Thursday, October 15, 2009

The Three Phases of the Security Analyst


I spend a lot of time working with people outside of my own immediate group of security analysts, and I often find it useful to provide a model that will help them understand how security analysts work. Fortunately, I've found one that I like.

Security staffers that I have known through the years tend to fall into one of three stages - typically depending on the phase of their career, with some variation depending on the person's personality, their workplace, and of course, their experience.

The Phases:

1. The Black and White Security Analyst: A Binary Analysis - typical amongst newer security professionals, a Black and White analyst sees the world as a series of security issues. A system is either secure, or insecure. It complies with best practices, or it fails. Black and white analysts can drive outsiders nuts (and, at times, their non-black and white compatriots), but they also serve as a very useful check to the other phases - and they make very good auditors.

Some black and white analysts find their role because of limited direct experience. Simple book knowledge rarely has a compromise solution, and forcing best practices can make an otherwise reasonable staffer look like a truly obstinate opponent. Every analyst needs to fall back on these behaviors at times, particularly for thorny problems that have a high risk solution. Of course, in some environments this is the desired mode of operation, and should be fostered.

2. Shades of Gray: The Risk Modeller - as security professionals spend more time in the field - and, often, as they become more jaded - they start to view the world as a series of risks. Training teaches you to do a risk assessment, to rate those risks, and to build controls based on that model.

Their assessments start to balance these risks, and they become more flexible in their views. The danger? Making too many tradeoffs, whether for functionality or simply for the ease of implementation. This can have a benefit of course, as often the shades of gray allow the analyst to be more flexible when analyzing risks and controls.

3. The Realist: Life Along the Continuum - some, but not all, security staffers make it to a third phase. This third phase tends to emphasize the continuum of possible security options, and those who have reached this level will typically rate security based on the improvement along that continuum. Analysts often set a minimum acceptable level - and strive to ensure that a balance is maintained between improvements beyond that and the organizational costs of moving along the line. Realists are fully aware that security cannot always win, and instead choose their battles. This can mean that at times they are more willing to accept compromise than they necessarily should be, and burnout can lead to a less effective analyst, but realists are often the best interfaces with outside organizations if you need to build bridges.

In the end, all three stages are useful, and each has its place. What matters in the end is reaching an organizationally acceptable balance of risk, usability, and security, and that ebb and flow is what makes the job both a challenge and an adventure.
