Feature Article

June 26, 2013

Management Security Training and the Lessons of Edward Snowden

Any ne’er-do-well with a computer can be the next whistleblower associated with America’s National Security Agency (NSA). Of course, while it is important to determine the impact of Edward Snowden’s actions, the real conversation should be about the security job market and the skill sets required to enter it.

When the head of the NSA speaks at Black Hat and tells hackers “Uncle Sam Wants You,” there are sure to be some lowered expectations on certification, degrees and training. However, just because you are hiring the hackers does not mean they are on your side, and thus, somewhere in the hiring process there should be an HR-integrated policy that is not simply delegated to IT for placement into the policy of a firewall box.

Any so-called security expert is aware of three things:

1. The job is impossible. Fundamentally, the number of ways data can be compromised is far greater than the staff you have on hand to implement policy, and in the event of a breach the blame will fall on you regardless of any warnings you issued or attempts you made to implement change.

2. A security breach is inevitable. Every company has something it considers proprietary, valuable or secret.

3. Managing security by hiding your policies is nothing more than an attempt at denial that your system has been penetrated, and now you are just kidding yourself.

In speaking with Jeff Kalwerisky, executive vice president and chief information security officer of CPE Interactive, it quickly became apparent to me that the need for training at the executive level is one of the most misunderstood aspects of security.

Just because it’s called “Cyber Security” does not mean the answer is in the computer - often the weaknesses lie at a far more physical level, such as the theft of hard assets that house the information, or security compromise via memory sticks and external hard drives. However, although there are methods for cracking blocked USB interfaces, turned-off open network elements, etc., the black hat mindset is to expect a clear path to exploitation.

So why does management need to be trained? Because the problem to consider is not what would happen if a rogue user gets on the network; it is how to contain such a problem once it has occurred.

The access to data enjoyed by Edward Snowden and Bradley Manning was long-term (never mind that the data was unencrypted), and the fact that leaks in cases such as theirs went unnoticed and unsuspected clearly illustrates that broadband and cheap memory defeat cost as a deterrent, or as an easily flagged line item, for transferring data. Also, the use of third parties to manage such services suggests that best practices need to be reexamined for a mixed environment.

Though Snowden and Manning face very different outcomes based on their circumstances and their employers, perhaps the government rules should universally apply. That would certainly be my policy.




Edited by Stefania Viscusi

