One of the key challenges with what we now call cyber is the shortage of relevant technical cyber skills. This is directly linked to what would seem to be an inability to recognise or accept the real scale of the cyber threat, which is, of course, playing into the hands of the criminals and hackers who are harvesting millions in revenue as a result of their malicious activities.
It was U.S. Defence Secretary Donald Rumsfeld who commented, “There are known knowns. These are things we know that we know, and there are also known unknowns. These are things we know we don't know, and then there are the unknown unknowns, which can represent very real and present threats” that are unseen by the conventional eye of security.
It's these elements of unknowns that pose the highest degree of danger in today’s cyber landscape of complex, interconnected global systems.
Rumsfeld might have arrived at this perspective from an external influence. In his 2007 book The Black Swan: The Impact of the Highly Improbable, essayist Nassim Nicholas Taleb tells of a presentation on uncertainty he was asked to give to the United States Department of Defence shortly before Rumsfeld's speech. The core message of The Black Swan was (is) that ‘unknown unknowns’ are responsible for the greatest societal change.
It is in this landscape that some members of the security profession recognise that if they could acquire an understanding of the things we don’t know and which are unknown, they could use these nuggets of isolated intelligence as an early warning system against individuals who practise exploitation and/or compromise.
This group is made up of cyber criminals, hacktivists, black/grey hat hackers, some specialist members of law enforcement, the intelligence agencies, and a very small number of imaginative, forward-thinking professionals.
The bottom line here is that we are turning gamekeeper to poacher in order to adopt the very methodology and applied thinking exercised by cyber criminals.
The question is: are the current skill-sets employed by the run-of-the-mill security profession leaning far too close to the wind of PCI-DSS and other standards, such as ISO/IEC 27001, and has the industry in the main moved too far away from the pragmatic basics of security?
On the first level, we should be seeking to develop a much more in-depth appreciation and understanding of the technical components of cyber security if we are to fight the good fight on a level playing field. If we don’t, then all may be lost until such time as we do.
The second question is as follows: do certifications really make a difference? Well, my answer here is both yes and no.
Yes, insofar as they prove to some extent that the holder of the said qualification understands the high-level components of IT/cyber security requirements, but no, insofar as it takes more than a certification to serve as an effective operational team member.
We should not fool ourselves that just because someone holds a CISSP or other such certification, they know what they are doing in real, dirty-hands terms.
In conclusion, in the current drive to ramp up the level of real-time cyber skills, we need to fight the fight on a level playing field of cyber adversity, and we must balance the professional profile with a proven understanding of the back-to-basics of operational security beyond governance and compliance.
However, this must be further facilitated with a level of up-to-date thinking, research and an awareness of the next generation of threats, along with the real ability to sniff out those suspicious-looking conditions of unknown unknowns before they become known to all.
Editor’s Note:
The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.