Global Security, Privacy, & Risk Management

Rant Alert- Security Neophytes January 30, 2012

Like others who read this blog, I have worked in several areas of security over the years including physical security and information assurance.  Irrespective of the domain of security in which you work, the underlying principles are similar. Risk management, defense in depth, and incident response are common principles in all areas of security though the implementation may differ.  Security is a discipline that, like any discipline, requires study and experience to become proficient.  Physical security is about more than holding a gun and information assurance is about more than having a firewall.

I recently came across a the website of a company that states in uncertain terms that that they are experts in cybersecurity (and several other domains).  To demonstrate their “industry leading” expertise they state that they can manage ‘various firewalls’ and that they have experience with ‘intrusion detection systems’. Really? This is expertise?   While we shake our heads at their approach, some company will hire them because they can offer services at lower rates (due to the lack actual expertise) and there will be the inevitable incident.   It is this amateur approach to security that results in companies being hacked in the information assurance business and people being arrested or killed in the maritime security arena.

For what ever reason every tom, dick or harry (or sally) that has ever carried a rifle or worked for the government believes that he or she is now a “security professional”. Unfortunately, these companies make their way into the various industries and create issues for those professional organizations that have actual expertise borne of hard earned experience and have paid their dues to understand the issues and understand their discipline.