Anna King has penned an article that I was interviewed for along with a number of other industry leaders here in the Seattle area about how we view information security, where it is going, and what the general approaches have to be for our industry, the information security industry to be successful. The good part is that I got to mention my favorite information security leaders, Clement DuPuis, Kees Lune, and Nathan Lambert along the way.

Seattle is really becoming a hot bed of how information is changing, not just here at CityU, but also at the University of Washington, the ISSA group, the Agora, Watcom Community College, and a host of other institutions. Beyond education, the collection of people and organizations that are addressing the real world educational needs of information security is slowly but surely changing for the better, from risk management to reverse engineering malware, to policy, networks, and general information security, the programs that are being built around the region to address all income and education levels are pretty outstanding. That is what makes this second interview so important, it really gave me an opportunity to address one of the issues that I think we have as an industry.

“Computer science is sexy. We no longer hold true to the older stereotype of an out of shape, Mountain Dew drinking, pizza eating nerd like you see portrayed in the popular media,” Morrill says. “Today’s computer science graduate is just like everyone else who follows their passion and wants to help protect people from cyber criminals. Our modern day leaders like Kees Lune, Clement Dupuis and Nathan Lambert are all smart, savvy people who live real lives and are changing the face of information security as we know it.”

What was also good was that Barbara and Karen also chimed in on the same views in the interview. Both Barbara and Karen are phenomenally cool people in the Information Security industry.

Globally, Worstell says importance of cyber security became apparent after violent protests over Iran’s presidential leadership broke out and sparked a flood of social networking that was eventually policed by the ruling Iranian government. The political group limited the free flow of information over social media sites, such as Facebook, Twitter and YouTube. Keeping information flowing freely on the Internet and preventing cyber warfare will only become more complicated as time goes on, Worstell says.

Barbara Endicott-Popovsky, director of the Center of Information Assurance and Cybersecurity at the University of Washington, agrees with Worstell’s concerns. She says targeted acts by the government could lead to other problems, such as hackers or other organized forces, which may use the Internet to intentionally harm people.

You can read the whole interview here, and it is worth reading because it really takes a review not just of my viewpoint on where we need to go with information security, but what we are doing to solve the problems we face as an industry. Not just one person, but a whole region of colleges, groups, support groups, and other mechanisms to help people become smarter information security practitioners. Well worth reading.

Comments

Wired threat level is running a must read article for anyone who does PCI, PCS-DSS certification for companies. Card Solutions was hacked in 2004, and while they passed their CISP, they still ended up getting hacked. While most information security environments are fluid, and most networks change on a regular basis, CISP auditing is expensive, and not something companies can afford to do every time they slot a new system into place. What is at stake here is the liability that auditors have when they have certified someone compliant, but they still get breached by hackers anyways.

The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards. Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secure and trustworthy. Yet Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. And Hannaford Bros. was certified in February 2008 while an ongoing breach of the company’s system was underway. Source: Wired

While you can purchase information security insurance, and over time this will become something that any company is going to need, this case is in a class of its own as it is trying to settle out by law who is responsible for the opinion of an expert brought in to certify something as secure. The various meanings of the word secure, the various ways to interpret even the most simple check sheet of standards, and the qualifications of the people doing the audit all are being brought into question. This case regardless of who prevails is going to alter how we approach compliance with an information security regulation (even if it does not have the force of law in the case of HIPAA or SOX).

Auditors are just as prone to making errors as security engineers and indeed any person in any role. It is very simple to misconfigure a system and accidentally give a hacker a toe hold into a company network. Not so much by failing to take security into account, but by being rushed or an error of omission. In these cases, who really is liable, and how that liability will result in compensation to the wronged party. This is a case that many people need to be following, as it is going to set precedence, one that will be used repeatedly in the future to help determine liability for hacker breaches, when a system or an organization has been certified compliant.

Comments

While I have a vested interest in people going to college, that is not what the thread is about; the thread is about what the potential earning power is for college graduates. You have seen the statistics; they are everywhere, that college grads earn more than people who do not have college degrees. I am not selling anyone a particular college, what I am looking at is the ability of a college education to get you in front of a hiring manager. With many companies looking for college degrees, this is the best time to try to find a college in your right price range, with the degree program that you want to follow.

One of the conversations I have been following over on FriendFeed is talking about going to college. College has been a huge benefit to me, and Louis Gray also points out that College has been a huge benefit to him, both on his personal blog, and in a thread started on FriendFeed (subscribe to me or Louis, we get into interesting conversations) as shown in the embed below.

Comments

Gigaom this morning posts the idea that cloud computing is going to have a negative influence on the IT Job market, as much as the computer had on the typewriter market. The idea is sound; the question is how do people learn enough about cloud computing to remain competitive in the market place? There are few viable training programs out there, no degrees, and very few certificates. While Google is taking this a step further by offering education in the clouds, my own experience with Amazon Web Services has shown that even just getting started in running virtual servers in the cloud can be painful at best, or bring you to a dead stand still at worst.

There is no way to get around this, if you are in IT and you stop learning, then you are doomed to be replaced in the near future.

Today’s laid-off systems administrators, however, are not likely landing these newly formed IT 2.0 jobs. They have been too busy applying duct tape and Band-Aids to existing infrastructures to stay on top of the cutting edge. Nearly a year and a half ago, already, I heard a FedEx Corporate Services IT executive bemoan how ill-equipped his team was to deal with the division’s increasingly fabric-like infrastructure. He was neither the first nor the last to express that sentiment. Source: Gigaom

The next big thing to learn is cloud computing. Business and IT budgets are already being framed around the idea of outsourcing many applications and functions to cloud systems. The problem is going to be finding education, but that does not mean you cannot purchase time on Amazon’s Web Service (AWS) and go play around with what you want to work on, and what you think can and cannot be done. There is a large body of very good information on how to connect and how to use these services. Although at times the information might be confusing if not in conflict with each other, there are always opportunities for people to learn how cloud computing works and what you can do with it.

The good part is if you get started now, when the Business office starts picking up and wants to use these services, you already will have hands on practical experience in cloud computing based on your own learning, and as education/training catches up with where business is going, this might just end up being something you can do that could be quite lucrative for you.

Comments