Are your security professionals qualified?

Many don't know what they don't know

Become An Insider

Sign up now and get FREE access to hundreds of Insider articles, guides, reviews, interviews, blogs, and other premium content. Learn more.

Several lessons have been derived from the recent iCloud security incident, but the most important for me is how it demonstrates the ignorance of many security professionals, an ignorance that calls their management into question.

When the iCloud hack started hitting the news, it generated a lot of discussions among security personnel. Many of them grasped the underlying concepts reasonably well. Unfortunately, though, some of the conversations demonstrated a clear lack of understanding of fundamental security concepts.

As is widely known by now, a hacker was able to compromise the Amazon.com and iCloud accounts of a Wired reporter. The accounts were compromised as a result of operational security flaws in the password reset processes of the respective organizations. The attack itself was rather involved, but at bottom it was a fairly straightforward social engineering type of attack.

One thing that is clear is that the strength of the account passwords was completely irrelevant, since the attacker simply needed the password reset. Why, then, would someone who is supposed to be a security professional argue that the attack would not have been successful if the passwords had been stronger?

When I read that comment from a self-identified security professional online, I had to wonder about his qualifications. I soon learned that he had been reassigned to the information security department from another department and had no formal security training before the reassignment. That isn't the problem, though. The problem is that this person was not provided any training after the reassignment and did not seek it out.

This situation is not unique among Fortune 500 companies. Many companies have a hiring freeze, while also conducting layoffs. Frequently, that means that the security departments have to take whomever they can get. Even if there isn't a hiring freeze, many companies have a habit of encouraging employees to rotate internally for professional development purposes. This has the effect of encouraging security managers to accept people whom they might not otherwise choose.

To continue reading this article register now

Enterprise mobility 2018: UEM is the next step
  
Shop Tech Products at Amazon