Computer repair tech AKA Security Expert
-
@scottalanmiller said:
I think that this supports my other thread - these "security" specialists in the field are anything but that. No one seems to train and go into security, even the local news doesn't recognize security as a skill set. It's just not a thing, not to specialists, not to IT, not to the uneducated public.
Wait, what? You don't think security specialists exist for IT? I know I'm not one, but if/when I really need to be secure, I'd hope I'd be able to hire one. Granted, as you said, I'm not sure how I would hold them accountable to being such a thing.
-
@Dashrender said:
@scottalanmiller said:
I think that this supports my other thread - these "security" specialists in the field are anything but that. No one seems to train and go into security, even the local news doesn't recognize security as a skill set. It's just not a thing, not to specialists, not to IT, not to the uneducated public.
Wait, what? You don't think security specialists exist for IT? I know I'm not one, but if/when I really need to be secure, I'd hope I'd be able to hire one. Granted, as you said, I'm not sure how I would hold them accountable to being such a thing.
Sure, you can hire one, they are everywhere. All sitting around out of work because the field that they went into doesn't exist. I think "security" is a field dreamed up by high school guidance counselors.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
I think that this supports my other thread - these "security" specialists in the field are anything but that. No one seems to train and go into security, even the local news doesn't recognize security as a skill set. It's just not a thing, not to specialists, not to IT, not to the uneducated public.
Wait, what? You don't think security specialists exist for IT? I know I'm not one, but if/when I really need to be secure, I'd hope I'd be able to hire one. Granted, as you said, I'm not sure how I would hold them accountable to being such a thing.
Sure, you can hire one, they are everywhere. All sitting around out of work because the field that they went into doesn't exist. I think "security" is a field dreamed up by high school guidance counselors.
Why is that? Security is something that is real and, I think, needed, is it not? Or is it just really that simple, install an ERL and be done with it?
-
@Dashrender said:
Why is that? Security is something that is real and, I think, needed, is it not? Or is it just really that simple, install an ERL and be done with it?
Things need to be secure, but ask yourself... what the heck is a "security" department? Traditionally a security department was slang for "physical security." They didn't make sure that people were acting secure, or that products were secure or that designs were secure; they had cameras, walked the perimeter and carried a gun or a club and a flashlight. They checked the door locks, looked for open windows. A physical security (is the building locked down?) department makes sense, we know what that is.
So tell me, if you are a "technical security" department employee, what exactly is your job? What role does a "security" person do in this context?
You don't lock down servers, the server people do that. You don't design a secure network, the network people do that. You don't have anything to do. It's a nonsensical department for all intents and purposes. And hence, probably why they don't exist in the real world. What is a "security expert" really?
-
@Dashrender said:
Why is that? Security is something that is real and, I think, needed, is it not?
Of course it is. And what person can not be a security person? Security is either an aspect of everything that everyone does, or else security doesn't matter to you. If everyone does security, you don't need a security department. If no one cares about security, you don't pay for a security department.
It's because it is so important and has to be part of every technical role that you have no need for a special department that does this mythical "security" thing and nothing else.
-
Hmm... This makes me question my own ability to set up a server then - I can set up a server to be a file/print/AD etc. box, but I'm not knowledgeable on making it completely 'secure.' Can I learn? Sure. Am I learning? Yes I am. But I get the feeling that, like Microsoft programmers in the 1990s and 2000s, security was/is an afterthought for most IT folks today.
-
@Dashrender said:
But I get the feeling that, like Microsoft programmers in the 1990s and 2000s, security was/is an afterthought for most IT folks today.
Sure, and that's why SMBs are so wildly insecure. The skills and training and time needed to make an environment really secure cannot reasonably be done by a single person nor can it be done by a "security" consultant. What you need is a mindset of considering security from the ground up with buy-in from management. If management doesn't care about security, IT sure isn't going to focus on it.
But there is only one way to get secure - build it into everything. Security isn't a switch or a layer that can be applied later. It has to be involved at every step, with every process. Everyone in the decision chain needs to be thinking "security" as they make their decisions.
Security is just one of the many aspects of being an IT professional.
-
@scottalanmiller said:
It's because it is so important and has to be part of every technical role that you have no need for a special department that does this mythical "security" thing and nothing else.
