Passed CISSP 10/24 - disappointing as expected


Comments

  • ITHokie Member Posts: 158
    colemic wrote: »
    I very much disagree. Security to most organizations is treated as a bolt-on function, whose weight slows the business down, instead of seeing it as a critical function/security system for the fast shiny sports car. There's a big, big difference in that perspective, and truly incorporating security from the ground up, and viewing it as an integral part of the team. As broil720 said, when organizations really begin to shift that direction, you will see a remarkable change in the business landscape.

    You can disagree all you want, but it's demonstrably true in the federal and financial sectors. They've been dealing with successful attacks for years. Reference the recent attacks on the White House (federal) and JP Morgan Chase (financial). They have very large, very funded security programs. We're not talking bolt on security.

    As far as the rest of the industries, they have a lot of catching up to do. I think you may have an argument there (like retail), except for the fact that your strategy (treat security as a critical function) has already failed miserably where it is in use. As other industries become larger targets, they will fail if they rely on the same mentality. Treating security as a critical function is necessary, but it is not sufficient. While it does effect some change, it has been tried and found wanting.
    colemic wrote: »
    truly incorporating security from the ground up

    Would you mind elaborating?
  • ITHokie Member Posts: 158
    goatama wrote: »
    I think what a lot of people here are forgetting is that, in order to obtain the actual CISSP (not just an Associate status), you're supposed to have at least five years verifiable experience in at least two of the ten domains on the exam (or four years, with a one year waiver for having a degree or qualifying cert). This requires you to have your manager or someone sign off on your experience, and you also have to be sponsored by another CISSP who, ostensibly, is supposed to validate that you're not just a test dumper. Unlike other certifications that just require you to pass a test, this is, again, *supposed* to ensure that you actually know what you're doing in the field.

    Are there ways to game the system? Absolutely. I worked with someone who had her CISSP and when I asked her to give me her local IP address had no clue how to find it. But these steps are there to at least make an effort to ensure the successful candidates are knowledgeable and competent in the realm of InfoSec. I agree that some people (especially those in the upper management realm) put way too much stock in this cert, but there's a method to the madness.

    Regarding the experience requirement, that can be helpful. It can also be bypassed pretty easily (I know because I have worked with these types in DoD). Even then, it does not have to be technical experience. If it isn't technical experience, what good is it going to do against skilled threat actors? Or if it is technical experience, what good is 5 years of provisioning user accounts?
  • colemic Member Posts: 1,569
    Just curious, but in your mind, what would an effective federal security program have as an end result? It's the US government, of course their risk is always going to be higher, and they will continue to be breached. Re: large, well-funded security programs, that doesn't mean that they aren't the equivalent of bolt on security. I would wager that both ultimately were caused by a failure in training of people, not exploiting some leet 0-day. And I would argue that DoD especially has bolt-on security, evidenced by the existence of DIACAP... a large, large portion of C&A packages are pencilwhipped into compliance. I know, I used to create the packages, and although I never did that, I know for a fact that many did. C&A is a coverup for failed security engineering and a lack of secure software.

    There's no such thing as a security program that will deflect all attackers. Many businesses do have successful InfoSec programs, but that success is not because they haven't been breached, but because they 1) have made it as difficult as possible (since it can't be avoided altogether due to the human element), and have the proper people and processes to deal with them successfully, and mitigate the damage as much as possible. Being prepared and being aware are how I define a successful security program, not that they've managed to stop a breach from occurring, because ultimately that's a metric that can't be achieved.

    My thoughts on the CISSP... I have observed that there are two types of people in InfoSec: the technical doers, and the managers/leaders (not that technical personnel can't be leaders as well.) There are many, many brilliant people in InfoSec who are technical geniuses and experts in what they do, but if they don't have the business skills to sell a problem to the board, then the board isn't going to buy the solution (Seth Godin calls this pitchcraft.) And that's where the CISSP comes in. It doesn't measure, and it doesn't care about your technical abilities - there are other certifications for that. It is concerned with bridging the gap between the front line and the board, and having the business acumen to be able to link the two. There's nothing wrong with being a technical wizard, but it's always the technical people that see no value in the CISSP, because they have no reason to - they are not the target audience. (Regardless of what HR departments think.)
    Working on: staying alive and staying employed
  • ITHokie Member Posts: 158
    colemic wrote: »
    Just curious, but in your mind, what would an effective federal security program have as an end result?

