Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

Why Don't IT Generalists Understand Security?

150%
-50%

Why doesn't the rest of the IT department understand what encryption and passwords can and can't do? And does it matter?

Comment  | 
Print  | 
Comments
Threaded  |  Newest First  |  Oldest First
R@Ddad88
33%
67%
[email protected],
User Rank: Apprentice
10/8/2014 | 10:32:44 PM
Why Don't IT Generalists Understand Security?
The IT Generalist, dows not want to deal with security.  People want speed and conveinience, rather than deal with security slowiong down their productivity.  Most people also believe that there is a department dedicated to making the security piece work.  Modern trainig plans call for slides to present and educate the average user on need for security, and how they are an important part of security.  Skipping trhough slides, to get to the end, not really learning anything of value. The average user considers the requirement for security just an annual boring training requirement and not a day to day necessity.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/9/2014 | 11:44:15 AM
Re: Why Don't IT Generalists Understand Security?
@[email protected]   This is really interesting, because it sounds like you're saying that most of the people in the IT department are just as bored by and uninterested in security awareness training as non-techie end users. Do you think that security teams need to create super-exciting security awareness training sessions that are just for other people in the IT department?
JunkNtheTrunk
50%
50%
JunkNtheTrunk,
User Rank: Apprentice
10/8/2014 | 10:34:11 PM
IT professionals
I believe that most IT professionals do not need to the ins and outs of encryption. That seems a bit much. I believe that a basic understanding of good security practices would be sufficient.
Sara Peters
100%
0%
Sara Peters,
User Rank: Author
10/9/2014 | 11:52:36 AM
Re: IT professionals
@JunkNtheTrunk   Well I agree with you that IT generalists don't need to know all the ins and outs of encryption. Heck, I don't actually think that all IT security people need to understand EXACTLY how encryption does what it does -- that's the purview of crypto geeks.

However what I saw is a misunderstanding on what encryption accomplishes. For example, while we know that whole-disk encryption on that laptop is a good thing, in case that laptop is stolen, we know that it won't necessarily prevent your laptop from being owned by a bot-herder. Not all the people in IT seem to understand the difference, and when it comes to encryption, that's important, since many companies feel like encryption will save them from all liability.
anon9788632438
50%
50%
anon9788632438,
User Rank: Apprentice
10/9/2014 | 12:45:14 PM
Re: IT professionals
I think I disagree, unless you agree with this point. You have to define, "Ins and outs." No, I do not think every IT Profesional needs to understand I depth HOW the encryption works, however they should understand which implementations work best for the desired protection. Full disk, for example, to protect data on computer where the users are logged off or the machine is off. Shared key or PKI for protection of data during transmission. And so on. They should have enough knowledge to suggest an applicable solution.
gautamnandy01
50%
50%
gautamnandy01,
User Rank: Apprentice
7/9/2015 | 5:09:30 AM
Re: IT professionals
The IT Generalist, dows not want to deal with security. 
rubiusavonside
0%
100%
rubiusavonside,
User Rank: Apprentice
10/8/2014 | 10:35:15 PM
It Security
I think a lot of general IT professionals find the policies of security to be a very boring and dry subject and simply skim over the required materials for their jobs.  Do they need to know?  I agree there is a happy middle ground where they should know enough to not be that weak link but should understand when they need to seek out a Security Profesional for more information.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
10/9/2014 | 7:44:31 AM
Re: It Security -- boring?
@rubiusavonside, From an outsider's perspective, I wouldn't characterize IT security as boring or dry compared to general IT. But it does have a different language and the concepts and issues are complex, and not readily understood by simply reading a couple of articles or viewing a power point presentation. So the smart professionals on both sides of the divide are those who recognize when they need to inform (or be informed) about important trends and have developed relationships that foster open lines of communication. 
anon9788632438
50%
50%
anon9788632438,
User Rank: Apprentice
10/8/2014 | 10:36:41 PM
Re: IT Security
I'm in the camp that believes security specialists should be separate from general IT and risk management. I don't know the grounds from which you're making this observation aboUT general IT professionals but in my experience it is dead on. Mine can manage Active Directory and say big techy words but fail in carrying on basic conversation about security except to regurgitate but words.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/9/2014 | 12:16:32 PM
Re: IT Security
@anon  Now, this is interesting. You say "I'm in the camp that believes security specialists should be separate from general IT and risk management." Can you explain a little further? Do you think that the security department should be completely outside the IT department? Should physical security and infosecurity work together? Also, I tend to think that security people need to be more focused on risk management, and thought that maybe they should be part of the same department. I'm guessing you disagree? 
rp415
0%
100%
rp415,
User Rank: Apprentice
10/8/2014 | 10:40:28 PM
Re: Understanding security
I am not sure whether to agree or disagree with this video. In my experience the general IT team members that I have worked around were not very experienced in the field so it is to be expected that they are not well versed in IT Security features. The IT Directors that I have worked with were more familiar with IT security functions such as encryption but they really could not do anything to secure the network without first recieving word from the corporate IT team.
ldaniee
0%
100%
ldaniee,
User Rank: Apprentice
10/8/2014 | 10:41:10 PM
Re: Understanding security
I think that here  s alot of infomtionin the IT word and ome peope don't want to do ore then theiy are required

