Posts RSS
Subscribe via Email
Guerilla CISO Tip: Get Inside the Data Center
Posted June 4th, 2007 by rybolov
I’m an engineer at heart. I love technology and I love to build. I can’t really understand the operational mindset, which is a weakness I have to work around at times, considering I’m managing security for an operational division.
Back in November, I spent a month building $3Million worth of equipment. The reason? It was the biggest risk to my organization at the time–failure to meet a delivery deadline. As a side benefit, I know what each and every device does.
In fact, if I haven’t done anything techie in a week, I start to get antsy. I go home and rearrange my linux partitioning scheme just to move data around.
There’s a lesson in there: Get out of the office and into the Data Center at least once a week, even if you’re a total wonk.
Common sense, right? But you would be surprised how many security people don’t get out of their cubicle and go see the technology. One of the critical failings of how we do security in DC is that because there is a shortage of people with hard skills, we send in the people with soft skills such as financial auditors, technical writers, and quality assurance. Don’t get me wrong, there is a place for these people in security as long as they adopt a security mindset, but overall your security staff need to have some sort of technical background.
Question is, how do you get your non-technical staff into the technology? Believing in practical solutions and advice, I have a couple tactics, techniques, and procedures for you:
- Give them the responsibility to do a data center walkthrough every week
- Assign them as direct support to a smaller project
- Turn them into a mobile vulnerability scanning and reporting team
- Send them to investigate the security implications of a specialized technology like a SAN
- Give them a cubicle next to the system administrators and encourage them to socialize
Of course, none of this is really a new idea, it’s basic career development activities for a junior security staff member. I guess that’s the topic for a later post. =)
Similar Posts:
Posted in Technical, The Guerilla CISO, What Works | 
4 Comments »
June 15th, 2007 at 12:25 pm
I think you have a good point here and anyone reading this blog who has not come from a technical background should take note.
It isn’t necessary for non-technical people to become technical but it is necessary for them to become familiar with technical issues.
It is in this way that we can begin to integrate security into how we operate. We need to seek ways to eliminate the divide between security and operations. When it all becomes “the way we do things” we will be better off.
Thoughts?
June 15th, 2007 at 1:14 pm
So in general, you’re saying that the business operations are the customers and we need to do more internal marketing and customer relations?
June 15th, 2007 at 3:04 pm
I agree, but here its hard enough to get the non-tech people to understand even the need for a decent password or not to leave their CAC cards unattended.
June 15th, 2007 at 4:29 pm
Ah, a little bit of explanation is in order here.
What we are talking about is security people who are not technical. You basically have 2 camps: the technical guys and the policies and procedures guys.
It’s fairly easy to teach the policies and procedures part to the techies, but significantly harder to teach the technical side to the policies and procedures people.