    It's difficult to say exactly, but programs should be and need to be much more effective than they are. Given the amount of failure I witness on a regular basis, it's pretty easy to say that. Rather than painting a pie-in-the-sky picture, I want to fix the broken.
    colemic wrote: »
    It's the US government, of course their risk is always going to be higher, and they will continue to be breached. Re: large, well-funded security programs, that doesn't mean that they aren't the equivalent of bolt on security. I would wager that both ultimately were caused by a failure in training of people, not exploiting some leet 0-day. And I would argue that DoD especially has bolt-on security, evidenced by the existence of DIACAP... a large, large portion of C&A packages are pencilwhipped into compliance. I know, I used to create the packages, and although I never did that, I know for a fact that many did. C&A is a coverup for failed security engineering and a lack of secure software.

    I'm going to stop referring to bolt-on security because I'm not sure how you are really using it. Your original statement contrasted it with security being seen as a critical function, so I'm going to run with that. Financial institutions and government agencies clearly view security as critical to operations. I'm not sure what agency you worked for in DoD, but it's very difficult to see how one could get the impression that DoD does not see security as critical.

    C&A is only one component of security. I share all of your frustrations with DIACAP. But the methodological problems with it have absolutely nothing to do with whether security is considered important at the highest levels. Interestingly, C&A is one of those areas where you find a high concentration of CISSP holders that don't have technical knowledge. There are exceptions, including folks like you, but it's not the rule. DoD has a gigantic IA workforce. It really needs to shrink.
    colemic wrote: »
    There's no such thing as a security program that will deflect all attackers. Many businesses do have successful InfoSec programs, but that success is not because they haven't been breached, but because they 1) have made it as difficult as possible (since it can't be avoided altogether due to the human element), and have the proper people and processes to deal with them successfully, and mitigate the damage as much as possible. Being prepared and being aware are how I define a successful security program, not that they've managed to stop a breach from occurring, because ultimately that's a metric that can't be achieved.

    Being prepared is very broad. Again, the previous way of being prepared is not sufficient. No, there is no program that will deflect all attackers, but I've been pretty clear that I believe that the monitoring, detecting and responding to threats loop really needs to become a bigger part of the security mindset. I say that precisely because no matter how good your CIO is, no matter how great your ISSO, no matter how much your organization cares about security, no matter how comprehensive your security policies and support procedures are, it's not enough. Attacks can still happen. The IR loop helps to mitigate the damage and tune controls so overall posture is more robust.
    colemic wrote: »
    My thoughts on the CISSP... I have observed that there are two types of people in InfoSec: the technical doers, and the managers/leaders (not that technical personnel can't be leaders as well.) There are many, many brilliant people in InfoSec who are technical geniuses and experts in what they do, but if they don't have the business skills to sell a problem to the board, then the board isn't going to buy the solution (Seth Godin calls this pitchcraft.) And that's where the CISSP comes in.

    First, I just prepared for CISSP and passed. It did absolutely nothing to develop my pitchcraft. I already do this well, which is why I'm a consultant, so take that with a grain of salt. I noticed that it covers some concepts that one needs to have awareness of, but that's it (just like all domains in CISSP).

    Second, you recognize that technical people can be leaders as well. There is a dichotomy of doers and non-doers, but there is not a dichotomy of nerdy doers that can't speak in complete sentences and polished management that don't even know how to find their own IP address. Somehow this has become conventional wisdom, but that doesn't fly. It's a continuum. While they are definitely a minority, there are some technically proficient folks out there that can speak the language of business. It has nothing to do with whether they studied for CISSP or not.