 
Killer
100%
0%
Killer"B",
User Rank: Strategist
10/9/2014 | 10:37:30 AM
IT vs. InfoSec
The gap between IT and InfoSec comes down to how one looks at what is being transported and stored.  Too many IT folks I have interacted with see what they do as moving bits and bytes, not information with value.

Information Security looks at what is contained in those bits and bytes and its value.  Then access to that value comes into play and this is where the concepts of access control kicks in.  People want convenient access to their valuable information, but they should be able to access it...  And so goes the fight over convenience and security. 

Think of it like a car.  The car was designed to transport people around more conveniently.  But as time went on we determine that it lacked security.  We added lights, windshield wipers, seatbelts, door locks, anti-theft systems...  It's quite a long list now.

The original purpose has not changed.  Compare the Ford Model T to today's Ford Focus.  Both have four wheels, a couple of doors, headlights.  But the Focus has so much more in security features.  And these features protect us from others as much as our self

We can have Security or Convenience, choose wisely.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/9/2014 | 12:32:37 PM
Re: IT vs. InfoSec
@KillerB  Nice analogy. So ultimately, security will always lag behind convenience. The more we want to do with our computing systems and data, the more secure we'll need to be, and it will just be a never-ending journey.

Let me ask you this, then. Are we best off letting IT generalists do all their blue-sky stuff without security in mind, and then cleaning up afterwards? Keeping those responsibilities separate? Or would we be better off getting everyone working together sooner?
Killer
100%
0%
Killer"B",
User Rank: Strategist
10/9/2014 | 2:15:21 PM
Re: IT vs. InfoSec
@ Sara Peters Yes it will be a never ending journey, until the journey ends. Some businesses will have a longer journey than others. The length of the journey will be directly correlated to the business' understanding of the cost of a security failure. The failure does not have to be the theft of data, but could be just a takedown. Take Code Spaces for instance, their failure was due to a poor understanding of their security exposure. Because of this they succumbed to a takedown. Their data was not stolen, their house was burned down. It would be interesting to know the ripple effect, what other businesses where impacted and to what degree because their data was lost.

To your questions. No more security as a bolt on. It will take time, but security must be included in the design/planning phase of projects. However, this will come with culture change in the organization and also at the college level. If security is include up front we will significantly reduce the ridiculous flaws (Bash anyone) that show up. They cannot be separate, they must work together. IT and InfoSec are two different disciplines, not responsibilities that using the same platform. IT does the moving and storage, InfoSec does the valuation and protection of what was moved and stored.

Another analogy. IT/InfoSec are like man and woman. Each has a specific roles, disciplines and skill sets. But left to themselves they will not alone propagate the human race. They must come together, do a little dance (you know the rest) and keep things moving forward.

One last thing. Money plays a big role in this as well. Money is the great equalizer; you pay for something that has value. If it does not cost something, you should question its value. Open source, free ware, whatever you want to call it should give you pause. If your data has value to you, you should protect it from theft or getting burned down. If the owner/board of directors doesn't understand this, then you have a culture problem and are a Code Spaces waiting to happen. If the boss gets it, but the IT team doesn't, then you have options, find a new IT team.
savoiadilucania
50%
50%
savoiadilucania,
User Rank: Moderator
10/15/2014 | 1:25:54 PM
Re: IT vs. InfoSec
@KillerB

"No more security as a bolt on."

