Sunday, April 22, 2012

5 Common Types of Security Professionals

Information Security is all about managing risk not scaring people!


Information Security Profession is a fascinating and an interesting field but we do have some interesting characters!


Today, I'll be presenting 5 most common types of security professional you will see/meet in your career. 


5 – The NO-MASTER


Have you ever been to a meeting that goes where security professional instead of listening to the business requirements and trying to meet their expectations with reasonable security controls, he/she cans the idea straight off the bat.


What happens next is simple: business escalating to the Executives who basically mandate/bypass all the policies(because they can). The NO-master just missed a great opportunity to make a difference, and position himself/ herself as a contributor, rather than a roadblock! 


Example:


So as part of our growth strategy, we are planning to have a company presence on Facebook, and also advertise on Twitter.


so… - No way! - Sorry Jimmy, did you say something? - Yes, I said no way we are opening Facebook for employees, nor publishing any company related information in it. But all the other companies out there are already.


What do you prefer? Being on Facebook or being hacked?


Ok, Security didn’t approve it, we are not going to use Facebook then.


4 – The By-The-Book Preacher


Here is another truth, if it’s written, it’s right! A typical scenario:


This machine needs to be patched right now! I know that this machine is not sitting in our external DMZ, but patching best-practice/our policy says that critical patches must be installed X hours after being released!


You will find hundreds of Information Security Professionals like this. There is no context applied, there is no risk profiling, it needs to be done because the book/policy say so. 


As a security professional, you are not paid to stick to a manual. You are paid to help the business to understand what the risks are, and the consequences of their (lack of) actions. 


Information Security is all about managing risk. In the real world, some rules need to be bent occasionally provided that you know what the risk is to satisfy an SLA or to meet a business requirement.


Asking your support team to bring down the whole payroll system on the 30th of the month because a critical Microsoft patch was released is not the way to manage risk in efficient manner.


This type of security professional goes hand in hand with the NO-Master. All those security professionals who fit in this type should apply your knowledge and use the policies and books and procedures as a reference.


They should understand business comes first and if a decision has to be made between security and being available, you going to lose credibility. 


3 – The Dinosaur


There is nothing he/she hasn’t seen before, there will always be a real life FUD story to back up their claims.


The dinosaurs are one of the hardest to fight against because they know it all. 


Their philosophy is simple: 


Everything boils down to access control. If people are not allowed to do something, you have nothing to worry about. I have to say I agree with this person to an extent, but to dismiss the fact that there are exploits out there that could give unauthorized user super privileges goes beyond access control. 


2 – The Technology-Solves-It-All


Setting up a firewall might take you a couple of hours, but teaching someone why they cannot download uTorrent takes years. And sometimes not even years will do.


But it doesn’t necessarily mean that technology will substitute the need to have well trained human beings with well-defined processes in place. The tool should exist to make the process viable, and not vice-versa.


Example:


Hey Adri, we have antivirus installed, the scan is set to run on a weekly basis, the signature files are being updated on a daily basis, why do we need to implement monitoring of our antivirus console?


You will notice, conversations like this happens every day


1 – The paranoid


These ones are the most dangerous and insecure professionals.


The paranoid sends you SMS at 3 in the morning about an article they read about a just-disclosed compromise in company X. They also call you to make sure you got the SMS. The paranoid asks you to send emails from your work e-mail, they don’t trust Hotmail accounts.


You could have met someone who is a little bit of all of the above, "NO COMMENT"!

3 comments:

Roger Halbheer said...

I had to re-use this post :-). I really like it: http://www.halbheer.ch/security/2012/04/23/5-common-types-of-security-professionals/
Roger

Shoaib Yousuf said...

Thanks Roger!

Anonymous said...

So, Yousuf, what type are you ? I hope there a people left out of this categorisation ?-)