    Third, you don't need an army of professionals who can sell solutions to a board. Really. How many people do you need getting in front of the board? As I've said, all elements of a program are important. I'm advocating for re-calibrating the ratio of doers vs non-doers.
    colemic wrote: »
    It doesn't measure, and it doesn't care about your technical abilities - there are other certifications for that. It is concerned with bridging the gap between the front line and the board, and having the business acumen to be able to link the two. There's nothing wrong with being a technical wizard, but it's always the technical people that see no value in the CISSP, because they have no reason to - they are not the target audience. (Regardless of what HR departments think.)
    ITHokie wrote: »
    ISC2 is not the problem - perception is.
  • colemic Member Posts: 1,569
    Security may be important at the highest levels, but that message didn't necessarily exist in the past, and it is hell trying to make old, insecure, legacy software work in a secure manner, when it was never intended to do so. For example, I know of one gov. network that, similar to an octopus, has several tentacles reaching out to MIT networks. (MIT is a close partner) And several of those open, we-can-see-them-passing-data connections, we literally didn't know who was on the other end. And we weren't allowed to close the connection to protect mission activities. Maybe it was a legit connection. Maybe it was a nation-state actor on the other end. Higher ups didn't really care. And lo, an approved accreditation package came forthwith. Bottom line, it may be the intent now, but all of these old crappy legacy systems, which ARE important, to be sure, are fundamentally insecure, and lead to unnecessary exposure and risk. (I think we are pretty much on the same page just saying it a little differently.)

    I think you hit a very common misperception regarding the CISSP, when you said it didn't do anything to develop your 'pitchcraft' - that's exactly what the CISSP is NOT for. Certification exams were created to measure existing knowledge, not try to cram all sorts of new knowledge in, to pass a single-point-in-time test. Passing doesn't imbue you with a new-found level of knowledge, it's simply an attestation to the knowledge that you have already accumulated through education and more importantly, experience.

    Agree that there is a subset of individuals who can speak both languages, and the CISSP is really intended for that specific set of folk, not the technical experts, to validate that capability.

    I think this is a great discussion, btw.
    Working on: staying alive and staying employed
  • broli720 Member Posts: 394
    @ITHokie what would you suggest the re-calibration be? How would you run a program given budgetary restrictions and other extenuating circumstances? I feel like we could find common ground here, but I'm just not sure what your angle is.
  • ITHokie Member Posts: 158
    colemic wrote: »
    Security may be important at the highest levels, but that message didn't necessarily exist in the past, and it is hell trying to make old, insecure, legacy software work in a secure manner, when it was never intended to do so. For example, I know of one gov. network that, similar to an octopus, has several tentacles reaching out to MIT networks. (MIT is a close partner) And several of those open, we-can-see-them-passing-data connections, we literally didn't know who was on the other end. And we weren't allowed to close the connection to protect mission activities. Maybe it was a legit connection. Maybe it was a nation-state actor on the other end. Higher ups didn't really care. And lo, an approved accreditation package came forthwith. Bottom line, it may be the intent now, but all of these old crappy legacy systems, which ARE important, to be sure, are fundamentally insecure, and lead to unnecessary exposure and risk. (I think we are pretty much on the same page just saying it a little differently.)

    Yep, agreed on this point.
    colemic wrote: »
    I think you hit a very common misperception regarding the CISSP, when you said it didn't do anything to develop your 'pitchcraft' - that's exactly what the CISSP is NOT for. Certification exams were created to measure existing knowledge, not try to cram all sorts of new knowledge in, to pass a single-point-in-time test. Passing doesn't imbue you with a new-found level of knowledge, it's simply an attestation to the knowledge that you have already accumulated through education and more importantly, experience.

    I actually don't think CISSP is supposed to develop pitchcraft. I was just responding to this point:
    colemic wrote: »
    There are many, many brilliant people in InfoSec who are technical geniuses and experts in what they do, but if they don't have the business skills to sell a problem to the board, then the board isn't going to buy the solution (Seth Godin calls this pitchcraft.) And that's where the CISSP comes in.

