This post is one of a short series on structural and systemic things the Information Security industry does wrong, and what we might do about them.
Disclaimer: I advocate lifelong learning, that includes professional training, product training, workshops, online or in-person courses, and academic study. The professional trainers I know who author and deliver their own material are among the most mentally agile people I’ve ever met. The world’s best educators would be my first choice for human cloning experiments.
This isn’t going to work.
We are not going to up-skill ourselves out of this.
Not now, nor ever.
I’ve noticed a rash of articles, news stories, and even government initiatives around increasing the number of people with cyber skills on the heels of years of security breaches involving well-known corporations, branches of government, and public individuals.
The thrust of those articles is:
1. Organisations and individuals have failures of Information Security because they lack the skills needed to avoid them. Or if failure is their natural state, they lack the skill to detect it and wouldn’t know what to do about it anyway.
2. Upskilling large numbers of people will make a significant difference to their Information Security outcome. They would have fewer problems or problems of a less serious nature. They would catch them sooner, and recover faster.
I’m going to prove to you that whether or not (1) is true is irrelevant, because (2) is futile as a strategy for achieving better security outcomes at anything other than a small scale for a brief moment in time.
The reason upskilling won’t make any significant difference to the amount of pain experienced by companies and individuals or the ease with which attackers can find a vulnerable system is because of the scale of the problem today, its rate of growth, and the multiple dimensions in which it is growing.
Security vulnerabilities are like entropy in the universe, always increasing. In multiple dimensions on multiple levels, simultaneously, at an accelerating rate. The visible portion of this entropy, the reported hacks or detected and countered vulnerabilities you read about, are but the merest observable portion of that universe. The rest is dark. We don’t have a universal fuzzing telescope with which to see it. In fact, when we examine systems today, we are actually looking into the past, at software which was designed, written, implemented, and put into service long ago.
Every day there are more systems. They are more complex. They have more interconnections between them. Those connections involve more trust relationships and carry more valuable information.
Systems and software are going to be everywhere. Insecurity is created faster than security can be imposed or mistakes corrected. How many lines of code were written in the world in the time it took you to read this sentence? How many of those lines contained a security vulnerability? How many of those programmers are you going to upskill so that they make slightly fewer errors? As a strategy for improving cyber security, upskilling is only marginally less futile than educating end users; most of us gave up on that decades ago. I almost forgot to mention that even the best software can still be installed improperly or configured unwisely, exposing you to even more insecurity. How many systems administrators are we going to educate, and how much better will they be than before?
Remember when we solved the Database Administrator skill shortage by training people?
Neither do I.
I’ve a feeling a good DBA may be harder to find now than in the ’80s or ’90s because today so many average-to-poor DBAs are in the market, and there are so many qualifications of dubious merit which may or may not indicate a candidate’s real competence.
Yet databases are everywhere and for the most part, they work. Why?
- Isolation and sharding, pre-packaged applications and pre-packaged DBs.
- Explosion in capability and collapse in cost of storage including memory. No more exotic devices.
- Caching layers to mitigate limitations of storage or poorly conceived, resource wasting queries.
- “As a service” for enterprise applications, where the service provider has all the best DBAs and offers you an SLA.
- New database paradigms which are a better fit for certain applications, simplifying them.
- Sometimes it turns out you didn’t really need a DB after all.
Having an increased pool of skilled DBAs isn’t on the list. I’ve no idea if interested parties were calling for a mass upskilling of people into Database Administration during the ’80s and ’90s. They probably were. I expect a lot of training courses, study guides, and certificates were sold and a lot of search consultants did well. While a great DBA was valuable then and is now (if you need one), DBAs did not have a transformative, lasting effect on the world’s experiences of databases. The stuff on the list did.
This isn’t an argument against having skills; remember my disclaimer. It’s an argument against the belief that skills can significantly improve Information Security outcomes for the majority of organisations over the long term, even if we could somehow train people en masse to a high standard. I forgot to mention that such outstanding people will have to be retained by your organisation too.
I make it a rule never to call out a problem without suggesting at least one solution.
The fact is you probably already know what to do about the cyber security skills shortage.
We need winning systems, and I mean systems in the broadest sense of the word. How can we identify a likely winning system? It’s going to have one or more high-level characteristics:
- If it requires human effort, that effort will be coupled to a force multiplier.
- It will have the inherent property of being able to adapt to threats.
- It will operate with an assumption that failure is an inevitable state of any supposedly secure system.
It didn’t take an army of experts to make cholera a thing of the past in Victorian London. Just a few smart people with knowledge, a winning system, access to capital, and a practical plan to get that system implemented using cheap labour (who for the most part couldn’t even read). The same was true for leprosy vaccination in 1950s Africa. The pointy end of the syringe went into the patient and everyone had to come for their jab at the same time. The vaccine works, and a syringe has a very limited range of failure modes. The plans and systems had to be simple enough to be repeated and executed by novices.
Is Information Security really so different?
At the cutting edge of research and development, skill and knowledge are vital. However, the majority of actual securing will get done through the adoption of winning systems implemented using packaged products or services at scale, usable by novices.
Like the idea of getting paid to implement winning systems rather than just being skilled and working hard?
You might like this.
If not, then you just wasted 5 valuable minutes you could have spent Skilfully patching something. Console yourself by reading this, because it was written by someone who has attended lots of training courses.