By Vince Tuesday
Every so often I meet with a group of my peers to trade war stories about life in the security trenches. Mostly we swap technical hints and tips about what works when trying to sell security to management. Recently, the topic was manager and staff issues.
The discussion revolved around what makes a good security staffer or manager. We all agreed that bright, inquisitive people seem to do well and that a mix of technical and people skills is vital. But these qualities are general and hard to identify in the people around us. It is difficult to provide guidance on what anyone who wishes to succeed should do, but in speaking to my colleagues, I've come up with some simple things to avoid.
The Arrogance Trap
The most common trap that security managers fall into is being arrogant. I'm sure I have suffered from this weakness myself at times but hopefully not as badly as some of the folks my colleagues have described.
A good security manager must have confidence in his abilities and make snap judgments under pressure. The problem is that these traits, when exaggerated, become a weakness.
I used to have a boss who would always show off the work he did to everyone he met. He also abused a secure investigations room our staff had set up for storing all of our tools and evidence from investigations. We had set a policy that everyone who entered that room had to be signed in and out. But this manager would hold meetings with external suppliers in the room because, I suppose, he felt it made him look like a security professional when he was surrounded by all the equipment -- and white boards with the progress of investigations written all over them.
We kept a log of everyone involved in each investigation, such as those from the legal department and human resources, so we would know who had the details if the information leaked. This same chap used to boast over drinks at conferences about his work in such detail and with such a lack of discretion that I had to add workers at an external company to one list as knowing the full details of an investigation.
Such arrogance clearly can imperil the confidentiality that a security manager is supposed to protect, but an overzealous manager can also err by going too far the other way, hiding too much of the details of what he does. This "I'd tell you but then I'd have to kill you" attitude can be just as disruptive as shouting your mouth off to all who will listen. Although we try to keep up with technical trends and the latest threats, if we don't share, then we won't gain the best from the other teams in the company.
You don't have to be a technically skilled manager to lead a security team. One of the security managers I respect most has little formal technical training but has a wonderful knack for knowing which parts of any system or presentation don't quite add up and then asking for more detail in those areas. Technical experience can help with that process if you already have that magic sixth sense, but technical experience alone isn't enough. It's much easier to teach someone with analytical thinking skills how to configure a firewall than the other way around.
An even worse weakness is to be overawed by technology to the point where your critical faculties step into reverse. I've spotted this in a few situations. One such scenario is when a security staffer gives a presentation on hacking that turns into a tutorial for script kiddie wannabes. At a conference or sales meeting, an eager-to-impress techie will stand up and do a blow-by-blow re-creation of an attack that compromised corporate servers.
Then there are the antimalware vendors that sometimes provide demonstrations of Java code or viruses that might do dreadful things. These demonstrations aim to spread fear in the minds of naive managers. There are definitely threats out there, but in my experience, the sky isn't falling. Java and ActiveX haven't cost any business downtime other than delays caused by using scanning software.
The other area where a lack of knowledge can be worrying is cryptography. I'm often called in to discuss our secure network with other financial institutions' security teams to convince them it's safe to connect. Most take a look and come to an informed decision. But the companies with inexperienced security managers just ask how large our crypto keys are.
Why do they think this is important? Perhaps because it's difficult to market cryptographic products on their real strengths, vendors simply claim to be better if they have larger key sizes. Key envy leads to situations such as the 1 million-bit key size product. This doesn't really have a 1 million-bit key in mathematical terms, but in marketing terms it does.
All of these weaknesses can be dreadful, but my No. 1 is the manager who doesn't know enough about the business he's trying to protect. If you don't know what your company is trying to do and what risks it will accept while doing it, then you'll never get it right.