Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Why Don't IT Generalists Understand Security?
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 4   >   >>
SecOpsSpecialist
50%
50%
SecOpsSpecialist,
User Rank: Moderator
10/9/2014 | 12:57:20 PM
IT vs Security
This is an interesting discussion question. Many times, those in IT don't understand Security because they simply don't want to. Often times, companies do not have the ability to have an entire Security department so it falls to the IT people to fix it.

But having been on both sides of the table, I can say that Security people are laser-targeted specialists and IT folks have to know a lot about everything. That's the biggest difference between the two. Security folks have to know everything about networking and how to fix things, on top of how to secure it all. That's why many degree programs that used to combine Security and Networking have split into two different competencies at the University level. That's why Universities like Capella offer an Information Assurance and Security Master's Degree with the specialization in Network Defense or in Forensics.

General IT programs teach IT folks how to fix things from the inside out of a computer. They have a basic understanding of networking and they know how to fix a bunch of stuff. Put them in front of a firewall and tell them to configure VLANS and Rules to let traffic flow through and they freeze because that's not something they are familiar with.

However, give that same task to someone who is specialized in Security and they will ask you "How segmented do you want the VLANs to be? What ports do you want traffic to flow through?" That kind of thing. They are specialized for a reason.

As for the media...while I do appreciate a good media story now and again, often times the media will emphasize the wrong thing and not get the real message across. For example with the JP Morgan Chase breach, it's been said that it's not a concern to the company, which is not the case. Chase is very concerned about the fact they were breached and they are doing what they can to mitigate the situation. Whether that's the fault of the media or the editors, I haven't really figured that out yet.
anon9788632438
50%
50%
anon9788632438,
User Rank: Apprentice
10/9/2014 | 12:45:14 PM
Re: IT professionals
I think I disagree, unless you agree with this point. You have to define, "Ins and outs." No, I do not think every IT Profesional needs to understand I depth HOW the encryption works, however they should understand which implementations work best for the desired protection. Full disk, for example, to protect data on computer where the users are logged off or the machine is off. Shared key or PKI for protection of data during transmission. And so on. They should have enough knowledge to suggest an applicable solution.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/9/2014 | 12:32:37 PM
Re: IT vs. InfoSec
@KillerB  Nice analogy. So ultimately, security will always lag behind convenience. The more we want to do with our computing systems and data, the more secure we'll need to be, and it will just be a never-ending journey.

Let me ask you this, then. Are we best off letting IT generalists do all their blue-sky stuff without security in mind, and then cleaning up afterwards? Keeping those responsibilities separate? Or would we be better off getting everyone working together sooner?
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/9/2014 | 12:16:32 PM
Re: IT Security
@anon  Now, this is interesting. You say "I'm in the camp that believes security specialists should be separate from general IT and risk management." Can you explain a little further? Do you think that the security department should be completely outside the IT department? Should physical security and infosecurity work together? Also, I tend to think that security people need to be more focused on risk management, and thought that maybe they should be part of the same department. I'm guessing you disagree? 
Sara Peters
100%
0%
Sara Peters,
User Rank: Author
10/9/2014 | 11:52:36 AM
Re: IT professionals
@JunkNtheTrunk   Well I agree with you that IT generalists don't need to know all the ins and outs of encryption. Heck, I don't actually think that all IT security people need to understand EXACTLY how encryption does what it does -- that's the purview of crypto geeks.

However what I saw is a misunderstanding on what encryption accomplishes. For example, while we know that whole-disk encryption on that laptop is a good thing, in case that laptop is stolen, we know that it won't necessarily prevent your laptop from being owned by a bot-herder. Not all the people in IT seem to understand the difference, and when it comes to encryption, that's important, since many companies feel like encryption will save them from all liability.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/9/2014 | 11:44:15 AM
Re: Why Don't IT Generalists Understand Security?
@[email protected]   This is really interesting, because it sounds like you're saying that most of the people in the IT department are just as bored by and uninterested in security awareness training as non-techie end users. Do you think that security teams need to create super-exciting security awareness training sessions that are just for other people in the IT department?
Killer
100%
0%
Killer"B",
User Rank: Strategist
10/9/2014 | 10:37:30 AM
IT vs. InfoSec
The gap between IT and InfoSec comes down to how one looks at what is being transported and stored.  Too many IT folks I have interacted with see what they do as moving bits and bytes, not information with value.

Information Security looks at what is contained in those bits and bytes and its value.  Then access to that value comes into play and this is where the concepts of access control kicks in.  People want convenient access to their valuable information, but they should be able to access it...  And so goes the fight over convenience and security. 

Think of it like a car.  The car was designed to transport people around more conveniently.  But as time went on we determine that it lacked security.  We added lights, windshield wipers, seatbelts, door locks, anti-theft systems...  It's quite a long list now.

The original purpose has not changed.  Compare the Ford Model T to today's Ford Focus.  Both have four wheels, a couple of doors, headlights.  But the Focus has so much more in security features.  And these features protect us from others as much as our self

We can have Security or Convenience, choose wisely.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
10/9/2014 | 7:44:31 AM
Re: It Security -- boring?
@rubiusavonside, From an outsider's perspective, I wouldn't characterize IT security as boring or dry compared to general IT. But it does have a different language and the concepts and issues are complex, and not readily understood by simply reading a couple of articles or viewing a power point presentation. So the smart professionals on both sides of the divide are those who recognize when they need to inform (or be informed) about important trends and have developed relationships that foster open lines of communication. 
ldaniee
0%
100%
ldaniee,
User Rank: Apprentice
10/8/2014 | 10:41:10 PM
Re: Understanding security
I think that here  s alot of infomtionin the IT word and ome peope don't want to do ore then theiy are required

 
rp415
0%
100%
rp415,
User Rank: Apprentice
10/8/2014 | 10:40:28 PM
Re: Understanding security
I am not sure whether to agree or disagree with this video. In my experience the general IT team members that I have worked around were not very experienced in the field so it is to be expected that they are not well versed in IT Security features. The IT Directors that I have worked with were more familiar with IT security functions such as encryption but they really could not do anything to secure the network without first recieving word from the corporate IT team.
<<   <   Page 3 / 4   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-40108
PUBLISHED: 2021-09-27
An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint.
CVE-2021-40109
PUBLISHED: 2021-09-27
A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents of...
CVE-2021-23243
PUBLISHED: 2021-09-27
In Oppo's battery application, the third-party SDK provides the function of loading a third-party Provider, which can be used.
CVE-2021-3799
PUBLISHED: 2021-09-27
grav-plugin-admin is vulnerable to Improper Restriction of Rendered UI Layers or Frames
CVE-2021-3818
PUBLISHED: 2021-09-27
grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking