing paperwork these days” I said from across the table.
“Well I co-ordinate armed units tactical responses so yes, you need to be aware of every shot fired, by whom and why.” He retorted. OK so my judgement was slightly wrong, but I wasn’t going to let this one slide.
Cynic mode set to kill: “So someone like you would document why it took 8 bullets in the back of the head from point blank range to stop an innocent Brazillian?”
“A person like me doesn’t just have to document it, but we have to live with the decisions we make for the rest of our lives. Anyone can make a mistake, at least we know that for the most part we make a positive difference to peoples lives. What do you do for a living young man?”
At this point the eyes were on me. He’d won the crowd over with his inspirational “anyone can make a mistake” speech and was now trying to undermine my credibility. So I pulled out my trump card pre-prepared Infosec job description,
“I work in Infosec, you know when you go to hospital, the one who keeps your medical records safe, when you bank online, the one who keeps your money away from the bad guys, stopping hackers, organised criminals and” *pause for dramatic effect* “terrorists.”
“Have you caught many terrorists lately?” PC plod enquired.
My mind was reeling. “Umm err well, not exactly, I mean I write policies that are really important and umm when auditors come in they raise audit points and I…”
All eyes were on me, I had to think on my feet.
“Umm excuse me, duty calls, I think that waiter isn’t using a PCI approved PED.”
Following my swift exit, it got me thinking as I walked home. Why did I forge a career in information security? Sure I wanted to make a difference, fight the good fight, but what have I become? Someone who writes a few policies, who creates pie charts for managers who don’t understand security. Added words like ROI and strategy into my vocabulary just to sound impressive in meetings, know all about remediation plans and risk registers just to keep internal audit off my back.
With Infosec Europe 2010, “Europe’s number one dedicated Information Security event” around the corner, security folk from across the land will converge in an event. The vendors will try and convince people to buy their products to secure data, professionals will go there to pick up freebies and check out the models handing out leaflets and the intellectuals will turn up at the keynote speeches in to catch a glimpse of the latest security “rock star”.
But I say, we should all ask ourselves as individuals and as an industry, why do we do our jobs? Is it to simply pay the bills? Increase our bosses revenue? Or is it a stepping stone to other things?
We’ve lost our way, have different goals and objectives and generally have no clue what’s going on. No wonder the hackers, crackers and script kiddies continually are ahead of the game. They’ve retained their original focus and stayed true to the cause. Tinker with systems, find exploits and break them. We’re still debating if Dan Kaminsky could wear a ponytail better than Bruce Schneier.
But all is not lost
Salvation can be achieved, but forget the industry or any so called industry “body” helping you achieve this. Every professional must make it a personal agenda to improve security. Only a small army of maverick security professionals, ready to be despised by their bosses and willing to risk it all can make a difference. Here are some handy tips to get you on the way.
The next time your boss asks you to downgrade a risk for “political” reasons, slam your pass and your CISSP badge on the table and say you quit.
If you’re pulled off a project that you’re really worried about, take some vacation time, then work on the risk assessment on your days off. Eventually you’ll uncover the underlying issues and be hailed a hero.
Go undercover as a hacker, infiltrate the seedy underworld community, empty out some bank accounts, cap a few people all in the name of getting to the leader.
If you know a department has security flaws but can’t pin point them, plant some evidence like say tampering with the audit trails. This isn’t being crooked, its about playing the system to make sure negligence doesn’t pay.
After auditing a 3rd party, go back at night to stake the place out. They’ll always revert back to non-secure practices once you’ve gone and you have to catch them in the act.
Next time an auditor comes poking his nose in your business, tell him he’s out of his jurisdiction and he shouldn’t return without a court order.
Having at least 4 disciplinary HR meetings a year should be part of your objectives.
Hanging a project manager out of a 10th storey window by his ankles is a far more quick and effective way of ensuring security is built into every stage.
Anytime you have a “hunch” you’ve uncovered a major flaw that could jeopardise your companies PCI DSS certification, don’t tell your manager or even his boss, they’re probably involved in the cover-up. Go straight to the CEO’s office, ignoring the secretary who tries stopping you and tell him to his face that you got a baaaad feeling there’s a mole inside his organisation.