Saturday, October 17, 2009

1000 Security Experts? Not exactly what the doctor ordered.

Bob Cringely recently discussed the Department of Homeland Security's plan to hire 1,000 "cybersecurity experts" to defend U.S. computer networks. His take? That there aren't 1,000 cybersecurity experts to be found in the U.S. His unnamed cybersecurity expert friends tend to agree in various forms, ranging from a discussion of the semantics of the goal to a more in-depth discussion of the forms of expertise that can be found, and a note that there are 1,000 security experts - on the wrong side of the fence.

Cringely also contends that, whatever the actual intent, this hiring is largely window dressing and that the end result won't be a sea change in how government information security is done. He points to low CCIE pass rates as a good metric for how many security experts can be found. That may not be the best metric for security expertise across the board - to me, it indicates that holders of one brand of high-level network security expertise do exist, but that demand for CCIEs isn't sufficient to push more qualified candidates through the certification at a high rate. In addition, personal experience tells me that many qualified security experts don't carry all of the certifications they could qualify for, for a broad variety of reasons. That doesn't mean we have hundreds of certification-less CCIEs around, but it does mean we may have experts we're not counting if we only count certificates.

The problem here is that security expertise covers a broad variety of fields, from risk assessment to network security to physical security design and back again. Seeking a thousand cybersecurity experts is, in many ways, more akin to seeking a thousand expert college professors in engineering. You may not find them all in nuclear engineering at the level you desire, but you may very well find that many experts across all of the disciplines you need - and then you'll realize that you really wanted some of them to be TAs, Ph.D. candidates, and others who may not yet be experts, but will be.

Polymath experts with broad experience and deep expertise across the spectrum of information security are definitely necessary to tie those skillsets together, especially when you need to glue complex systems together, but you don't need - or necessarily want - hundreds of those big guns. Cringely notes that such experts aren't found in packs, and that is one point I'll agree with. In any field the major experts hold a special place, and some take full advantage of it.

One of Cringely's experts dismisses the DHS plan: "you will end up with 1,000 Security Managers in the government with Sec+, and CISSP certifications". This picture of outsourced expertise and a lack of true change ignores the fact that skilled security managers are just as necessary as the heavy-hitter deep-dive experts. If the Department of Homeland Security really wants to change the face of government information security, the program and these new hires must be run adeptly, and that can be a real challenge.

DHS doesn't need to simply hire 1,000 identical security superheroes. They need to assess the risk, embed employees with the appropriate skillsets in the areas that face that risk, and then work out a coherent program to improve and manage both their security program and their security staffers. With the right guidance, 1,000 security employees of many types could change how government information security is done.