This week I’m at the 8th IT Security Automation Conference in Baltimore, which is co-located with the SANS National Cybersecurity Innovation Conference, so I think this is probably a short post, but it’s in important one (IMNSHO. It’s been an interesting week so far, but I’ve not really been surprised by anything I’ve seen or heard yet. Well, except one thing.
And, this one thing wasn’t really much of a surprise, but it put a finger on something that many of us have known for a while – it gave it a name. During the first few keynotes, and then during a CISO playbook discussion put on by Tony Sager (former NSA IAD), all sorts of claims were made about our scarcity of security professionals. But, an interesting observation was made: We still suck at doing security. How can we have zero unemployment in the field, and still get it wrong?
The answer was simple: We don’t have the right players. Borrowing a concept from American football, there is an area on the field where each play is more intense than if it is played elsewhere. This area is between the 20 yard line and the goal line – when the offense is about to score, and the defense has a final opportunity to hold them off.
The observation goes a bit further. Given the increasingly complex and dynamic world in which we’re living, we will need an increasing number of red zone security professionals. This is a subset of all security professionals, and represents those people capable of keeping their cool, assessing the situation, finding the problems quickly and accurately, and making decisions under pressure.
If you’re running a risk management program, something you might ask yourself today is this: How many red zone players do I have? Do I have people capable of tracking down and analyzing malware? Do I have open channels to CSIRTS? Do I have people who care about this sort of thing? This goes beyond crafting practical policy, understanding theory, and analyzing the security of configurations. It’s playing in the red zone, where our jobs are to prevent the adversary from scoring.