In the Army, we see the basic fundamental skills being tested on missions and operations. From jumping out of a C-130 to performing sub submersion, operators’ basic skills are always being tested.
This goes for IT professionals in any security setting, as well. Your basic skill sets will be tested every day. I have seen junior support staff trying to stump and check senior-level staff and even CISOs on information security best practices. Many may take this as being disrespectful; however, in teams, groups and special operations, you will see this happen a lot. With all the alpha personalities in the team mixed with smart people, do not be surprised if and when you get checked.
It is important not to forget the basic fundamental skills, such as command lines, an understanding of networking, programming, and overall how that translates to having security in the line of business. We have seen many in executive management get lost in office politics and lose sight of the skills that got them there in the first place.
This can really affect the image of Sr. Management, VPs of Compliance and executives with regard to how well they really understand what is going on. I have overheard conversations at the water cooler suggesting that junior staff know more than management. This sets the wrong tone.
Fortunately, it’s preventable with a simple understanding of basic IT and how it works in security.
It is recommended that Sr. Management, VPs of Compliance, and executives have a fundamental understanding of their line of business and the skills that are needed to fulfill their duties. If not, these personnel will be quickly overshadowed by the worker bees. It is recommended that, much like soldiers, marines, seamen, and airmen regardless of rank, they do a field training exercise once a year.
This challenge will help to ensure they’ve still got the fundamentals that got them there in the first place.
Here are some simple recommendations to help you ensure your Basic Readiness Management (RBM) skills are squared away:
- Networking: Know your environment and the network topology. Understand how these systems are communicating with each other on what ports and using what protocols.
- Security: Ensure you know what layers of security you have, where they are, and how far down the stack they sit. What security elements are internal and which are on the edge? What checks and balances do you have in place to ensure these can be audited?
- Application: Please know what your dev environment looks like, how it is hardened, and how clean some of the programming is. Ensure you engage and really listen to your red team and security personnel on this one.
- Security Governance: Not everyone loves the “fun police”; however, it is necessary to ensure that security is adhering to the rules, laws and regulations that are set forth. Rules are sometimes not fun; however, they are needed to protect all parties. This will help you to really determine your risk factors and how they will play in the business.
- Really listen: Please listen to your security staff. Many times management thinks it doesn’t need to listen to its general security, IT and networking staff. That is how you end up on CNN or Packet-storm news. Just listen.
About the Author: Ricoh Danielson is a U.S. Army Combat Veteran of Iraq and Afghanistan. As a digital forensic expert in cell phone forensics for high-profile criminal and civil cases, Ricoh has a heavy passion for information security and digital forensics that led him to start up his firm (Fortitude Tech LLC) in the middle of law school to become Phoenix’s heavy-hitting digital forensic powerhouse.
He is also a graduate of Thomas Jefferson School of Law, Colorado Tech University, and UCLA Anderson School of Management.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.