This notion no longer seems tenable. Information technology systems are going through a massive phase of disintegration, where the security controls being provided are fully agnostic to the system itself. Vendors are providing discrete products to satisfy specialized security needs. The mentality that the platform provides the full panoply of security controls is antiquated and arguably defunct.

"If security is included up front we will significantly reduce the ridiculous flaws (Bash anyone) that show up."

I question this conclusion. The bug in bash was obscure, unique, and the consequence of poor programming. I don't know what could have been done 20+ years ago to identify it. And quite honestly the bug would have been far less devastaing if there were not so many interdependencies between applications and the underlying operating system.

"Open source, freeware, whatever you want to call it should give you pause"

I do not want to resurrect the open vs. closed source debate in this forum but will point out that, just as my "German" automobile contains Chinese/Taiwanese electronics and was assembled in Mexico, the "closed source" product in your environment most definitely contains a variety of open source code and even code purchased from others.
SecOpsSpecialist
50%
50%
SecOpsSpecialist,
User Rank: Moderator
10/9/2014 | 12:57:20 PM
IT vs Security
This is an interesting discussion question. Many times, those in IT don't understand Security because they simply don't want to. Often times, companies do not have the ability to have an entire Security department so it falls to the IT people to fix it.

But having been on both sides of the table, I can say that Security people are laser-targeted specialists and IT folks have to know a lot about everything. That's the biggest difference between the two. Security folks have to know everything about networking and how to fix things, on top of how to secure it all. That's why many degree programs that used to combine Security and Networking have split into two different competencies at the University level. That's why Universities like Capella offer an Information Assurance and Security Master's Degree with the specialization in Network Defense or in Forensics.

General IT programs teach IT folks how to fix things from the inside out of a computer. They have a basic understanding of networking and they know how to fix a bunch of stuff. Put them in front of a firewall and tell them to configure VLANS and Rules to let traffic flow through and they freeze because that's not something they are familiar with.

However, give that same task to someone who is specialized in Security and they will ask you "How segmented do you want the VLANs to be? What ports do you want traffic to flow through?" That kind of thing. They are specialized for a reason.

As for the media...while I do appreciate a good media story now and again, often times the media will emphasize the wrong thing and not get the real message across. For example with the JP Morgan Chase breach, it's been said that it's not a concern to the company, which is not the case. Chase is very concerned about the fact they were breached and they are doing what they can to mitigate the situation. Whether that's the fault of the media or the editors, I haven't really figured that out yet.
ODA155
0%
100%
ODA155,
User Rank: Ninja
10/9/2014 | 1:53:49 PM
Re: IT vs Security
"I can say that Security people are laser-targeted specialists and IT folks have to know a lot about everything."

To that I disagree, and here is my reasoning. In my opinion an "IT Gerneralist" is not really IT, they're someone whose interests are geared more toward business interests, getting the project in on time or project managers. Someone only interested until the system\project is handed of to IT professionals who must adminster and maintain what they've been handed. Ask any person whose made their living in IT working with systems or the core infrastructure of how your companies IT environment is configured. When a generalist needs something done they go to the specific IT personell that can accodate their needs whether that be, admin, application, database support or something at a higher level. Also, I believe that the BEST security folks come from the ranks of IT professionals like SYSADMIN and network engineers.

Security professionals, while "laser focused", must know alot more than just the security side of things and that said there are so many different areas of security I can understand why people would think it's that simple. OK, now putting aside the argument of whether the CISSP certification is worth it, I believe that it is, others don't. Putting that aside, I've listed below the ISC2 10 Domains of Information Security, I've had my cert for over 10 years now, and I have to tell you that my laser cannot focus on all of that... there's no way and anyone who says that they are is lying to you. Like any other other profession with multiple levels and concentrations you find your niche and resources.

What I think the real problem is, that it's not who gets it more, it's communication because neither side wants to listen to the other. For instance, there is a project to design and build out something to do something really cool for the business. The system design team may not include security because its going to change how they want that system to do those very cool things and they may not want to hear it... just apply security once it's up and running. Security knows that once it's up and running (which is when we normally find out it's even up and running) it it's too late in most cases to build proper security processes or systems into whatever is being planned, therefore requiring extra effort from all teams involved (again) afterward instead of during the designed process.

I would invite anyone in my company to come walk a day in my "security shoes"... user awareness... phishing emails... CRYPTOLOCKER... CRYPTOVAULT... other assorted malware... firewall rulesets... PCI... HIPAA... SOX...Penetration Testing... compliance configurations... vulnerability scanning and reporting... explaining why any vulnerability on any Internet facing device should not go unresolved regardless how minimal... C-Level people who want non-expiring passwords (yeah), web filtering... user access management and my very favorite thing to do, knife fight with DBA over database security for MSSQL vs Oracle.

Thanks, I've said enough and I hope I haven't made too many folks upset.

 

ISC2 10 Domains of Information Security
1. Access Control – a collection of mechanisms that work together to create security architecture to protect the assets of the information system.
2. Telecommunications and Network Security – discusses network structures, transmission methods, transport formats and security measures used to provide availability, integrity and confidentiality.
3. Information Security Governance and Risk Management – the identification of an organization's information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.
4. Software Development Security – refers to the controls that are included within systems and applications software and the steps used in their development.
5. Cryptography – the principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity.
6. Security Architecture and Design – contains the concepts, principles, structures and standards used to design, implement, monitor, and secure, operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity and availability.
7. Operations Security – used to identify the controls over hardware, media and the operators with access privileges to any of these resources.
8. Business Continuity and Disaster Recovery Planning – addresses the preservation of the business in the face of major disruptions to normal business operations.
9. Legal, Regulations, Investigations and Compliance – addresses computer crime laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence.
10. Physical (Environmental) Security – addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise's resources and sensitive information.


GonzSTL
100%
0%
GonzSTL,
User Rank: Ninja
10/10/2014 | 9:50:49 AM
Re: IT vs Security
@ODA155 "What I think the real problem is, that it's not who gets it more, it's communication because neither side wants to listen to the other. For instance, there is a project to design and build out something to do something really cool for the business. The system design team may not include security because its going to change how they want that system to do those very cool things and they may not want to hear it... just apply security once it's up and running. Security knows that once it's up and running (which is when we normally find out it's even up and running) it it's too late in most cases to build proper security processes or systems into whatever is being planned, therefore requiring extra effort from all teams involved (again) afterward instead of during the designed process."

That hits the nail right on the head, as the saying goes. When it comes right down to it, most IT security issues boil down to design flaws or weaknesses, whether it be in software, hardware, or architecture. In over 20 years of IT experience including software development, desktop standardization, server infrastructures, network engineering, business analysis, security, and management, I have seen IT groups focus almost exclusively on the design and delivery of technology without bothering with the security aspects of their solution. And yes, too many times security is brought in as an afterthought. There are tremendous pressures on IT to deliver technology that enable business processes, and if security and IT are on a linear reporting structure, security will almost always lose, and securing the technology will be a catch up game at best. Needless to say, there is also a communications gap between IT and security. As you know, ISC² maintains that soft skills, along with the 10 domains, are vitally important to a security professional. Security folks must communicate their security goals properly and effectively, to ensure that security is involved at the design stage of any IT technology project. At the same time, IT must also listen to security, and together, they should collaborate as a team to deliver secure solutions that enable business processes to function efficiently through the use of technology. I also teach InfoSec, and I drive that point home to my students; in fact, I always recommend to them books on effective business writing, communications, and teamwork and leadership skills. It is well known that soft skills rank very high on the "wish list" for security job openings, sometimes even rating higher than actual technical skills, especially at the management level. Incidentally, I agree that the CISSP certification is valuable (or else I would not have gotten it). At the very least, it shows that an individual not only possesses broad knowledge in security, but also has practical experience in the application and deployment of secure practices.
Steve Yarlly
50%
50%
Steve Yarlly,
User Rank: Apprentice
10/10/2014 | 10:55:07 AM
Re: IT vs Security
As far as your example of a security person setting up firewall rules, that to me seems to be more a network engineers job.  While it is certainly a good idea to have a security persons input for setting up firewall rules, the actual implementation of the rules should be performed by a network engineer, not a security specialist.  Seperation of duties must be maintained.  Having a security specialist provide input on the request and if approved the network engineer will implement.  

 

My two cents.
PZav
50%
50%
PZav,
User Rank: Author
10/9/2014 | 4:20:31 PM
Understanding
Its probably a lack of understanding into exactly the challenges posed by information security. I believe most IT people consider information security folks to be the goalies. Its their job to provide a barrier. In IT's mind that just means more hardware, which is a subset of IT's world. 

Good IT people are more focused on operational efficiency, capacity planning and making improvements across the board. Outsourcing IT and cloud solutions has increased IT's visibility and given them a seat at the executive table as they're now key revenue drivers.

Info Sec is a different animal altogether. They have all the above are concerns, but they also lack influence. IT security is a cost and a drag on the bottom line. 

That can have all sorts of consequences, but namely they're the last to present, the last voice heard and used to be the least interesting voice in the board room. However, that's going to change.

The key now is to have people who can translate info sec needs into language that not only IT can understand but also executives. Most executives are risk averse, they just need to understand the risks.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/13/2014 | 12:29:58 PM
Re: Understanding
@RiskIQBlogger  Ah, yes, the ol' "cost center" thing.  As you say:  "IT security is a cost and a drag on the bottom line. That can have all sorts of consequences, but namely they're the last to present, the last voice heard and used to be the least interesting voice in the board room." 

You say that's going to change. How long do you think it will take? I've been hearing for ages that eventually good security will be a selling point for businesses, and THEN they'll take it seriously.... hasn't happened yet.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/16/2014 | 10:57:07 AM
Re: Understanding
@Sara Peters

"You say that's going to change. How long do you think it will take?"

When we turn on the TV or come out to this site and read that senior people responsible for the care, management operation and security in some poorly secured data environment was hacked for 83 Million customer records, when they along with their CEO's and others responsible been indicted for neglegence. That's when it with change.
bearinboulder
0%
100%
bearinboulder,
User Rank: Apprentice
10/9/2014 | 5:25:55 PM
There's no middle ground
I put a lot of the blame on the security people building a moat around their castle.

I'm a software person but by studying for (and actually testing for) an appropriate certification I can 1) learn a lot, 2) learn the common language I need in order to talk to my peers, and 3) get a credential that will tell my peer's boss to give me a chance. I'm not asking for free reign just because I have a stupid cert, I just want a seat at the table to express my concerns instead of being treated like an idiot later by people who might know less about their subject than me.


Unfortunately security has gone the other way. I can pass exams but, except for CompTIA, I can't get certs because they all require extensive job experience where your only job is security. That means it's a lot harder for me (and others like me) to act as a bridge between development and security teams, it means I have a harder time advocating for little things that will improve security, etc. There's no way to distinguish myself from a guy who read a few DZone papers and is now convinced he has all of the answers.


Sure, some people know what "Associate of ISC2" means, but few will care since infosec isn't my job. It's even worse with CEH - you can make a strong argument that at least one person on every user-facing team should be a CEH but nobody can get it if they're developers, not infosec.

The flip side is also an issue. Since infosec people are expected to focus on infosec they never develop the breadth of experience that will allow them to easily communicate with their non-sec peers. So instead of being involved in early design (or even architectural) meetings and discussing their concerns in a way that the developers, DBAs and sysadmins understand they come in later with decrees that often make no sense from our perspective and then wonder why there's anger.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/13/2014 | 12:34:15 PM
Re: There's no middle ground
@bearinboulder  Great, great points. I'd considered how this chicken-egg problem -- can't get a job without security certs and can't get the certs without the job -- affects the so-called "security skills shortage." But I hadn't thought about how that issue impacts how security is viewed/treated within an organization.
macker490
0%
100%
macker490,
User Rank: Ninja
10/10/2014 | 7:18:09 AM
security starts with software control
the common thread in all this hacking is : malware

malware is un-authorized software

the key to security then is controlling the software.    and you can only do that by starting in the os -- and that is where the real trouble is.    and only the os oem can fix it.    you cannot fix it by tacking on patches.

data encryption and secure passwords are easy to use -- but useless if your system is compromised with unauthorized programming.
aws0513
50%
50%
aws0513,
User Rank: Ninja
10/10/2014 | 11:46:34 AM
Risk management should become an emphasis.
As I listened to your thoughts and perceptions in the video, I was reminded of a line shared with me a long time ago during my military career.
"You can have exceptionally skilled and trained soldiers, the best equipment, solid policies and plans, effective logistics, awesome everything.  But none of it matters unless everyone... EVERY SINGLE PERSON INVOLVED...  is on the same page with the same goals in mind.

