This week we interviewed David Michaux, Whispering Bell's Director of Technical and Security Services, and asked him to share with us what he sees as the important characteristics of a great infosec professional for handling the new trends in cyber crime as we head into 2016.
David Michaux: I remember when I started in this business in the late 90s, I was asked to interview a Russian candidate for a job. One of the first questions I asked her was “If you had an important Unix server, how would you make sure it’s secure?” I was expecting a detailed answer around hardening of the operating system, firewalls, IDS etc. Her answer was simple: “I would switch it off, dig a big hole and bury it in concrete, and even then I wouldn’t tell you it’s secure!” I hired her and haven’t regretted it since. So when asked “what is the most important characteristic of a great infosec professional in 2016?”, for me it’s the same as it’s always been: extreme paranoia and a great mistrust of vendors who promise the earth.
On a more practical note, the infosec professional’s job role has changed dramatically since the 90s, when only in the large multinationals would you find a dedicated resource, normally under the IT Director (which I always found a great conflict), who was looking after IT security, a position usually filled by a graduate and not very well paid. The early 2000s saw the role elevated slightly, with companies moving the role under Finance (if they had been hit by a virus or hack that had affected them with financial loss), or under physical security. The infosec professional simply needed to make sure that antivirus was rolled out properly and that they patched the machines as and when vendors pushed things out. Normally, if you had a good networking person running your security, you were going to be in good shape. Towards 2010 things had started to become scary: the job role in the multinationals had changed from IT security manager to CISO. They now managed a team, so were not as technically inclined as before, and needed to spend a lot of their time looking at legal compliance issues and obtaining and maintaining security certifications for their companies, while also being able to brief the board. As we approach 2016, it’s more about admitting that it’s nearly impossible to defend yourself against a determined attacker and preparing yourself for the day when you get hacked. As the market is proving, the CISOs of today’s multinationals come from an ex-government or intelligence services background, and their purpose is not to firefight and protect the networks on a day-to-day basis, but to better understand who is trying to attack them and why. The reasoning behind this is to try and prevent the attack before it even reaches your network. Which basically brings you full circle: the most important characteristic of an infosec professional in 2016 is paranoia and the ability to have a better crystal ball than the rest!