Spotting weak security staff

Get them before they hold the network hostage - sometimes literally.

Organisations whose C-level execs buy bundles do save money - lots of it. Unfortunately, they often get "really subpar security; sometimes dangerously so," says the vendor.

But how to get that through the head of the C-level exec who's sold on a bundle? By getting security personnel in on the decision-making process, before the money has a chance to drift out of the C-exec's hot little hands.

Bob Maley's lucky that way - his employer fixed the problem shortly before he came on board. Before he took on the job of chief information security officer for the Commonwealth of Pennsylvania in late 2005, the Commonwealth had developed an enterprise architecture process patterned after that of the National Association of State Chief Information Officers (NASCIO). Part of that process, now in place for more than four years, is a clear set of standards for security product selection.

As Maley puts it, some other parts of the government may have unlimited resources to purchase security tools, but not his. So he and his group have gotten good at collaborating with peers - not only through NASCIO but also through the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Under the MS-ISAC, which is run through the US Department of Homeland Security, all 50 states share best practices. The organisation has also recently hitched a ride on the federal government's SmartBUY purchasing initiative, which is designed to leverage the government's hefty buying clout to save money through aggregate purchasing.

What works for one sector - the government - in this case works for others: Network with peers, find out what security tools they use and trust, and find out which are clunkers to avoid.

But if it's not an option to cut your bundle-buying C-exec out of the picture altogether, salvation comes down to intervention at an early stage. Communication is key, and not the type of communication where security says "We have to use XYZ because I said so." Rather, security has to convert the geek discussion into a business discussion.

"I recommend that security get users to buy into them as people," advises Alvaka Networks' McDonald. "Do lunch and learn internally. Bring staff in, bring management in and have them understand why the things you're saying are being said."

That helps security pros to break down the "You're just in the way" barrier, McDonald says. "If you ask the employees and management, 'So, I have these things I'm being told I have to do - say, to secure PCI information, or to protect assets of the organisation, and do other things mandated by government. What would you have me do if you were in my seat?'"

It's not formal training; rather, it's getting together and figuring out how to do the security task at hand.

Useless certifications

Security also suffers from paper tigers. "We hire guys with wonderful degrees who are just idiots," says one security vendor who requested anonymity. "We've had guys in here who've got degrees and certifications and they can't even wire a network. They know the words, but they don't know how to sing the song."

"For years now, people were getting certifications left and right," Maley agrees. "They might have five different acronyms after their name.... Honestly, [in] the certification industry, there are brain-dump sites. People can get certified without having experience."

Maley says that from what he can tell, hiring managers see the acronyms, get impressed and let extensive vetting slide. To avoid hiring paper tigers, employers have to look at a resume and then map the experience back to the listed certifications, he says.

That said, Maley would hire CISSPs (Certified Information Systems Security Professionals), CISAs (Certified Information Systems Auditors) or CISMs (Certified Information Security Managers) - if he could afford them, that is.

"CISSP, I wish I could say I'm hiring them," Maley says. "I can't pay those guys enough." As far as CISAs or CISMs go, Maley says that typically CISSPs have those certifications, which reflect what he calls built-in experience. "You can't get those unless you show you have that experience," he says.

Getting what you pay for

Speaking of not being able to afford CISSPs, Maley says that not being able to afford qualified security staff has been "one of his biggest challenges" in heading up cybersecurity for state government. In fact, Maley estimates that there's a pay differential of anywhere from 20 percent to 100 percent between the public and private sectors.