    I must have misunderstood what you had in mind. Your perspective that certification exams were created to measure existing knowledge is very foreign to me. I understand the thinking behind it, but I have learned a ton from training for many of my certs. CISSP is the exception.
    colemic wrote: »
    Agree that there is a subset of individuals who can speak both languages, and the CISSP is really intended for that specific set of folk, not the technical experts, to validate that capability.

    I think this is a great discussion, btw.

    Well said.
  • ITHokie Member Posts: 158
    broli720 wrote: »
    @ITHokie what would you suggest the re-calibration be? How would you run a program given budgetary restrictions and other extenuating circumstances? I feel like we could find common ground here, but I'm just not sure what your angle is.

    As an example, decrease emphasis on auditing and compliance. There is far too much unskilled manpower dedicated to this facet of security, not to mention all of the pencil whipping and massaging of data that colemic referred to. Move emphasis and funding to CERT functions like monitoring/threat detection/analysis/incident response/forensics/pen testing etc so more skilled folks can contribute and more skilled directors/management can lead.
  • colemic Member Posts: 1,569
    That mentality is a bit understandable from a technician's point of view, but it's frankly not realistic. Auditing and compliance are an integral part of security, the checks and balances that ensure that an organization is doing the right things (and compliance is making sure orgs do the absolute bare minimum of right things.)

    I do believe that certs were created to test existing knowledge, and have been effectively co-opted by test takers to prove that they know just the material on the exam, and that's not the spirit of what they were meant for. ISC(2) and ISACA both have experience requirements, to supplant the knowledge tested on the exam. I am not saying there's anything wrong with test prep, not at all - but if I took the CISSP, and felt I sailed through it, in my mind that is simply validation that I know the test material (gained through study and work experience), and I am the true target audience of the cert.
    Working on: staying alive and staying employed
  • ITHokie Member Posts: 158
    colemic wrote: »
    That mentality is a bit understandable from a technician's point of view, but it's frankly not realistic. Auditing and compliance are an integral part of security, the checks and balances that ensure that an organization is doing the right things (and compliance is making sure orgs do the absolute bare minimum of right things.)

    You're stuck on a false dichotomy. Many responses in this thread are falling into this same line of thinking. You seem to think that the options are

    1. Status quo or
    2. Auditing and compliance are worthless and should be completely scrapped.

    If you decide to respond, please address the point I've been making throughout this thread.

    Also,
    colemic wrote: »
    a large, large portion of C&A packages are pencilwhipped into compliance. I know, I used to create the packages, and although I never did that, I know for a fact that many did. C&A is a coverup for failed security engineering and a lack of secure software.

    You clearly see the problem, yet somehow still want to cling to the status quo. There is a better way.
  • broli720 Member Posts: 394
    Well, I don't think the better way is to pump more money into the CIRT functions. I can't speak for all organizations, but for mine things are fairly balanced. I'd say you'll need more compliance people on at the start of a program to get the ball rolling before the technical controls are ironed out.

    It may do you some good to actually work on the compliance side of things. I've been on both sides of the fence and I think you'll change your tune if you spend a great deal of time there. I understand what you're saying, but I think your thinking will move us further out of balance.
  • ITHokie Member Posts: 158
    broli720 wrote: »
    I can't speak for all organizations, but for mine things are fairly balanced.

    That's wonderful for your organization, but that certainly is not the case elsewhere. My role allows me the privilege of seeing many organizations. I would suspect that exposure to these orgs would at least shift your opinion. Out of curiosity, why do you believe your organization is well balanced?
    broli720 wrote: »
    I'd say you'll need more compliance people on at the start of a program to get the ball rolling before the technical controls are ironed out.

    As far as auditing, I personally witness a lot of reporting of massaged numbers, "pencil whipping" of C&A packages, changing controls for inspections, folks lacking the technical expertise to know what to do with audit results and vul scans, etc. More bodies will make it worse.
    broli720 wrote: »
    It may do you some good to actually work on the compliance side of things. I've been on both sides of the fence and I think you'll change your tune if you spend a great deal of time there.

