Dark Reading is part of the Informa Tech Division of Informa PLC



Why Don't IT Generalists Understand Security?


Why doesn't the rest of the IT department understand what encryption and passwords can and can't do? And does it matter?

Page 3 / 4
Steve Yarlly
User Rank: Apprentice
10/10/2014 | 10:55:07 AM
Re: IT vs Security
As far as your example of a security person setting up firewall rules, that to me seems to be more a network engineer's job.  While it is certainly a good idea to have a security person's input when setting up firewall rules, the actual implementation of the rules should be performed by a network engineer, not a security specialist.  Separation of duties must be maintained.  Have a security specialist provide input on the request and, if approved, the network engineer will implement it.


My two cents.
User Rank: Ninja
10/10/2014 | 11:46:34 AM
Risk management should become an emphasis.
As I listened to your thoughts and perceptions in the video, I was reminded of a line shared with me a long time ago during my military career.
"You can have exceptionally skilled and trained soldiers, the best equipment, solid policies and plans, effective logistics, awesome everything.  But none of it matters unless everyone... EVERY SINGLE PERSON INVOLVED...  is on the same page with the same goals in mind."

Much of what you discussed is that very problem.  The security professionals have one particular goal that, if you think about it, is relatively new in the IT industry.  The IT professionals have goals that are more focused on service delivery, solution design, operations support, and maintenance planning....  keeping the business in business.  The business is generating revenue = the IT function is working as expected for the business to function.

Security pros would like to say they are keeping the business in business too, but what they believe is only just now becoming a tangible thing.  Thanks to recent events and media coverage, the risks are becoming more difficult to accept by business owners and customers alike.  Not just monetary loss...  reputation is also on the line.
At the same time, IT pros are seeing risk to their own careers by not hearing the guidance provided by security pros.  If a business is not generating revenue because customers have lost confidence in the way the business protects private information, the business may have to make changes to stay afloat.

The gap between these viewpoints still exists because there is still this intangible aspect of security that is difficult for many people, not just IT pros, to rationalize with their current goals.  How does one measure the effectiveness of a fence and gates around a warehouse other than to say that nothing bad happened in the warehouse recently?  Nothing bad can happen without the fence and gates just as easily.  The chance for a bad thing to happen may be higher, but that is still often an unmeasurable factor.
What makes things even more challenging for gaining hearts and minds in regards to security is the fact that threats against our environments are changing tactics so fast that all the fences and gates in the world may still fail to stop those "unknown unknowns".  Organizations with solid security programs are still getting hacked out there, and such news undermines the opinion of security practices because people see such breaches as "security failed again".

"Risk Management Professional"...   maybe that should be the new name for security pros.  Heck, maybe security should be renamed to risk management.  That is all security really is.  Maybe more people would be able to rationalize the need for risk management practices?  Maybe a renaming of the security industry is in order to make it more understandable to IT pros, business owners, and consumers alike.

I will say that I do sense a slow shift in the IT professional mindset, however.  As IT pros learn more about what can make them look bad in the eyes of business management, they are also learning that the security risk management pros can help them avoid those possibilities as long as they learn to work well together.
User Rank: Ninja
10/10/2014 | 1:20:17 PM
Re: Risk management should become an emphasis.
Although I do agree that Risk Management is a critical part of Information Security, I'm not sold on renaming it as such. Risk Management encompasses so many aspects of an organization not directly related to IT Security. It is true that some organizations have IT Security reporting to the CRO, but my take is that it is a subject that has evolved to really become its own discipline, and really deserves to have its own seat at the table.

I also agree that IT pros in general have become increasingly aware of their need to pay more attention to security, if merely for self preservation. Since IT's role is to deliver technology that aligns with business goals, they should see that Security's role is to make sure that the technology is delivered as securely as the business allows based on risk. After all, the ideal situation is for all aspects of an organization to align with the organization's business goals.
Sara Peters
User Rank: Author
10/13/2014 | 12:29:58 PM
Re: Understanding
@RiskIQBlogger  Ah, yes, the ol' "cost center" thing.  As you say:  "IT security is a cost and a drag on the bottom line. That can have all sorts of consequences, but namely they're the last to present, the last voice heard and used to be the least interesting voice in the board room." 

You say that's going to change. How long do you think it will take? I've been hearing for ages that eventually good security will be a selling point for businesses, and THEN they'll take it seriously.... hasn't happened yet.
Sara Peters
User Rank: Author
10/13/2014 | 12:34:15 PM
Re: There's no middle ground
@bearinboulder  Great, great points. I'd considered how this chicken-egg problem -- can't get a job without security certs and can't get the certs without the job -- affects the so-called "security skills shortage." But I hadn't thought about how that issue impacts how security is viewed/treated within an organization.
User Rank: Moderator
10/15/2014 | 11:33:25 AM
Information technology generalists don't understand security because they don't understand information technology.
User Rank: Moderator
10/15/2014 | 1:25:54 PM
Re: IT vs. InfoSec

"No more security as a bolt on."

This notion no longer seems tenable. Information technology systems are going through a massive phase of disintegration, where the security controls being provided are fully agnostic to the system itself. Vendors are providing discrete products to satisfy specialized security needs. The mentality that the platform provides the full panoply of security controls is antiquated and arguably defunct.

"If security is included up front we will significantly reduce the ridiculous flaws (Bash anyone) that show up."

I question this conclusion. The bug in bash was obscure, unique, and the consequence of poor programming. I don't know what could have been done 20+ years ago to identify it. And quite honestly the bug would have been far less devastating if there were not so many interdependencies between applications and the underlying operating system.

"Open source, freeware, whatever you want to call it should give you pause"

I do not want to resurrect the open vs. closed source debate in this forum but will point out that, just as my "German" automobile contains Chinese/Taiwanese electronics and was assembled in Mexico, the "closed source" product in your environment most definitely contains a variety of open source code and even code purchased from others.
Marc Eggers
User Rank: Strategist
10/15/2014 | 8:06:10 PM
IT Generalist - so bad?
As one of those "IT generalists" who has returned to my security roots and is delving back into it, I have to say that I think the issue is less a question of "Do IT generalists understand security?" than "Why don't we have more IT generalists who know what they are doing?" Now, I am not talking about the business users who are considered generalists because they have superuser rights or can go into admin panels and change passwords, but I am talking about the IT generalists who are able to support their company in any way that is needed.

I think that there needs to be a return to the generalist mentality. Hear me out before you decry my statement. I am not advocating a return to the single person IT department, but I do think that cross-functional understanding improves everyone's performance and facilitates communication so that everyone is on the same page. How often has there been a problem because a programmer didn't build in enough security assuming that the firewall or vpn would protect them? How often has a firewall been misconfigured because it was quicker or easier to get it up and running that way? How often has a project been completed only to have someone find an architectural concern or security flaw in the design that would have been able to be eliminated from the start had input been sought from someone in a different sector?

It is disheartening to see the silos that are built up around all the different areas of IT. How often have you heard a programmer design a website or an application who does not understand assembler or network protocols? Or a system admin who doesn't question why their server is running at 75% memory usage but just throws more memory at the problem? Colleges these days are teaching programming in a very slapdash manner to get more people out there coding, but so many do not understand how the computer works well enough to understand the difference between an int and a long, strcpy vs strncpy, varchar or nvarchar, etc. The list goes on and on. I have heard infosec professionals say that if every developer stopped using strcpy we would almost eliminate the entire class of vulnerabilities that rely on buffer overflows. Yet we still have developers using strcpy. We have websites that are still written to send the username and password directly to the database.

I don't think that everyone needs to know the nitty-gritty of encryption or NAT tables or SQL injection or whatever it happens to be, but I think that everyone should have a more than passing knowledge that these things exist so that everyone can support one another. Security can not be one person's responsibility without the support of the rest of the organization. Everyone having a broader understanding of other's roles, responsibilities, and most importantly capabilities allows us to layer security more comprehensively than a wrapper that is thrown on as an afterthought.  One of our biggest responsibilities in security is training others to be secure and bringing everyone together and how can we bring everyone together if we aren't generalists enough to know what everyone else's skills and responsibilities are?
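The strcpy vs strncpy point in the comment above, worked through as an added example (this is editor-written code, not the commenter's). It assumes a constructed 16-byte name buffer (NAME_LEN) and a few constructed input strings. It shows why strcpy has no way to stop at the buffer's end, why a mechanical swap to strncpy is only half a fix (for input of NAME_LEN or more characters it leaves the buffer with no terminating NUL, so the next strlen or printf("%s") reads past the end), and what a bounded copy that always terminates and reports truncation looks like.

```c
/* Added example: strcpy has no bound, strncpy has a bound but no guaranteed
 * terminator, and a bounded copy should give the caller both.
 * NAME_LEN and the input strings are constructed for this demonstration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16   /* assumed fixed-size destination buffer */

/* Nonzero if strcpy(dst, src) into a NAME_LEN buffer would write past its
 * end (the bytes plus the terminating NUL).  strcpy never makes this check;
 * the caller has to, and in practice often does not. */
int strcpy_would_overflow(const char *src)
{
    return strlen(src) + 1 > NAME_LEN;
}

/* strncpy used the way it usually is (bound = sizeof dst), then a report of
 * whether a NUL terminator landed inside the buffer.  For src shorter than
 * NAME_LEN strncpy pads with NULs; for NAME_LEN or more characters it fills
 * every byte and leaves no terminator at all. */
int strncpy_leaves_terminated(const char *src)
{
    char dst[NAME_LEN];
    memset(dst, 'X', sizeof dst);            /* make a missing NUL visible */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Bounded copy: never writes past dstlen, always NUL-terminates, and returns
 * -1 when src had to be truncated so the caller can reject the input rather
 * than silently storing a shortened name. Returns 0 on a full copy. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0)
        return -1;
    if (n >= dstlen) {
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Copy src into a NAME_LEN buffer with copy_bounded and hand back a heap copy
 * of the result (caller frees) plus the truncation flag. */
char *copy_name(const char *src, int *truncated)
{
    char dst[NAME_LEN];
    char *out;
    *truncated = copy_bounded(dst, sizeof dst, src) != 0;
    out = malloc(strlen(dst) + 1);
    if (out)
        memcpy(out, dst, strlen(dst) + 1);
    return out;
}

int main(void)
{
    const char *short_name = "alice";             /* constructed: fits */
    const char *long_name  = "0123456789abcdef";  /* constructed: 16 chars, no room for NUL */
    int truncated;
    char *out;

    printf("strcpy(\"%s\") would overflow: %d\n", long_name, strcpy_would_overflow(long_name));
    printf("strncpy leaves \"%s\" terminated: %d\n", long_name, strncpy_leaves_terminated(long_name));

    out = copy_name(long_name, &truncated);
    printf("bounded copy: \"%s\" truncated=%d\n", out, truncated);
    free(out);

    out = copy_name(short_name, &truncated);
    printf("bounded copy: \"%s\" truncated=%d\n", out, truncated);
    free(out);
    return 0;
}
```

The point a reviewer should take from copy_bounded is the return value: a bounded copy that silently truncates is still a bug class (a truncated path or username is a different object than the one the caller checked), so the bound and the truncation signal belong together.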
User Rank: Ninja
10/16/2014 | 10:57:07 AM
Re: Understanding
@Sara Peters

"You say that's going to change. How long do you think it will take?"

When we turn on the TV or come to this site and read that the senior people responsible for the care, management, operation and security of some poorly secured data environment that was hacked for 83 million customer records have, along with their CEOs and others responsible, been indicted for negligence. That's when it will change.
User Rank: Ninja
11/4/2014 | 3:47:08 PM
IT Generalists Can Understand Security But Should They?
I started out in the 90s building my own systems (early Red Hat, Slackware and Radio Shack) because I couldn't afford license fees for the software everyone else I knew was using.  That led to work in the industry as a software tester, then builder and automation engineer, to project manager and build/release manager.  Now I'm on my way back down in the tech trenches, doing builds and testing and a host of fun security-related tech at home.  It's fair to say that since the 90s I became an "IT generalist" over time, with a minor specialty at each new job.  However, going back down the ladder, I'm learning that while my experience across the board in IT helps me appreciate what everyone else does, it doesn't mean I should formulate opinions or direct others to do things within their area of expertise.  In fact, I feel more strongly today about "each thing (or resource) in its place" than ever.  I liken IT Security to the military, and I think that all of us "generalists" don't need to understand security more deeply than this:  Shut up and listen to your IT Security team.  They are there to keep your data safe and maintain the integrity of the company you work for.  It's like being caught in a terror attack:  Do you need to understand why it's happening, or the mechanics of how the military sent in to protect you works?  No – respect the SMEs (subject matter experts) and jump when they tell you.

I think that is why I am so focused on software security now that I'm older.  Testing software opened up a new world to me and I broke lots of code; exploits could have been written off some of the results I got out of my stress testing.  Writing code for test automation also opened my eyes to a whole new world of tech, and built appreciation for programmers and what they do; especially from the perspective of writing secure code.  But never once did I feel I "understood" security and could speak to it as an expert.  I shut up and I do what the security teams tell me to do, from patching my systems to cease/desist orders against my ISO downloads :-)  Do I want to understand it fully?  Sure – and I have lots of lab time in over the last couple years that has allowed me to develop both practical systems security knowledge and combative security tactics.  But I'm still proud to be an "IT generalist" because my brain is just too interested in too many things tech to stay on one track for long.

Why don't IT generalists understand security?  Maybe because they shouldn't have to.  They can, but really all that's important is that they respect that IT security is a necessary function, and that when they are told by someone from that function to do something that will protect them and their office mates, they do it.