2020-02-18

Mind The Gap - mystical authorities of obscurity

I blogged a satire piece about people in IAM but wanted to raise an issue in a more serious tone. Firstly, let me say, this is not unique to security or IAM, and I am sure it exists in many areas in and out of technology. Years ago, I was required to do mandatory military service and served as a marine on a naval base. The base had about a dozen marines and over a thousand navy staff. As marines, we wore combat fatigues, carried weapons and stood apart, while the navy wore whites and mostly had classroom weapons training only. The average navy officer had no idea what we actually did. We shrugged off any naval policy and tradition we could and defined our own space as "mystical authorities of obscurity". "Sorry navy officer, we can't because [pick an obscurity + add some mysticism]" was the excuse, and then we dodged as much work or responsibility as we could. Anyone read the book Bullshit Jobs?

Perhaps this can be attributed to a skills gap, or perhaps it's a leadership gap, a recruiting gap or just industry hype, growth or a dozen other causes. Professional certifications like those ISC2 offers have done much to ensure recognition of the discipline and some level of base understanding. The problem is that you can take a professional dishwasher and, in a one-week executive crash course, prepare them to write their professional security designation with a significant success rate. Suddenly, with one week of training and a chunk of dollars, we have a "security professional", "audit professional" or "risk professional" who has never looked at a log or provisioned a user, never been audited, and never had to deal with risk other than for themselves on social media. I have had to show a "security professional" how to book a room in Outlook, and heard this same person recommending phishing training guidelines for Outlook 30 minutes later.

Perhaps it is because so many companies consider IAM a regulatory or security cost instead of considering the additional pillars of IAM. So, when a "security professional" is found who is not demanding top dollar, they are snapped up and added to the team of "defenders". Perhaps some recruiter (who has even less understanding of security than the newly minted "security professional") tries to screen candidates with questions like "have you worked with Zero Trust, PIM or least privilege?", discounting anyone whose resume does not list these keywords in under two pages as lacking experience. Or: have you deployed CyberArk, SailPoint, Okta and, nice to have, Venafi in a financial organization of 100,000 or more people... in the last 6 months, and do you have your CISSP and 5-10 years of experience? If so, I have an excellent opportunity for $45,000 a year. It's a competitive market, and you get what you pay for.

Only someone who knows little about deploying these products, or who has an integrity gap, would claim yes. Often the deployment "experience" turns out to be in a line of business affected by the product deployment. Yet these jobs are soon filled, and with the shortage in security, audit and compliance teams, no one seems the wiser. Next, you hear that the "security professional" was promoted to management, starts hiring their own team and finds more newly minted "security professionals" to work for them, ones that won't expose their limited industry knowledge. Soon the company has an entire team of "security professionals" setting policy, policing and driving corporate security strategy, with limited to no exposure to the technologies they are attempting to protect.
 
As a contractor, I usually take time to interview for potential new contracts. You can usually spot these people 5-10 minutes into an interview, if not by their questions, then by their vision or aspirations. "I am committed to fixing in 5 months an audit finding that has been open for 5 years"... and yet from experience I know that it would take 2 years and significant resources to close. These are usually not the contracts you want.

Alternatively, there are the "old security" personnel. These are people who spent many years in security and have nothing more to learn. Doing it like it's 1999. They ignore emerging technologies because "security principles remain constant". They spend money on Active Directory tools, legacy firewalls and SIEMs while their organizations deploy SaaS, federated access, BI, AI and cloud-based services. They are easy to find, since you notice that controls in legacy environments are the focus, while the business continues to move ahead "unhindered".

IT and other technology teams soon realize that the mystical authorities of obscurity have little or no idea about their business, and see them only as roadblocks. "Security professionals" defend their standards, policies and controls as regulatory or best practice by throwing more mysticism and obscurity around. A huge amount of hype words and jargon (often misused) usually emerges. The $45,000-a-year solution starts costing the company millions in other teams' time and effort, with little to show for it, and all confidence is lost.

One does not move all one's players to the defensive line unless one has already lost and is just trying not to bleed to death. So why put so much emphasis on the second and third lines of defense at the expense of the first? Information security needs people focused on securing systems proactively, and that does not happen if most of the security staff are simply reporting on the state of security or writing a new policy (that those managing the systems will probably ignore). We need forwards if we want to stand a chance of creating a winning team, but forwards are loved by their supporters and hated by the opposition, and it can be dangerous to be noticed.

Sooner or later an executive has everyone telling them that the IAM folks don't get it, and this starts looking bad on them. Management picks a project and gets IAM leadership to promise it in record time or "face the consequences". Left with little choice but to quit, IAM leadership kicks off the project, often just to buy time. A vendor "partner" is chosen as the scapegoat and the objectives are set. Limited timelines and resources, coupled with previous shortcuts and lack of experience, result in the project getting descoped repeatedly and more corners being cut. The result is usually that foundational work is descoped in favour of visible goals: building data stores, stopping the bleeding and training get dropped, systems are built to a point in time with life cycles ignored, and what remains is waved through with risk acceptance or a biased checkbox assessment. If the deliverables can be spun as met, the security team may buy some temporary goodwill, at least until the descoped issues come to the fore.

Now the IAM team can't raise additional funding to finish what they already claimed to have done without admitting failure. In the meantime, IT and other technology teams are rolling their eyes and saying "What did you expect?", and life goes on, with the next project building on the missing foundations of the previous one. More good money is sunk into new projects that will be wasted when it all collapses.

Then they get a new CISO, spend a year doing a current state assessment with gaps and making a plan, and then start again at the beginning, usually resetting the company's security maturity level in the process.

There are good IAM security professionals and organizations. They are usually so busy plugging away that they are often overlooked. Medical specialists first need a medical base; engineers need basic engineering skills before specialization. Why then does the industry think you can have a security professional who has no experience with the technology they are protecting? Security professionals need to be technology professionals first. In fact, they should be subject matter experts in a platform, area or system before specializing.

Perhaps we need a cultural change, or more collaboration and openness and less mysticism and obscurity. Perhaps we could drop the jargon and hype words and focus on understanding and learning. Or perhaps we need rotation programs where security staff do IT work and IT staff do security work for a period. As an IAM professional, I cannot encourage others enough to take a non-security course in the technology areas your organization is adopting.