I'd advocate for a security department where it was primarily for user training, secondary would be dedicated white hat testers
Edit: obviously not a dedicated person needed for this until you're breaking out of SMB
-
Clearly it's not just a problem at SMB - Sony a few years ago... Target last year, etc!
-
@Dashrender said:
Clearly it's not just a problem at SMB - Sony a few years ago... Target last year, etc!
It has to be a problem in the SMB, how can an SMB overcome it?
Companies like Sony, they just don't care. That's a different issue. When you are a company that makes crappy products and your customers keep coming back because your name is trendy, you don't tend to focus on being a good steward for your customers because being a good vendor is not why they like you. How many people stopped using Sony because of that? Just about none, I'm guessing, because Sony's customers just don't care enough.
-
@MattSpeller said:
@scottalanmiller said:
It's because it is so important and has to be part of every technical role that you have no need for a special department that does this mythical "security" thing and nothing else.
I'd advocate for a security department where it was primarily for user training, secondary would be dedicated white hat testers
This makes me think - a second pair of eyes is usually worth having to look at a problem to ensure you dotted all the i's and crossed all the t's.
IT security could be a team that checks the designs with the intent of hacking them - the white hat hacker as @MattSpeller said.
-
@Dashrender yup, but primarily user training - gotta secure the weakest links in your chain
-
@MattSpeller said:
I'd advocate for a security department where it was primarily for user training, secondary would be dedicated white hat testers
Dedicated pen testing, sure, there is some call for that and I have seen that in the real world (very, very little). But it is important to note that that is a testing department. They don't secure you, they just let you know when the people securing you have failed.
User training is really just a training department. Yes, security training is important, but again, just a part of normal operations of "how to be a user."
-
I think this topic has run its course as to the OP - Scott's probably right that an IT security department isn't a real thing. But the other items brought up here are definitely often missing from many if not most companies.
-
@scottalanmiller said:
User training is really just a training department. Yes, security training is important, but again, just a part of normal operations of "how to be a user."
Is any company actually rolling with dedicated user trainers on staff? If so that's F*@&# amazing!
-
@Dashrender said:
I think this topic has run its course as to the OP - Scott's probably right that an IT security department isn't a real thing. But the other items brought up here are definitely often missing from many if not most companies.
I always get curious and side track it, we need a dedicated ML thread TL;DR bot.
-
@Dashrender said:
This makes me think - a second pair of eyes is usually worth having to look at a problem to ensure you dotted all the i's and crossed all the t's.
IT security could be a team that checks the designs with the intent of hacking them - the white hat hacker as @MattSpeller said.
Could be, but the downside there is that what do you have, generalists? You probably get a lot more mileage looking at that with more pairs of dedicated specialist eyes. If you are building a Windows server, what do you need, some random "security" guy going over your individual system choices (he may not know which ones lead to insecurities specifically) or another Windows specialist that is considering security, performance, ease of use and other IT factors too?
-
@Dashrender said:
This makes me think - a second pair of eyes is usually worth having to look at a problem to ensure you dotted all the i's and crossed all the t's.
And that is a big difference between SMBs and the enterprise space. In the enterprise you expect that people are checking on each other, reviewing things, looking over each other's shoulders, etc. In the SMB, you generally assume that it is one person working in a vacuum. You might get to hire someone to review major decisions, but that's rare and only on occasion. In the enterprise, I've seen shops where you have someone looking over your shoulder for every command run in production, every time.
-
@scottalanmiller said:
You don't lock down servers, the server people do that. You don't design a secure network, the network people do that. You don't have anything to do. It's a nonsensical department for all intents and purposes. And hence, probably why they don't exist in the real world. What is a "security expert" really?
I think people think testing what the server and network people did would be a full time job, like the configuration somehow would change daily or something.
-
@Dashrender said:
is an afterthought for most IT folks today.
It vastly depends on the company. It's not for us. We have approx. 25 IT staff (we have mostly generalists; I'm the Systems Engineer for the main DC site, which is not at corporate due to weather/tornadoes and such) plus DevOps to develop our in-house software. There is a lot of focus on security, but it's not just IT security. Our parking lots, buildings etc. are all gated with armed guards with shacks at every entrance. RFID + PIN are required to get in (at every location, not just this one).