Much of what you discussed is that very problem.  The security professionals have one particular goal that, if you think about it, is relatively new in the IT industry.  The IT professionals have goals that are more focused on service delivery, solution design, operations support, and maintenance planning....  keeping the business in business.  The business is generating revenue = the IT function is working as expected for the business to function.

Security pros would like to say they are keeping the business in business too, but what they believe is only just now becoming a tangable thing.  Thanks to recent events and media coverage, the risks are becoming more difficult to accept by business owners and customers alike.  Not just monetary loss...  reputation is also on the line.
At the same time, IT pros are seeing risk to their own careers by not hearing the guidance provided by security pros.  If a business is not generating revenue because customers have lost confidence in the way the business protects private information, the business may have to make changes to stay afloat.

The gap between these viewpoints still exist because there is still this intangable aspect of security that is difficult for many people, not just IT pros, to rationalize with their current goals.  How does one measure the effectiveness of a fence and gates around a warehouse other than to say that nothing bad happened in the warehouse recently?  Nothing bad can happen without the fence and gates just as easily.  The chance for a bad thing to happen may be higher, but that is still often an unmeasurable factor.
What makes things even more challenging for gaining hearts and minds in regards to security is the fact that threats against our environments are changing tactics so fast that all the fences and gates in the world may still fail to stop those "unknown unknowns".  Organizations with solid security programs are still getting hacked out there, and such news undermines the opinion of security practices because people see such breaches as "security failed again".

"Risk Management Professional"...   maybe that should be the new name for security pros.  Heck, maybe security should be renamed to risk management.  That is all security really is.  Maybe more people would be able to rationalize the need for risk management practices?  Maybe a renaming of the security industry is in order to make it more understandable to IT pros, business owners, and consumers alike.

I will say that I do sense a slow shift in the IT professional mindset however.  As IT pros learn more about what can make them look bad in the eyes of business management, they are also learning more that the security risk management pros can help them avoid those possible as long as they learn to work well together.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/10/2014 | 1:20:17 PM
Re: Risk management should become an emphasis.
Although I do agree that Risk Management is a critical part of Information Security, I'm not sold on remaning it as such. Risk Management encompasses so many aspects of an organization not directly related to IT Security. It is true that some organizations have IT Security reporting to the CRO, but my take is that it is a subject that has evolved to really become its own discipline, and really deserves to have its own seat at the table.

I also agree that IT pros in general have become increasingly aware of their need to pay more attention to security, if merely for self preservation. Since IT's role is to deliver technology that aligns with business goals, they should see that Security's role is to make sure that the technology is delivered as securely as the business allows based on risk. After all, the ideal situation is for all aspects of an organization to align with the organization's business goals.
savoiadilucania
50%
50%
savoiadilucania,
User Rank: Moderator
10/15/2014 | 11:33:25 AM
Meh
Information technology generalists don't understand security because they don't understand information technology.
Marc Eggers
100%
0%
Marc Eggers,
User Rank: Strategist
10/15/2014 | 8:06:10 PM
IT Generalist - so bad?
As one of those "IT generalists" who has returned to my security roots and is delving back into it, I have to say that I think the issue is less a question of "Do IT Generalists understand security" as it "Why dont' we have more IT generalists who know what they are doing". Now, I am not talking about the business users who are considered generalists because they have superuser rights or can go into admin panels and change passwords, but I am talking about the IT Generalists who are able to support their company in any way that is needed.

I think that there needs to be a return to the generalist mentality. Hear me out before you decry my statement. I am not advocating a return to the single person IT department, but I do think that cross-functional understanding improves everyone's performance and facilitates communication so that everyone is on the same page. How often has there been a problem because a programmer didn't build in enough security assuming that the firewall or vpn would protect them? How often has a firewall been misconfigured because it was quicker or easier to get it up and running that way? How often has a project been completed only to have someone find an architectural concern or security flaw in the design that would have been able to be eliminated from the start had input been sought from someone in a different sector?

It is disheartening to see the silos that are built up around all the different areas of IT. How often have you heard a programmer design a website or an application that does not understand assembler or network protocols? Or a system admin who doesn't question why their server is running at 75% memory usage but just throws more memory at the problem? Colleges these days are teaching programming in a very slapdash manner to get more people out there coding, but so many do not understand how the computer works to understand the difference between an int and a long, strcpy vs strncpy, varchar or nvarchar, etc. The list goes on and on. I have heard infosec professionals say that if every developer stopped using strcpy we would almsot eliminate the entire class of vulnerabilities that rely on buffer overflows. Yet we still have developers using strcpy. We have websites that are still written to send the username and password directly to the database.