    Not a chance. All of my recent roles cause me to work directly with auditing/compliance. I've also been the technical point for C&A on some very large projects. I'm intimately familiar with benefits and drawbacks of these functions.
    broli720 wrote: »
    I understand what you're saying, but I think your thinking will move us further out of balance.

    Perhaps this wouldn't be the best choice for your org. What criteria are you using to make this determination?
  • broli720 Member Posts: 394
    Well, our security functions are a set of teams (SOC, CIRT, Security/Compliance) and sub teams within those all providing checks and balances. The majority of our policy guys had a pretty robust technical background thus allowing them to make informed decisions. Our CIRT and SOC teams have proprietary training sessions in which they are taught the nuances of our different methods of operations. This coupled with peer reviews and industry certifications, ensures that everyone is adequately trained and provided feedback. Our infrastructure team is also ingrained in the process as well from a design standpoint.

    You had a bad experience from what you described with regard to C&A packages, but you can't put everyone that does that work in the same boat. Work on a team where it is done correctly and experience the pressures that they have to go through. It takes a significant amount of technical expertise and business acumen to be good at that. You need to accept that the business ramifications are more important than the security ones. And the only thing that can change this are regulatory requirements.
  • NOC-Ninja Member Posts: 1,403
    Congrats!

    For me, I see it as a checklist. I'm currently watching the CBT videos for it. I see that it's very high level. I don't see anything technical or hands on in it. Again, for me, this is a checklist moving forward to sec.
  • ITHokie Member Posts: 158
    broli720 wrote: »
    The majority of our policy guys had a pretty robust technical background thus allowing them to make informed decisions

    It sounds like you work for a company that is ahead of the curve.
    broli720 wrote: »
    Our CIRT and SOC teams have proprietary training sessions in which they are taught the nuances of our different methods of operations. This coupled with peer reviews and industry certifications, ensures that everyone is adequately trained and provided feedback. Our infrastructure team is also ingrained in the process as well from a design standpoint.

    This is all well and good, but do you do internal and external pen tests or red team assessments? If you don't, you really don't know if your environment is the bastion of robust security that everyone thinks it is, or if there is just a lot of patting each other on the back.

    More importantly, having well trained personnel does not mean that you have the right balance of well trained personnel, which is what I actually asked about. Again, what is your criteria for knowing that you have the right balance?
    broli720 wrote: »
    You had a bad experience from what you described with regard to C&A packages

    With all due respect, this is hand waving. No, I didn't just "have a bad experience". It is a continuous stream of bad experiences spread over multiple projects, organizations and networks. The irony here is that you have visibility into only one organization, whereas I have visibility into many organizations, yet you're able to narrow my field of vision to one bad experience. That sword cuts both ways. All of the evidence being presented here is anecdotal, but at least I see different environments on a regular basis.

    BTW, perhaps some of the differences can be explained by complexity of the environments that we see. How large (in nodes) is your network?
    broli720 wrote: »
    Work on a team where it is done correctly and experience the pressures that they have to go through. It takes a significant amount of technical expertise and business acumen to be a good at that.

    Whether or not there are balanced, high performing programs out there is irrelevant to the fact that there are widespread systemic problems in the industry, as evidenced by the frequency of successful attacks. Are you following Dark hotel, the Chinese hack on our weather systems, or the Russian produced malware dropped on our critical infrastructure? We're seeing large scale compromises nearly every day. And that is only what is being reported.
    broli720 wrote: »
    You need to accept that the business ramifications are more important than the security ones. And the only thing that can change this are regulatory requirements.

    Business ramifications is a far more nuanced subject than you want to believe (for example, what are the business ramifications for the United States Missile Defense Agency or a large hospital?). No, you need to accept that this kind of toe-the-line, we do it the way we've always done it because "business" has helped get us into the mess we are in today.

