Tuesday, May 22, 2007

Confessions of a WONK Part 1

Another day has dawned in the information security salt mines. I'm throwing up a couple of quick posts to create a lattice for future development and expansion. I want to open a discussion about all those people who don’t understand information security. Let’s call them WONKS.

I’ll talk about what that is later, but for now I wanted to share an experience I had where an information security project manager could not process that an incident that was being called out from outside an organization was less important than a vulnerability report that was due. The issue really came down to limited resources and only one engineer to get NIDS up and running so as to allow the capability to see what was going on, at least from the network perspective. By the way, note I said "get the NIDS up and running," as they were racked but not operational.

I think it is a not-so-secret dirty fact that most organizations don’t have a clue what is going on inside the perimeter! These are critical issues we have in our industry. We have too many people who claim to be part of information security but in reality just fell into this area of Information Technology (IT), or were doing something else and then got the dual hat of information security and the job they were already doing, which had little to nothing to do with information security. So in the follow-up to this post, “Confessions of a Wonk,” I’ll talk about the various breeds of WONKS and the overarching need to mitigate their presence in our field.

I’ll put it another way in the form of an experience I had when I was working in the Aerospace Industry as an FAA Certified Airframe & Powerplant (A&P) technician. At the time I was working L-1011 “C” checks for American Trans Air out of Indianapolis, IN and was working with a guy who somehow passed his A&P exam and got hired in as one of the other contractors. (We were all contractors at the time.) I saw him beating on a part of the airplane and immediately stopped him. I asked what he was doing and he proceeded to tell me a story. I asked him a few questions and then got into a “conversation” with him about professionalism and what it meant, for me at least, to be privileged to work as an A&P and bear the responsibility of certifying the airworthiness of the aircraft I was entrusted with.

To which his response was that he was just doing this because “It’s just a job.” My response to that was that he needed to think about another line of work before he killed himself (maybe not a bad thing given his attitude towards his chosen profession) or, worse, killed a lot of other people. The same holds true for the WONKS. You need to seriously evaluate if this is the place you want to be.

If you want to be here, GREAT! Welcome! But understand that with that choice to be here you need to accept the responsibility of your choice and get that this is not just a job anymore. You cannot just punch in and punch out when you feel like it. As Information Security Professionals we, in some cases, literally hold the responsibility of life, property, and for the privileged few the very security of our nation. We are all part of a very young and emerging profession, and believe it when I say that we have everything to prove and everything to lose right here and right now. The very core of the IT industry has begun shifting to ever cheaper and ever less experienced labor.

I saw the exact same thing happen in my previous life as an A&P technician. What amazes me is how fast the IT industry is shifting. What took the airlines 40 years to do, the IT industry has done in 10 years. That is, once, about 15 years ago, if you were in IT you could feel good about your work with some level of job security. We still have a chance to turn things around for information security. We need to codify ourselves beyond what ISC and other organizations are offering.

Yes, I believe that organizations like ISC and SANS are doing great things, but if we don’t take it to the next level and standardize what it means to be an information security practitioner, and the various levels and areas of what that title means, then we risk losing control over our own destiny. When I was an active A&P technician I was privileged to have advanced training that in essence type rated me to specific technologies. In Europe, type rating means you can only work on a specific aircraft and have the legal authority to return that specific type of aircraft to service.

For example, I have, although out of date, a Boeing 757 General Familiarization. This means that I have specialized training on the Boeing 757 and all the systems on that aircraft. Another type rating that I was privileged to hold was Category (CAT) II/III [AUTOLAND] Avionics certification. This meant that I was authorized under the carrier’s CAT II/III certificate to maintain, repair, test, and most importantly have the legal responsibility to return the system to service, through signature authority, for the autoland capabilities of the *MD-11 that I was certified on.

We need a similar system of controls on ourselves to escalate our profession. We need to consolidate and have an authority that won’t be shifted, moved, or corrupted at all to hand out certifications. We also need a system in place where the work that a person does as a security professional is held accountable to that person for life. I’m not saying anything that I am not already on the line for. For all I know there is an airplane parked in the desert somewhere with my signature on it.

I will be legally responsible for that aircraft and the people that fly on it until another A&P does the same work I did and signs off on it, or until the airframe is destroyed. We need that level of accountability now. Sadly, just about anyone with a normal IQ and enough money can get a CISSP by going to enough boot camps. That doesn’t mean the person knows anything about how information technology works. It simply means they had a lot of money and can pass the exam.

When I sat for my CISSP exam I met a lady who was taking the exam not because she was involved in information security but because her company mandated that she have the certification, as her sales department worked with the information security elements of companies and agencies that bought her product. So she was a sales rep taking the exam purely to look good to clients and for no other reason.

In all fairness, and at the core of the “confession,” is that I too was a WONK, and only by understanding my inner WONK am I able to accept what I was and move on to be the security practitioner I know I am. So to all the folks who falsely claim the title of “Information Security Professional” but who just don’t get it: please understand that there is nothing personal in this, but that it is time for you, as I did, to wake up, smell the burning data center, get smart or get out.

The world that we manage from the digital perspective is just too important for you to stay ignorant any longer. We need every single person who is working in the field of information security to be dedicated to one universal principle: transforming this industry beyond everything that we know today, if we are ever to have the hope of moving beyond detection and reaction, away from being hunted and toward being the hunters.

*[For those who don’t know, most of the time when weather and visibility are poor the airplane lands itself. Also, for the general public, airline pilots don’t actually fly the plane most of the time. The onboard Flight Management Systems (FMS) do all the heavy lifting, and pilots are trained not to fly the plane but to let the FMS do it, as the FMS can fly the plane with higher levels of fuel efficiency. Another feature of FMS is that central maintenance control can see in real time what the airplane is doing and, more importantly from a cost perspective, what the engines are doing through the Full Authority Digital Engine Controls (FADEC).]

1 comment:

rybolov said...

So why do you think we have such a proliferation of wonks? Enquiring minds want to know. =)