I don't think that everyone needs to know the nitty-gritty of encryption or NAT tables or SQL injection or whatever it happens to be, but I think that everyone should have a more than passing knowledge that these things exist so that everyone can support one another. Security can not be one person's responsibility without the support of the rest of the organization. Everyone having a broader understanding of other's roles, responsibilities, and most importantly capabilities allows us to layer security more comprehensively than a wrapper that is thrown on as an afterthought.  One of our biggest responsibilities in security is training others to be secure and bringing everyone together and how can we bring everyone together if we aren't generalists enough to know what everyone else's skills and responsibilities are?
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
11/4/2014 | 3:47:08 PM
IT Generalists Can Understand Security But Should They?
I started out in the 90s building my own systems (early Red Hat, Slackware and Radio Shack) because I couldn't afford license fees for the software everyone else I knew was using.  That led to work in the industry as a software tester, then builder and automation engineer, to project manager and build/release manager.  Now I'm on my way back down in the tech trenches, doing builds and testing and a host of fun security-related tech at home.  It's fair to say that since the 90s I became an "IT generalist" over time, with a minor specialty at each new job.  However, going back down the ladder, I'm learning that while my experience across the board in IT helps me appreciate what everyone else does, it doesn't mean I should formulate opinions or direct others to do things within their area of expertise.  In fact, I feel more strongly today about "each thing (or resource) in its place" than ever.  I liken IT Security to the military, and I think that all of us "generalists" don't need to understand security more deeply that this:  Shut up and listen to your IT Security team.  They are there to keep your data safe and maintain the integrity of the company you work for.  It's like being caught in a terror attack:  Do you need to understand why it's happening, or the mechanics of how the military sent in to protect you works?  No – respect the SMEs (subject matter experts) and jump when they tell you.

I think that is why I am so focused on software security now that I'm older.  Testing software opened up a new world to me and I broke lots of code; exploits could have been written off some of the results I got out of my stress testing.  Writing code for test automation also opened my eyes to a whole new world of tech, and built appreciation for programmers and what they do; especially from the perspective of writing secure code.  But never once did I feel I "understood" security and could speak to it as an expert.  I shut up and I do what the security teams tell me to do, from patching my systems to cease/desist orders against my ISO downloads :-)  Do I want to understand it fully?  Sure – and I have lots of lab time in over the last couple years that has allowed me to develop both practical systems security knowledge and combative security tactics.  But I'm still proud to be an "IT generalist" because my brain is just too interested in too many things tech to stay on one track for long.

Why don't IT generalists understand security?  Maybe because they shouldn't have to.  They can, but really all that's important is that they respect that IT security is a necessary function, and that when they are told by someone from that function to do something that will protect them and their office mates, they do it.
shirishkunder re
50%
50%
shirishkunder re,
User Rank: Apprentice
7/7/2015 | 4:01:57 AM
Re: IT Generalists Can Understand Security But Should They?
Although I do agree that Risk Management is a critical part of Information Security, I'm not sold on remaning it as such.
anirudhsingh1
50%
50%
anirudhsingh1,
User Rank: Apprentice
7/8/2015 | 3:43:15 AM
Re: IT Generalists Can Understand Security But Should They?
great news
dsweil35
50%
50%
dsweil35,
User Rank: Apprentice
9/23/2015 | 1:08:50 PM
Entry into Info Sec is difficult.

I have lots of coworker who are IT Gen. like myself, but have no interested in security or even care about it. There only concern is getting what they need to do quickly and efficiently done. I on the other hand am intrigued by security, but and limited by what few certs I can get and book knowledge I can obtain, getting actual experience is almost impossible. Companies expect to hire fully formed professionals with all the knowledge that they will need. Even with growing security concern and using cloud based service to help with companies security concerns it seem there will need to be lots of new professionals in the industry to meet the demands of the market with the increased rate and severity of attacks. Only issue is there are very few entries into the security world. Companies are not likely to spend money on training IT Pros. to do the work that is needed so the industry needs is to create people that meet those needs can create better training to get users up to speed with current Sec Pros.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5421
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...