    Again, how exactly did this work out for Target? I mean, they were PCI compliant. They hit all their numbers. They have a huge security outfit with great tools. Yet the attackers waltzed around for weeks undetected. Now they are getting hammered by lawsuits. It is going to cost them millions, if not more.
  • ITHokie Member Posts: 158
    NOC-Ninja wrote: »
    Congrats!

    For me, I see it as a checklist. I'm currently watching the CBT videos for it. I see that it's very high level. I don't see anything technical or hands on in it. Again, for me, this is a checklist moving forward to sec.

    Same here, I did it to check a box. Good luck to you!
  • philz1982 Member Posts: 978
    ITHokie wrote: »
    This is a low bar, and there are plenty of people out there that have this ability with or without CISSP. Again, if CISSP was perceived by the industry as an entry level baseline of security knowledge, I wouldn't find it problematic. However, the level of knowledge required to obtain CISSP is going to do little to prevent and deal with the types of attacks that I've been referring to.

    Actually, the knowledge required will do a lot. I sat with some senior executives today telling me all about their "security" plans. Having the CISSP provides you a broad enough skill set to carry on a managerial conversation and tie it to ROI which will get your security systems funded. CISSP is a managerial not a technical cert. The purpose is to be able to professionally discuss business ramifications of security with non-security personnel.
  • philz1982 Member Posts: 978
    ITHokie wrote: »
    It sounds like you work for a company that is ahead of the curve.

    This is all well and good, but do you do internal and external pen tests or red team assessments? If you don't, you really don't know if your environment is the bastion of robust security that everyone thinks it is, or if there is just a lot of patting each other on the back.

    More importantly, having well trained personnel does not mean that you have the right balance of well trained personnel, which is what I actually asked about. Again, what is your criteria for knowing that you have the right balance?

    With all due respect, this is hand waving. No, I didn't just "have a bad experience". It is a continuous stream of bad experiences spread over multiple projects, organizations and networks. The irony here is that you have visibility into only one organization, whereas I have visibility into many organizations, yet you're able to narrow my field of vision to one bad experience. That sword cuts both ways. All of the evidence being presented here is anecdotal, but at least I see different environments on a regular basis.

    BTW, perhaps some of the differences can be explained by complexity of the environments that we see. How large (in nodes) is your network?

    Whether or not there are balanced, high performing programs out there is irrelevant to the fact that there are widespread systemic problems in the industry, as evidenced by the frequency of successful attacks. Are you following Dark hotel, the Chinese hack on our weather systems, or the Russian produced malware dropped on our critical infrastructure? We're seeing large scale compromises nearly every day. And that is only what is being reported.

    Business ramifications is a far more nuanced subject than you want to believe (for example, what are the business ramifications for the United States Missile Defense Agency or a large hospital?). No, you need to accept that this kind of toe-the-line, we do it the way we've always done it because "business" has helped get us into the mess we are in today.

    Again, how exactly did this work out for Target? I mean, they were PCI compliant. They hit all their numbers. They have a huge security outfit with great tools. Yet the attackers waltzed around for weeks undetected. Now they are getting hammered by lawsuits. It is going to cost them millions, if not more.

    Actually, the attackers were detected. They were just ignored as false positives.
  • ITHokie Member Posts: 158
    philz1982 wrote: »
    Actually, the knowledge required will do a lot. I sat with some senior executives today telling me all about their "security" plans. Having the CISSP provides you a broad enough skill set to carry on a managerial conversation and tie it to ROI which will get your security systems funded.

    Knowledge required to "get your security systems funded" ≠ knowledge required to "prevent and deal with the types of attacks I've been referring to". We're talking about very different things.
    philz1982 wrote: »
    CISSP is a managerial not a technical cert. The purpose is to be able to professionally discuss business ramifications of security with non-security personnel.

    As I have pointed out previously, the problem is not the cert itself, the problem is how it is perceived. Please take a moment and cruise Indeed for CISSP references and tell me you don't see a pile of technical positions.
  • ITHokie Member Posts: 158
    philz1982 wrote: »
    Actually, the attackers were detected. They were just ignored as false positives.

