Security Competence
Copyright © 2002
RDFollendoreIII
Competence can be thought of as being inversely related to complexity. There was a time, as recently as the 1970s, when the concept of security, and particularly security related to cryptography, was a black art. The operations were simple because they were contained within a black box. The applications were simple because the problems were point to point. The essential idea from an employee's perspective was that there were published corporate policies, and if you needed help you called the security officer. The security officer would take a look at the problem, ask you what happened, make sure it was within regulation, tell you not to do whatever you did, and record the incident. That was about it. The centralized hardware and procedure were supposed to take care of the problems. Competence was hard wired. As long as you had a badge, nothing much could go wrong if the people involved were good guys. In the 1980s, things began to change.
The personal computer arrived and people began to think in different terms. Processing could now take place independently of authorized procedures because things got "soft." Data could be aggregated into information, and information aggregated into knowledge. A half dozen small books of critical knowledge could suddenly be created and put into a shirt pocket. The policy of checking for sensitive documents by their classification as people went out of buildings became impossible. To compensate, people were supposed to voluntarily carry magnetic media passes. Backup tapes were soon included. In the 1990s, personal computers began competing with personal laptops, so the magnetic media paperwork began to include laptops and their drives. Then came writable CDs, and now writable DVDs. During this time, the computers were intranet-worked and then internet-worked. The network connection became easier and faster to use than access to a drive. Then came instant messaging. By now the security concepts of the 70s were sunk.

In the background of all of this escalation grew the idea that cryptography could somehow solve all of this and bring back the good old days of centralized security. It was easy to think that if we could just find a way to transparently secure drives and encrypt all documents and network links, then the solution would be at hand. The trouble was that things got faster, applications changed, and operations changed. Embedded cryptographic security processes were not universally inherent within the operating and networking systems. Even the secure operating systems were found wanting. There were holes. There were security patches to plug the holes. There were security patches to plug the security holes in the security patches. The security systems prevented users from using the software and hardware that was most useful. There were dozens of passwords required for applications. Cookies were created to authenticate users and machines. This is the kind of instantaneous metamorphosis of technical hodgepodge we exist within today. Change will happen just as rapidly tomorrow.

Solutions to security are fragmented because they remain incremental. Policies are fragmented because they are incremental. In short, security was being treated like the components of a stereo system. The gaps in security never become coherent because they exhibit themselves as conceptual gaps within the collage of interdependent subsystems. Any idea that a true security competence might emerge from this fragmentation sounds foolish without a more cohesive conceptualization of security.
Having given you an idea of the historical dilemma, something significant becomes obvious. Standards are not enough. I would like to begin to explain the four pillars that are necessary for a foundation of security competence, and how security certification might exist in the future. With these four things, technical competence can be achieved.

1. Philosophy: Security competence must begin with a more fundamental philosophy about the ethical nature of security. Security is not only about policing problems; it is about organizational fairness and welfare. It is about instilling a just opportunity for internal operational solutions to rise to the top. Moreover, security is more about belief in people than skepticism of people. The philosophy must exist in writing and must be both preached and kept constantly in practice, or it will be forgotten. Integrity must be expressed both as a statement of order and as a statement of execution.

2. Rationality: Security competence must no longer be based on technologies that turn over every eighteen months. It must be based on the premise that there exist underlying rational processes that justify transactions, rather than logic that merely authenticates individuals or systems. This kind of justification is a much larger concept that includes appropriate levels and means of authentication. Justification means real-time observation and responsive documentation. It is a means of relating the historical fact to the present. It means projecting a proactive urgency that is based on performance, because security is about effectiveness.

3. Language: Security competence must take advantage of language in order to communicate reasoned associations. The approach I am speaking of now is not about a new form of techno-speak for security consulting embalmers and arbitrators. It is about establishing and replenishing a richer and deeper language of understanding. It is also not about the historically incremental considerations of language. What I am saying is that if the existing words are not adequate or relevant, then new words are required. Security competence cannot be based on double-meaning terms from the dim past that are difficult to get a handle on. Recursive concepts are necessary within a recursive field, but that only means that maintaining security competence requires that the language be constantly maintained and updated.

4. Inclusion: Security competence should be based on standards that are inclusive rather than exclusive, and that include both relative human and organizational objectives. By this I mean that security must include, and be included within, the concept of performance, not merely protection from nonperformance. This means that competence is derived from participation within, rather than exclusion from participation. Some may consider this a costly thought, but I say that it is a necessary idea. It is necessary because the objectives of organizational performance must be a part of organizational competence.

Now we put these concepts all together. As security experts, we need to think in terms of a Rational Language revolving around an Inclusive Philosophy. This is a very different way of thinking. It affects the choices we make in selecting problems as well as the choices we make in solving them. It is a coherent way of thinking because it removes the blinders through which we have institutionalized the potential solutions we have to select from. Instead of technical reductionism to the absurd, a more balanced and more encompassing approach can be integrated into the fabric of the communication process. For those of you who do not know the distinction between communication and communications, I suggest that you give it some thought. It is the difference between what is possible for security and what we have today.
Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved