May 16, 2006

Freshfaced risks: Licensed to Secure, 007 seconds out of College, a Risky Future indeed!

Stanley Quayle on Risks raises the possibility that computer security work may require a licence:

> Some computer professionals will need to get a Private Investigator license
> just to continue doing their computer work.

The Ohio law requires this already:

The business of private investigation is [...] determine the cause of or
responsibility for [...] damage to property, or to secure evidence for use
in any legislative, administrative, or judicial investigation or

> I imagine this will also apply to accountants and auditors

The law exempts, among other groups, lawyers and accountants.

> We will have to be asking suppliers of firewall, anti-virus, anti-spam,
> anti-spyware etc. if they have a PI license

Ohio law also exempts licensed professional engineers. Ask your supplier if
they employ professional engineers -- after all, your software should follow
sound engineering principles.

My signature line includes "P.E.", which stands for Professional Engineer.
Now I know why I got my license...

(The source is a bit obscured above, I don't have the original.)

I said earlier that Security is the market for silver bullets. Michael Spence says they pack silver bullets in Education. So if we look at the market for Security Education, we'd be surely loaded for vampire, right?

Now, CISSPs can be had at (US) college - just by doing some extra classes.

This fall, Peirce College will join Florida's St. Petersburg College as the second school offering classes tied to the domains of knowledge for both the CISSP and the Systems Security Certified Practitioner (SSCP). Combined with other college courses, a student can not only enter the workforce with either an associate's or bachelor's degree, but also have passed one of the International Information Systems Security Certification Consortium's exams. Due to experience requirements for both certifications, the candidate does not actually get the CISSP or SSCP designation until the experience has been obtained. This program will not be unique to these two schools, as the ISC(2) hopes to sign up as many as 100 colleges to offer its courses.

007 seconds out the door, students are licensed to secure, but only as Associates.

The good side to this run of bad news is that maybe this will be the nudge we need to get rid of the plague of security experts. First we flood the market with Junior CISSPs, Associate Black Hats, Lieutenant Hackers, PenTesters in Training, ... then we license them all? Then round them up, brand them and ship 'em off to the camps! Yeah! Cisspocide!

It's a natural progression from a truly disastrous year for security. E.g., convictions for due diligence, large companies being allowed to run rootkits without fear of prosecution, anti-virus companies not picking up said rootkits, security companies pricing exploit data to the highest bidder, a progression of laws on this and that, and that's only the headlines.... In the face of that, licensing and inexperienced security certifications are quite benign.

With all this, we might as well abandon the very word. Yet, what's a poor hacker to do? Chandler Howell, stalwart defender of risk management, rides to the rescue with the very definitions:

Short Form: Information Security locks up information to keep it safe, whether or not that’s the best thing to do with it. *Information Risk Managers* figure out the best way to preserve the value of the information, which may or may not include locking it up.

Go Chandler! Can we hold the line on risk management? Or is it only another decade or so before we need to be licensed to understand and manage our own risks? And we're all back to college to read books entitled "The SOX way to Risk-free management and fast retirement?"

Who knows, but let's close with his Slightly Longer Form:

Information Security is the practice of designing and implementing countermeasures and other preventative (usually technical) controls on information. Security experts tend to understand the nuances of their tools, but all-too-often fall prey to the adage that, "When your only tool is a hammer, every problem begins to look a lot like a nail."

Information Risk Management (IRM) is the practice of determining which Information Assets need protection and what level of protection is required, then determining appropriate methods of achieving that level of protection by understanding the applicable vulnerabilities, threats and countermeasures.

To practice IRM successfully means understanding not just the technologies that enable communication but also the business that the communication enables, the applicable regulatory environment, how information is utilized, the circumstances under which it might have value to an attacker, and how to balance those variables based on the risk appetite and cost-consciousness of the business.

Posted by iang at May 16, 2006 04:57 AM | TrackBack

Howard Schmidt responds:,289202,sid14_gci1189245,00.html

Posted by: Iang at May 19, 2006 11:24 AM