I recently shared a lectern at a security conference in London with a speaker who proudly proclaimed to the audience that he was a "white hat hacker." You could practically hear the spurs jangling.
Such pompous claims of hero status were common during the dot-com heyday, when infosecurity pros were rough-and-tumble cowboys trying to tame the digital Wild West. But we no longer need white hats to protect us against black hat villains.
The excitement of dueling with hackers was a lure that attracted far too many of today's infosecurity practitioners into our profession. Consequently, the prairie is littered with people who are easily distracted by glitzy technology and the prospect of adventure. Turned off by the day-to-day requirements of security management, these cowboys want to play Wyatt Earp--on company time, with company money. Who can blame them? There's nothing sexy about setting policies, hardening and patching systems and managing change.
In spite of the growing prominence of certifications such as the CISSP, there are still too many old hands who refuse to grow up. As a profession, we perversely continue to promote the cowboy image with credentials such as the Certified Ethical Hacker.
The compelling romance of the Wild West is a source of frustration. The C-suite wants security practitioners who will ensure that nothing happens to the IT infrastructure, but we continue to hire thrill-seeking cowboys instead of peacekeeping deputies.
We talk about the need for effective risk management, but we subconsciously motivate our infosecurity staffs to avoid the tasks that reduce risk. Relying on reactive enterprise security programs, we still wait for the hackers to arrive on our doorstep so our hired guns can respond with a flurry of activity. Infosecurity specialists aren't given incentive to prevent fires; they're paid to put them out. If you're skeptical, ask yourself: Are your staffers more likely to get a bonus for an incident-free year or overtime pay for fighting a worm outbreak? Until we start paying infosecurity practitioners to maintain peace and quiet, they'll be motivated to conduct spectacular rescues instead of preventing incidents in the first place.
We criticize technologists for always wanting to have the sexiest new security software, but perhaps we're equally guilty: It's more interesting to hire a few gray hats instead of stodgy program managers. Responding to their self-aggrandizing warnings about the dangers of the Internet, we hire gunslingers in preparation for the promised shootout. But as risk programs mature, it becomes obvious that anticipating and preparing for trouble is better than responding to it.
Shareholders and security managers shouldn't have to subsidize cowboys like that self-labeled white hat in London. If they want peace in their Internet towns, they should stop filling their security departments with gunfighters spoiling for a shootout. Instead, they should fill those seats with people who will create stable infrastructures.
There will always be a place for a few Stetson-wearing hotshots, but gunfighters cause more harm than good when they are allowed to set the infosecurity agenda. For true risk reduction, we need to replace these cowboys with sensible admins who diligently and methodically follow proven risk reduction procedures.
About the author:
Jay G. Heiser, CISSP, is a London-based security analyst with TruSecure Corp.
This was first published in May 2004