Dear Future President,
Thank you so much for using computer security as a talking point in your campaign this season. Allow me to personally say that, as a computer security professional, your bringing this issue more firmly into the spotlight can only be a good thing. If I may be so bold as to speak for many of my past, present, and future colleagues, having our industry made a conversation piece in homes has done more than any awareness campaign our marketing departments could have dreamed up. (Though IBM deserves a nod for running a Super Bowl ad about computer security a few years back.) We appreciate the current president’s initiatives to bring our nation’s cybersecurity up to a common standard, and I particularly appreciate Initiative 8’s intent to work on education.
So now that you have the nation’s full attention, and our sector has your attention, I’d like to bring up a few special requests from my part of the security ecosystem.
On the most official side, could you share your data classification schema more widely? Data classification standards in an organization are the key to beginning to plot out a security strategy and plan. Many companies don’t realize that your office considers security metadata to be Sensitive But Unclassified—because a website’s IP address can fairly easily be determined through usually legal means via a simple ping or other discovery protocol. Security data is all about what is going on within a system—fragments of bytes, offending scraps of an attacker’s code, anti-virus reports on which bit of malware they’ve quarantined. Without guidance that treats security metadata as something separate and very different from your real data (PII, intellectual property, payment card information), some companies are paralyzed with indecision about outsourcing any part of their security operations, scanning, or monitoring, because they don’t understand the difference. This keeps them from asking for help when they need it. A firm guideline document from you would help a lot.
In security, we talk all the time about the weakest link being people, with all of the social engineering attacks that arrive via emails and embedded in files. Given that just under half of all successful breaches involve an insecure web application, I think we as security professionals owe it to people to make those applications more secure. I’d like to live in a world where my mom can click the wrong things, or accidentally paste those long lectures she sends me into the entry blank on a form, and not have things go terribly wrong for her or for the site she’s visiting.
I’ve been pondering how to approach this part of the awareness issue, where I might ask your help. I’d love to see people start referring to the cybersecurity discipline as “network and application security” as a whole. Just that much will help people start thinking about their applications and prioritizing a security review.
There is good work being done by organizations like Oasis, who are working to make standards for our security community. They’re creating guidelines for how to formulate and transmit security and threat data, so that we vendors can integrate more quickly with one another in creating a fabric of security. For years, integrating one part of network security with another has usually taken manual work, and most of those tools haven’t talked to application security tools at all. Your encouragement in this area will make a difference.
Finally, I’d like to talk about people. Security as a discipline is made up of tools, processes, and people. Some people specialize in building tools, some use the tools, and some monitor the tools. Some investigate what happened and do troubleshooting. Believe it or not, these people come from all walks of life. I visited a customer site once where the woman who ran the end-point security system had started life as a very proactive secretary, with solid project management skills. She did a good job. I don’t know that anyone with a computer science degree could have run that system more efficiently.
People in IT who need to know more about security, and here I’m talking about the people who build applications and write programs, need to know how to do so securely. Now, I know there are a lot of training programs that exist out there, from company to company. There is tool-specific training and computer-based scenario training. There are professional organizations like SANS and ISC(2) which exist to try and reach more individuals. I’d really love to see the U.S. Department of Education committees reach out to organizations that provide different kinds of training, and help them build connections with high schools, trade schools, community colleges, universities and veterans organizations alike.
As a woman in security, I want other women and girls to see that they have options—to do things they never dreamed about before. When I was in school, I wrote down what I wanted in a job: I wanted to travel widely, making decent money while I helped make the world a better place. I found that in security. With your help, more people might be able to share that kind of dream, and help our industry close an ever-widening gap of capable job candidates.
Thanks, and best wishes,
Jeannie Warner, Security Strategist, WhiteHat Security