by Michael Argast, Sky Northern Inc
One of the biggest challenges we face in Information Security is the need to pivot from it being a priesthood - the role of a select few who have the arcane knowledge and power - to a religion which has been adopted by the masses.
The term ‘computer’ used to mean ‘one who computes’ - it was a job description rather than a physical device. As time progressed, we had armies of specially trained people who would program massive room-sized devices. As computers became more powerful, smaller and ubiquitous, we moved from it being a specialized professional tool to something a two-year-old could pick up and use.
Today, we expect everyone in a professional environment to have computer skills. They could be rudimentary (Microsoft Office, Outlook) or specialized (AutoCAD and engineering). Not everyone is expected to have every skill, but everyone is expected to have the skills necessary to do their job.
I propose we need to move to this approach in security. Instead of security skills being a talent that is hidden deep in a priesthood, it needs to be part of everyone’s job.
The receptionist needs to be skilled not only in phones, greetings and taking messages, but also in avoiding social engineering techniques.
The physical security guards for an office building need to be looking out not only for people stealing atoms, but also people stealing bits.
Developers need to have skills not only in Java, Swift, C++ and PHP, but also the security development life cycle, fuzzing, buffer overflows and input validation.
The CFO needs to have skills not only in financial management, internal rate of return calculations and foreign exchange hedging, but also recognizing and avoiding business email scams.
HR needs to have skills not only in hiring, talent management and benefits plan analysis, but also in background and criminal checks and in strategies for dealing with inappropriate use of systems.
Until we bring security out of the shadows, and into the light, we will continue to struggle. It is only when we properly integrate security into everything we do that we will start to turn the corner.
Security is everyone’s job. Let’s get to work.