Contributor I

All areas of responsibility are important!

There seems to be this underlying disdain for ‘non-technical’ CISSPs in this forum. Let me clear some things up right quick. There’s no occupation more formidable than the military and the IC where information security is most at work. The technical end of it is important, but the GRC end of it is even MORE important in my opinion. We as security professionals must understand that there are various domains of work and all of them must support the organization’s strategic objectives. Absent supporting a business’ strategic objectives, what do you have really?


Learning a piece of hardware is very linear. There’s no wow factor in implementing security on a firewall or router – a person of marginal intelligence should be able to do that. Now tying all of the security functionality with policies that support the business’s strategic goals, now that’s where the CISSP earns their money. When I was an enlisted soldier, I thought less of the officers as they strategized on GRC. When I became an officer, I certainly did not think less of the technicians that I managed. Everyone performs in their domains and areas of responsibility. There’s no such thing as a technician being ‘better’ or executives being ‘better’ in either case. It’s more important that the technicians understand the governance than for the CIO, CISO or any other high-ranking executive to understand how to patch a server. The executive-level person should understand their requirements, which turns me back to one of my other posts.


Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, Security+, MCSE
4 Replies
Contributor II

Re: All areas of responsibility are important!

Lamont,


I think that a lot of folks that pursue the CISSP come from Information Systems and Technology backgrounds. While I took a small detour through the IS&T world, most of my CISSP-toting former coworkers came from surprisingly different careers before landing in Cyber-counterintelligence and Incident Response:


One of my colleagues, and my former supervisor before he retired as a Major from the military and became a contractor, came from the Ammo career field before undertaking an IS&T Security risk management role. The value he brought to the table was being able to understand and articulate how a change to IS&T would impact combat support operations.


Another colleague, and a mentor that really brought me over from the tech to the policy world, came from the Nuclear Surety career field. This guy REALLY understood both the value of risk management and process improvement that increased the safety and reliability of his target platforms, and proving that he got those results to management.


Yet another colleague came from the Intelligence career field. She brought with her the ability to assess and articulate threats and vulnerabilities using metrics that leaders could understand. She was astute in taking the raw technical details from the IS&T operators and maintainers and translating that into plain language for her audience, and in taking leadership intent and priorities and translating that into technical action plans for the operators and maintainers.


While these folks were all smart enough to go crack open a book, or scan the Internet for step-by-step guides, they didn’t have the day-to-day exposure with the systems that would enable them to walk up to a router or switch, a Microsoft or *nix system, etc. and make the changes themselves. But the CISSP CBK is what brought these folks together and made them enablers both up and down the chain of command for leadership and the operators.

Sincerely,


Eric B.

Contributor I

Re: All areas of responsibility are important!


@Baechle wrote:

"While these folks were all smart enough to go crack open a book, or scan the Internet for step-by-step guides, they didn’t have the day-to-day exposure with the systems that would enable them to walk up to a router or switch, a Microsoft or *nix system, etc. and make the changes themselves. But the CISSP CBK is what brought these folks together and made them enablers both up and down the chain of command for leadership and the operators."

Sincerely,


Eric B.


Well, my reason for posting this particular topic was my intended purpose to remind my colleagues that the CISSP is holistic. Without a strategic objective, technical personnel are just 'spinning wheels' and working in a vacuum. Business Continuity & Disaster Recovery personnel get overlooked in our profession, especially when they do their jobs well. Project Management is never considered in the realm of Information Security by those who are so focused on the 'technical' end of things.


I leave this conversation by saying that ALL of the domains are inter-related and they are ALL important. Senior management, though they may not be 'technical', are the stalwarts in the business that drive the strategic vision. I have great respect for one of my senior leaders in the US Army who was not 'technical' in the least bit, but he certainly knew the requirements of our organization and was a master at communicating the strategy in such a way that we were well-resourced with the tools and funding that we required. He kept everyone on board, striving to achieve that organizational goal and vision. This is the most important role that a CISSP may find themselves in.


An individual of marginal intelligence can always learn Active Directory, VPNs, VLANs, IPS/IDS, SIEM and most any other technology implementation without much fanfare. All that's required there is to give such an individual a book and leave them alone for a few hours. However, leading the security strategy for an organization takes a lot more critical thinking than the linear implementation and mitigation steps that are normally required for any given technical solution.


Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, Security+, MCSE
Contributor II

Re: All areas of responsibility are important!


@Lamont29 wrote:

@Baechle wrote:


"While these folks were all smart enough to go crack open a book, or scan the Internet for step-by-step guides, they didn’t have the day-to-day exposure with the systems that would enable them to walk up to a router or switch, a Microsoft or *nix system, etc. and make the changes themselves. But the CISSP CBK is what brought these folks together and made them enablers both up and down the chain of command for leadership and the operators."

Sincerely,


Eric B.


Well, my reason for posting this particular topic was my intended purpose to remind my colleagues that the CISSP is holistic. Without a strategic objective, technical personnel are just 'spinning wheels' and working in a vacuum. Business Continuity & Disaster Recovery personnel get overlooked in our profession, especially when they do their jobs well. Project Management is never considered in the realm of Information Security by those who are so focused on the 'technical' end of things.


I leave this conversation by saying that ALL of the domains are inter-related and they are ALL important. Senior management, though they may not be 'technical', are the stalwarts in the business that drive the strategic vision. I have great respect for one of my senior leaders in the US Army who was not 'technical' in the least bit, but he certainly knew the requirements of our organization and was a master at communicating the strategy in such a way that we were well-resourced with the tools and funding that we required. He kept everyone on board, striving to achieve that organizational goal and vision. This is the most important role that a CISSP may find themselves in.


An individual of marginal intelligence can always learn Active Directory, VPNs, VLANs, IPS/IDS, SIEM and most any other technology implementation without much fanfare. All that's required there is to give such an individual a book and leave them alone for a few hours. However, leading the security strategy for an organization takes a lot more critical thinking than the linear implementation and mitigation steps that are normally required for any given technical solution.


I agree wholeheartedly: applying the principles involves critical thinking, which has to be embedded. On many an occasion, a lot of us do not have the luxury of time; we inherently have to apply the principles and think critically, whilst conducting a mental risk management and actively listening to those around us. We are often called to think through the issues, due to the urgency of the situation. Unplanned circumstances occur all the time, and we have to be prepared to also have the confidence to make room to think and not be cajoled or forced into making incorrect recommendations or decisions.


Newcomer II

Re: All areas of responsibility are important!

Let’s hear it for leading through business-oriented risk assessment and management and requirements-led design and development. As you say, anyone can configure a box and many can do it skilfully, but is it appropriate to the business need of the organisation (including legal and regulatory requirements), can it be used and managed appropriately (policy, standards, and guidelines), and does it provide appropriate use of mechanisms to address the risk posed by a threat source exploiting a vulnerability? As is correctly stated, addressing all of this is where the real skill and professionalism lies. This requires policy, procedural, personnel, physical and technical measures to be applied. Remember, not all risk has a cost-effective and proportionate technical response. A man with a gun on the door will always give pause for thought, whereas ‘if it can be built it can be broken’ is as true now as it has always been.