Not investing in training

By Joel Snyder
Network World, 08/28/2006

Original Article on Network World Web Site

Security isn’t a thing you buy and install, such as a database package or a file server. Security comes when you build a policy, then choose products and configure them to meet specific goals and counteract specific risks.

You wouldn’t give an untrained person cheese and eggs and expect a perfect soufflé. But many companies seem to think that security is something you get by throwing a lot of money at hardware and software vendors, unpacking cardboard boxes and plugging in appliances.

Unfortunately, it just doesn’t work that way. Without training and a thorough grounding in the principles of IT security, you will end up with a patchwork mess that brings little or no benefit.

In customer visits, I find untrained staff in critical positions, often making poor decisions — wasting money on products they don’t need, failing to properly use the products they have, skipping critical steps, such as policy development, and never really aligning the technology of security with the business of the enterprise.

For example, I was recently asked by an organization to help reconfigure its existing VPN. The reason, I was told, was that “Triple-DES is completely discredited, and we have to switch to Advanced Encryption Standard.”

While it’s true that you wouldn’t choose Triple-DES over AES if you were building a new VPN, this VPN was used as an Internet-based backup when point-to-point circuits went down, and it had seen only about 40 hours of operation over four years.

When I pointed out that most of the organization’s traffic went out over unencrypted lines anyway, that changing the VPN configuration was going to mean replacing all of its equipment and that it didn’t matter for that application and risk level anyway, I was met with wide-eyed stares of confusion.

This team’s leader had stumbled on a Slashdot posting and given a directive. No one on the team had the expertise to look at the whole problem and understand that they could improve security, if the risk warranted it — but not by swapping out a perfectly good VPN they rarely used.

Buying point products won't help if your staff lacks training in security principles and policies.

Companies often focus on product training, and that’s understandable. Many — in fact, most — security-product vendors require training to use their product, by providing miserable, misleading documentation and delivering user interfaces designed by programmers utterly unskilled in the matter.

The “it was hard to write; it should be hard to use” method of product management is very popular nowadays. Product training is valuable, especially with the most recent crop of hard-to-use devices rushed to market.

Security teams need three kinds of training, delivered in copious doses. Product-specific training should go with any major new product, but that’s only a start. It’s no good to know how to configure SYN flood protection on a firewall if you don’t understand what a SYN flood is.

The second kind of training is on the core concepts and idea behind networking and security. Basic technologies such as TCP/IP, cryptography, VPNs and stateful firewalls need to be well understood by everyone in IT responsible for security. Someone with a good grounding in networking and math can pick these up through dedicated study, but companies should jump-start the process by taking advantage of technical-training opportunities at conferences or at local colleges.

Here, the Internet is actually a bane. I meet many IT professionals who could not function without Google and have come to depend on it, rather than actual understanding, as the primary tool to help them lurch from problem to problem and get through each day’s tasks.

The Internet makes it quick and easy to gather factoids, headlines, opinions and bits of information about any topic. But finding an authoritative-sounding message on a mailing list explaining the differences between SHA-1 and MD5 is not the same as understanding those differences — or whether those differences make any difference to you for your application.

The third kind of training required for good security is the hardest to get: overview knowledge and wisdom that only comes from an experienced mentor or through intensive on-the-job training. Being able to take the big-picture business requirements and translate those to a security policy is something that comes with practice and perspective. It’s not enough to know what a SYN flood is and how to prevent it. You have to understand what assets require protection and how to balance risks and costs.

A few training groups make great efforts to recruit experienced technologists as instructors and provide a holistic curriculum that includes big picture and details.