Thoughts on Latest SANS Whitepaper

I read about the new SANS paper IT Security Industry Changes: Trouble on the Horizon (September 2006) (.pdf) in this NewsBites issue. Here are some excerpts and my reactions.

Over the past six months, SANS Technology Institute's Stephen Northcutt has been gathering data and stories from security managers in more than 100 US organizations searching for patterns in job changes of security managers and the consultants who support them. The research was triggered by multiple emails from security managers who were facing reorganizations. His conclusions, albeit preliminary, paint a worrisome picture of job prospects for ill-equipped security managers, but also offer promise of some opportunities for success and advancement.

That's an interesting project. Let's read more.

[S]enior executives began to feel more comfortable voicing their frustration that they were wasting money paying for hugely expensive people and compliance reports that probably were not needed and that often had no impact on their ability to stop attacks or avoid disclosure of private information. The senior executives pushed back on budget requests, asking exactly what they would get in decreased risk from each of the expenditures. When they got answers they didn't like, they looked for ways to reorganize. Numerous security managers were pushed out as their responsibilities were moved to IT operations or audit or risk management groups.

Stephen continues by implying that these fired security managers lacked real technical skills and could not do much more than write reports. However...

Government is the one area where soft security skills, like policy and report writing, are still in demand, both in security staff and in consultants. The US Congress and the White House passed and implemented legislation (the Federal Information Security Management Act) that rates federal agencies less on whether their systems are protected from attack and more on whether agencies have written security evaluation reports for every system. Consulting firms have gotten rich writing those reports. One CEO reported that his firm had grown from three people doing security evaluations to 175 people writing FISMA reports, in just five years.

Does that make any else sick? It makes me ill.

Recent public disclosure of huge security failings, however, have caused government officials to review FISMA, particularly how it is implemented. Change seems to be in the air. That same CEO reported that 75% of his 175 FISMA folk today have soft skills and only 25% have solid technical security skills. He sees the need for that mix of skills to be reversed, within the next year or so, or the business "will dry up."

That is awesome. It probably explains why TaoSecurity continues to receive calls from firms inside-the-Beltway (and beyond) wishing to "team" to provide technical services to .gov clients, instead of just certification and accreditation.