    Exactly, they were ignored. Which is to say they were not detected. If you don't have the skills and procedures in place to respond, and you don't know how to tune events, it does not matter what your tools detect.
  • colemic Member Posts: 1,569
    ITHokie wrote: »
    Knowledge required to "get your security systems funded" ≠ knowledge to "prevent and deal with the types of attacks I've been referring to". We're talking about very different things.

    Actually I don't think you are. Where do you think those tools and all those analysts come from? They have a champion that is working to convince the business that security isn't just a cost center. No dinero ≠ no employees or tools to prevent and deal with the types of attacks you've been referring to.

    As for your last point, that's not the fault of CISSP holders, that's an HR issue.
    Working on: staying alive and staying employed
  • ITHokieITHokie Member Posts: 158 ■■■■□□□□□□
    colemic wrote: »
    Actually I don't think you are. Where do you think those tools and all those analysts come from? They have a champion that is working to convince the business that security isn't just a cost center. No dinero ≠ no employees or tools to prevent and deal with the types of attacks you've been referring to.

    So someone with basic knowledge of "what a kernel is" or "what a processor is" possesses the knowledge to outfit the organization with the right tools and analysts for the job? I'm going to say no.

    As for your last point, it is an HR issue, but not just an HR issue (although I used to think that was the case). Many job descriptions are written by hiring managers. The fact that so many technical positions require CISSP indicates it is a more systemic issue than that in some orgs.
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    That's quite a stretch from what I was saying.

    For point 2, maybe hiring managers see value in people who have the CISSP, as being able to communicate across business lines and understand the bigger picture outside of just a security perspective, not just be someone who flips switches and levers. Regardless of what some security people think, security isn't the most important thing to a business; it's supposed to enable the business, not direct it.
    Working on: staying alive and staying employed
  • philz1982philz1982 Member Posts: 978
    Ignored is different than not detected. Semantics makes a big difference when you're talking about the performance of humans vs IDS/IPS. The malware detection worked fine. It was a failure on the human side. Their training was effective; they just didn't know how to properly vet through FAR/FRR issues.

    The thing is, it's easy to say they didn't have skills and procedures. They actually did, but like so many organizations, when you depend upon humans to enforce and enact procedures, failure points appear. It was not a lack of training, software, or policies. It was simply human error. The issue with cyber security is that the threat landscape is always changing.

    You can rely on auto-pilot in an airplane because the way to fly and the way the plane responds is not constantly shifting. Thus technology can greatly reduce the margin of error. With cyber security the landscape switches so fast. All you can hope to do is have the best tools with good people and a compelling ROI to keep your executives engaged and sponsoring your program.
  • philz1982philz1982 Member Posts: 978
    ITHokie wrote: »
    So someone with basic knowledge of "what a kernel is" or "what a processor is" possesses the knowledge to outfit the organization with the right tools and analysts for the job? I'm going to say no.

    As for your last point, it is an HR issue, but not just an HR issue (although I used to think that was the case). Many job descriptions are written by hiring managers. The fact that so many technical positions require CISSP indicates it is a more systemic issue than that in some orgs.

    Not a lot of folks take into account Kernels and processors in the procurement of tools and software. On the defense and government side where systems are regulated yes, but your average organization relies on consultants and vendors to drive product since most IT folks can't sell up within their org.
  • ITHokieITHokie Member Posts: 158 ■■■■□□□□□□
    colemic wrote: »
    That's quite a stretch from what I was saying.

    This is the full context of the original post we're all referring to. My low bar comment was related to this.
    philz1982 wrote: »
    My take on the last part of your post is this. No one is going to come out of the CISSP being an "expert" on cyber security. Even the premier certs like OSCE will still leave you with gaps. The thing is, Cyber is ever changing. What CISSP gives you is a broad base of knowledge so that when you begin to research a topic you have a fundamental understanding. Imagine if you never had any, and I mean ZERO, experience with the SDLC or CPU architecture. All you know is C&A or maybe Audit. You go on an industrial site and they are worried about the security of their embedded compute. At least with the CISSP you will understand what a kernel is, what a processor is, how memory works, etc. That way, when you begin to study protocols and Layer 1 through 4 security, you're not totally lost.
    colemic wrote: »
    For point 2, maybe hiring managers see value in people who have the CISSP, as being able to communicate across business lines and understand the bigger picture outside of just a security perspective, not just be someone who flips switches and levers. Regardless of what some security people think, security isn't the most important thing to a business; it's supposed to enable the business, not direct it.

