There is a strong demand for certifications among infosec professionals, and an expanding range of institutions and organizations that offer them. The never-ending list of security certifications, programs, specializations, sub-categories and vendor-specific certifications can seem mind-boggling.
However, something still seems to be missing from the quagmire of credentials that supposedly define a properly qualified security professional. The lessons learned from the "old school" methodology are often overlooked and, it seems, rarely used by the new breed of book-smart, multiple-choice-qualified professionals.
The "certification of the day" at the moment is the Certified Information Systems Security Professional (CISSP). The words "CISSP preferred" or "CISSP required" are familiar in job advertisements in both industry and government.
In a lot of cases, these newly certified individuals lack one thing: practical knowledge. Gaining the knowledge needed to pass a test and understanding how and when to use it are two different things.
It seems to me that the more security professionals I run into these days, the more I find that fully understanding the underlying problem and evaluating the overall environment has been lost as a starting point. In reality, it should be a simple matter of common sense.
When I was learning about security and going through the developmental phases, there were no courses to teach me. It was the school of trial and error, reverse engineering and working a system through before changing it. In those days, a true assessment was crucial to success. It wasn't just about tools and tricks and solving the problem. It was about finding out whether there really was a problem; assessing whether a tool provided any real benefit; and always asking who, why, what and where to determine whether a solution was required at all. Some of the hardest problems I came up against were actually not technical, but involved defusing the panic induced by the onslaught of "Chicken Little" briefings made by security professionals who hadn't looked at the big picture.
In these days of homeland security and increased sensitivity to suspicious network activity, it is hard to explore and play around with scenarios and equipment in the "old school" fashion to solve an issue. There are deadlines and critical milestones and a wealth of bureaucratic barriers. While there are no "old school" training programs or certifications, the best way to obtain the right infosec knowledge is still through experience. Seeking out peers who are well versed in this style is a great learning experience.
Indeed, senior IT security people offer the best lessons – better than those provided by a course. They often teach you the fundamentals of security not found on any multiple-choice test. Some of these basics include:
- Evaluate the situation and the environment first and foremost;
- Take the time and thought to understand how things work, both on their own and together;
- Don't chase symptoms – evaluate the impact instead;
- Find out what functions a system performs, not just what software is installed on it;
- Maintain balance in the operational network so that one "fix" doesn't ripple through the network and create another 50 "fixes" to accommodate it.
In the end, it comes down to common sense. Don't call the fire department when you smell smoke. Step back and figure out whether the fire is actually safely contained in your fireplace.
I remember the days long ago when my best friend – now an infosecurity peer – and I would try to get into each other's home computer. It was more of a game for us and a battle for bragging rights, but it was one of the best environments to learn the lessons from the old days.
In the world of security professionals, if you are one of the people who can get things done and get them done the right way, you will fall into a close crowd of peers. These peers will recognize your skills and your genuine understanding of the real-world environment, which can only come from being self-taught. There is a mutual respect among these professionals and an open sharing of knowledge that rarely travels freely outside this "old school" club. The associations forged in such a group dispel doubt and automatically grant trust and confidence.
Practiced IT security pros who help one another learn form a tight-knit and supportive fraternity. Those who are in it are trusted, while those on the outside are not. For this group, newbies with a long trail of acronyms following their name need practical knowledge and hands-on, on-the-job training to back those certifications up; they need to be well versed in the old methods of learning the ropes.
Although these lessons will not earn you a raise, or a credential that you can add to the list after your name, you will find that when you engage with someone who knows what they are talking about, you will very quickly become a peer rather than an apprentice.
Scott Rasmussen is senior security engineer at Computer Sciences Corp.