Blog

  • Developing Our Future Security Leaders

    The majority of my peers in the security industry evolved to leadership through a much different pathway than the future in store for those who follow.  I was one of the few who dabbled with computers in high school and entrenched themselves in the science of computers in college.  I was 10 years out of college before I began to apply security principles to computers.  It has been a fun 25 years “in” security since.

    The pathway to security is much different now.  Our children are now CyberPatriots, possessing certified security skills and competencies before leaving high school.  Most colleges have, or are developing, a bachelor’s degree program in cybersecurity.

    This dramatic evolution is certainly preparing greater masses of our population for a security profession, but how is this transformation building our future leaders?

    I had a brief conversation last week with a few local graduate students who were pursuing their Master’s in Information Assurance.  All were seeking intern positions.  Some were graduating by year’s end.  The conversation was all too similar to what it was 10 years ago when I began mentoring student co-ops for their future security careers.  It was then that I realized that we are failing our future security leaders.

    Much like our children, who need to mature to recognize and appreciate the responsibilities of becoming a parent, our security-aware youth still need to be mentored to recognize and appreciate the responsibilities of leading our security programs.  There are no shortcuts.

    So I am calling out all of my peers to up their game.  The baseline entry point to our profession is rising.  How are we transforming to take advantage of a stronger base and develop stronger leaders for the years to come?

  • Art of Security: Exploring the Current Threatscape

    Those who know me know that I love to listen and process the lessons learned and observations of my peers in the security industry.  I know and appreciate the art of our profession.  Individuals matter.

    This past Wednesday, I had the awesome opportunity to channel the strengths of 7 distinguished “artists” from 7 of the top security brands of our industry at SecureWorld Boston during a lively panel discussion on the Current Threatscape.  The panelists were Bill Sweeney (BAE Systems), Jason Georgi (Zscaler), Victor Danevich (Infoblox), Meghan Diaz (OpenDNS), Rob Sadowski (RSA), Ron Winward (Radware), and Ben Johnson (Carbon Black).

    We started by looking at how the threat landscape has changed in just the last year.  One panelist thought we should break it down further, since the change agent is so fluid.  If you’re not plugged in, you’d better be!  We proceeded to explore ransomware, DNS, application-layer attacks, endpoints, nation-state adversaries, and threat operations.  An hour could have been spent on each area, but all I had was an hour!

    Gauging from the audience, all appeared intrigued with the painting that was unfolding.  The panelists did an awesome job filling in any cracks left by the answers preceding theirs.  It kind of felt like rapid fire, with a fine concentration around my agenda bullseye.

    I obviously had too much to do to capture a picture of the final masterpiece.  If you attended the session, please comment on your main takeaways from the session!

    I’d like to personally thank Kerry Nelson and Shauna De La Mare from SecureWorld Expo for roping me into facilitating this panel!  Who would have thought a computer scientist could help shape a new piece of the art of security?

    References:

    1. https://events.secureworldexpo.com/agenda/boston-ma-2017/

  • Privacy needs Security

    Laymen often think that privacy principles are at odds with security.  This post explains why privacy needs security – at least the kind of security I endorse.

    Privacy is all about control over our personal information – guaranteed since 1791 by the 4th Amendment to the US Constitution.  Privacy protections exist in telephone conversations (1934), health records (1964), US mail (1971), education records (1974), financial records (1978), identity information (1982), cable communications (1984), electronic mail (1986), polygraphs (1988), license and motor vehicle records (1994), telecommunications (1996), and information about children (2000).

    Security ensures that control of our personal information, or at least that is what it’s supposed to do.  Reasonable efforts must be made to prevent the loss of collected information.  Individuals are also entitled to know when and what information is being collected, and to be able to opt out of such collection.

    The conflict comes with the other duty of security – the identification of violators and collection of the evidence needed to prosecute them.  Enter “Apple vs FBI”.  So, how can the two sides of the security coin exist in peace?

    The same framers who guaranteed privacy also established the process by which wrongdoing would be investigated and prosecuted.  Security must either establish probable cause – the belief that a search will discover criminal activity – or obtain the consent of the accused to conduct a search.  If consent is not obtained, law enforcement must submit a warrant to search and receive written permission from a court of law.  Regardless of consent, property cannot be seized without a warrant.

    So what about “Apple vs FBI”?  In this case, a warrant to search was approved, but the appropriate evidence could not be seized due to the strong encryption.  Unlike previous cases involving telecommunication carriers, the accused holds the encryption keys, not the technology company.  Does the law also allow law enforcement to break security?  No.

    The debate goes a step further.  Imagine all authorized software having back door keys available to law enforcement.  What prevents criminals from using unauthorized, black market cryptography?  We’d have law-abiding citizens with weaker security – not the criminals we are attempting to prosecute.