    I'm respectfully going to stop the round and round with this. We've already discussed it. My comment was to Phil, who says it is a managerial cert, not a technical one. You're welcome to discuss that point with him.
  • philz1982philz1982 Member Posts: 978
    colemic wrote: »
    That's quite a stretch from what I was saying.

    For point 2, maybe hiring managers see value in people who have the CISSP, as being able to communicate across business lines and understand the bigger picture outside of just a security perspective, not just be someone who flips switches and levers. Regardless of what some security people think, security isn't the most important thing to a business; it's supposed to enable the business, not direct it.

    From where I sit, security is a pain in the ass to the business. Every day I watch customers try to figure out ways around IT because:
    1) IT is usually a bunch of prima donna ego thumpers who are too altruistic to see the reality of funding, sales, and cashflow
    2) IT is too busy to work with the business because they are understaffed or not properly allocated
    3) IT doesn't know how to communicate business outcomes and understand the ramifications of the policies they try to enforce.

    I say these things with myself being an IT focused person who is very pro-security.
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    @ITHokie Sorry I missed the context on that... but I do agree w/ him that it's a cert geared toward managers, not technicians.

    @Philz I agree... and that disconnect is the direct result of lack of executive buy-in to see IT/Security as essential, not cost centers. To me that's what it all boils down to. And that's largely the fault of middle to upper management not communicating effectively to the board (or equivalent) and getting their full support.
    Working on: staying alive and staying employed
  • ITHokieITHokie Member Posts: 158 ■■■■□□□□□□
    philz1982 wrote: »
    Ignored is different than not detected. Semantics makes a big difference when you're talking about the performance of humans vs IDS/IPS. The malware detection worked fine. It was a failure on the human side. Their training was effective; they just didn't know how to properly vet through FAR/FRR issues.

    The context of the discussion throughout this entire thread is clearly people and the skills they possess. We're not talking about the performance of humans vs IDS/IPS. We're talking about the performance of humans.
    philz1982 wrote: »
    Their training was effective; they just didn't know how to properly vet through FAR/FRR issues.

    Their training was effective even though they didn't act on malware.binary on multiple occasions? Really? And exactly what role did biometrics play in this?

    The problem is that they had a crap load of events and hadn't tuned them, so they rubber stamped warnings. This is normal - I see it all the time.

    philz1982 wrote: »
    The thing is, it's easy to say they didn't have skills and procedures. They actually did, but like so many organizations, when you depend upon humans to enforce and enact procedures, failure points appear. It was not a lack of training, software, or policies. It was simply human error.

    It was definitely human error - no one is arguing otherwise. But it wasn't just human error. It was a lot of them stacked on top of each other by under-skilled management and analysts. Again, I see this all the time with our customers. It's nearly always related to skills and procedures.
    philz1982 wrote: »
    You can rely on auto-pilot in an airplane because the way to fly and the way the plane responds is not constantly shifting. Thus technology can greatly reduce the margin of error. With cyber security the landscape switches so fast. All you can hope to do is have the best tools with good people and a compelling ROI to keep your executives engaged and sponsoring your program.

    Yes, tools help. But they don't obviate the need for talent (or process).
  • ITHokieITHokie Member Posts: 158 ■■■■□□□□□□
    philz1982 wrote: »
    Not a lot of folks take into account Kernels and processors in the procurement of tools and software. On the defense and government side where systems are regulated yes, but your average organization relies on consultants and vendors to drive product since most IT folks can't sell up within their org.

    Yes, I understand that. Please refer to #57 and Colemic's response.