I recall, a number of years ago, that Marshall Rose described technical folk as divided into go’ers and do’ers. The go’ers were most likely to attend conferences and working groups, as well as act as representatives to standards committees. Do’ers, on the other hand, stayed in front of their workstations, working out thorny protocol issues and writing interoperable code against imperfect specifications.
And going even further back, we can distinguish between knowing how and knowing that. I don’t fully know the details of the internal combustion engine, but I can still drive a car. I do expect my mechanic to understand the details, at least to the extent that she is able to diagnose a particular problem and come up with a solution.
Which is why the following post caught my attention. In SANS NewsBites Vol. 15, Num. 103, Alan Paller wrote:
The top story at the end of 2013 could just as well have been the top story ten years ago. Federal chief information security officers continue to “admire the problem” by paying $250/hour consultants to write reports about vulnerabilities rather than paying them to fix the problem. Sadly most of the federal CISOs and more than 85% of the consultants lack sufficient technical skills to do the forensics and security engineering to find and fix the problems. Paying the wrong people to do the wrong job costs the U.S. taxpayer more than a billion dollars each year in wasted spending plus all the costs of cleaning up after the breaches. How about a 2014 New Years resolution to spend federal cybersecurity money usefully: either by ensuring all the sensitive data is encrypted (at rest and in transit) and/or the organization implements the Top 4 Controls on the way to implementing the 20 Critical Security Controls?
Now, I’m not sure that a CISO needs to have the technical skills “to do the forensics and security engineering to find and fix the problem.” But the CISO should know whether they have the expertise in-house to do so, or whether the consultants they are hiring have these skills, and should have the clout necessary to ensure that the right people are hired and that the job has been done right. Otherwise, the top story of 2023 will be the same as 2013.
I could rant on, but I don’t want to break a New Year’s resolution quite yet. 🙂
It’s just the same old song / with a different beat …