Lamont29
Community Champion

All areas of responsibility are important!

There seems to be this underlying disdain for ‘non-technical’ CISSPs in this forum. Let me clear some things up right quick. There’s no occupation more formidable than the military and the IC where information security is most at work. The technical end of it is important, but the GRC end of it is even MORE important in my opinion. We as security professionals must understand that there are various domains of work and all of them must support the organization’s strategic objectives. Absent supporting a business’ strategic objectives, what do you have really?

 

Learning a piece of hardware is very linear. There’s no wow factor in implementing security on a firewall or router – a person of marginal intelligence should be able to do that. Now tying all of the security functionality with policies that support the business’s strategic goals, now that’s where the CISSP earns their money. When I was an enlisted soldier, I thought less of the officers as they strategized on GRC. When I became an officer, I certainly did not think less of the technicians that I managed. Everyone performs in their domains and areas of responsibility. There’s no such thing as a technician being ‘better’ or executives being ‘better’ in either case. It’s more important that the technicians understand the governance than for the CIO, CISO or any other high-ranking executive to understand how to patch a server. The executive-level person should understand their requirements, which turns me back to one of my other posts.

 

 

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
8 Replies
Baechle
Advocate I

Lamont,

 

I think that a lot of folks that pursue the CISSP come from Information Systems and Technology backgrounds.  While I took a small detour through the IS&T world, most of my CISSP-toting former coworkers came from surprisingly different careers before landing in Cyber-counterintelligence and Incident Response:

 

One of my colleagues, and my former supervisor before he retired as a Major from the military and became a contractor, came from the Ammo career field before undertaking an IS&T Security risk management role.  The value he brought to the table was being able to understand and articulate how a change to IS&T would impact combat support operations.

 

Another colleague, and a mentor that really brought me over from the tech to the policy world, came from the Nuclear Surety career field.  This guy REALLY understood both the value of risk management and process improvement, which increased the safety and reliability of his target platforms, and the value of proving to management that he got those results.

 

Yet another colleague came from the Intelligence career field.  She brought with her the ability to assess and articulate threats and vulnerabilities using metrics that leaders could understand.  She was astute in taking the raw technical details from the IS&T operators and maintainers and translating that into plain language for her audience; and taking leadership intent and priorities and translating that into technical action plans for the operators and maintainers.

 

While these folks were all smart enough to go crack open a book, or scan the Internet for step by step guides, they didn’t have the day to day exposure with the systems that would enable them to walk up to a router or switch, a Microsoft or *nix system, etc. and make the changes themselves.  But the CISSP CBK is what brought these folks together and made them enablers both up and down the chain of command for leadership and the operators.

Sincerely,

 

Eric B.

Lamont29
Community Champion


@Baechle wrote:

 

"While these folks were all smart enough to go crack open a book, or scan the Internet for step by step guides, they didn’t have the day to day exposure with the systems that would enable them to walk up to a router or switch, a Microsoft or *nix system, etc. and make the changes themselves.  But the CISSP CBK is what brought these folks together and made them enablers both up and down the chain of command for leadership and the operators."

Sincerely,

 

Eric B.


Well, my reason for posting this particular topic was my intended purpose to remind my colleagues that the CISSP is holistic. Without a strategic objective, technical personnel are just 'spinning wheels' and working in a vacuum. Business Continuity & Disaster Recovery personnel get overlooked in our profession, especially when they do their jobs well. Project Management is never considered in the realm of Information Security by those who are so focused on the 'technical' end of things.

 

I leave this conversation by saying that ALL of the domains are inter-related and they are ALL important. Senior management, though they may not be 'technical' are the stalwarts in the business that drive the strategic vision. I have great respect for one of my senior leaders in the US Army who was not 'technical' in the least bit, but he certainly knew the requirements of our organization and was a master at communicating the strategy in such a way that we were well-resourced with the tools and funding that we required. He kept everyone on board, striving to achieve that organizational goal and vision. This is the most important role that a CISSP may find themselves in.

 

An individual of marginal intelligence can always learn Active Directory, VPNs, VLANs, IPS/IDS, SIEM and most any other technology implementation without much fanfare. All that's required there is to give such an individual a book and leave them alone for a few hours. However, leading the security strategy for an organization takes a lot more critical thinking than the linear implementations and mitigation steps that are normally required for any given technical solution.

 

 

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
Caute_cautim
Community Champion


@Lamont29 wrote:

An individual of marginal intelligence can always learn Active Directory, VPNs, VLANs, IPS/IDS, SIEM and most any other technology implementation without much fanfare. All that's required there is to give such an individual a book and leave them alone for a few hours. However, leading the security strategy for an organization takes a lot more critical thinking than the linear implementations and mitigation steps that are normally required for any given technical solution.

 

I agree wholeheartedly; applying the principles involves critical thinking, which has to be embedded.  On many an occasion, a lot of us do not have the luxury of time; we inherently have to apply the principles and think critically, whilst conducting mental risk management and actively listening to those around one.  We are often called to think through the issues, due to the urgency of the situation.  Unplanned circumstances occur all the time, and we have to be prepared to also have the confidence to make room to think and not be cajoled or forced into making incorrect recommendations or decisions.


 

CEMyers
Newcomer III

Let’s hear it for leading through business-oriented risk assessment and management and requirements-led design and development. As you say, anyone can configure a box and many can do it skilfully, but is it appropriate to the business need of the organisation (including legal and regulatory requirements), can it be used and managed appropriately (policy, standards, and guidelines), and does it provide appropriate use of mechanisms to address the risk posed by a threat source exploiting a vulnerability? As is correctly stated, addressing all of this is where the real skill and professionalism lies.  This requires policy, procedural, personnel, physical and technical measures to be applied. Remember, not all risk has a cost-effective and proportionate technical response. A man with a gun on the door will always give pause for thought, whereas “if it can be built it can be broken” is as true now as it has always been.

Steve-Wilme
Advocate II

Well said.  Everyone has something to contribute no matter their ability level, background, academic and technical experience, life experience, race, gender, sexual orientation, religion etc.  Google "the Convention for the Protection of Human Rights and Fundamental Freedoms" from 1953 and understand its historical significance in post-war Europe if anyone on the forum truly believes that humans abusing each other in any context is a good thing.

 

Or spend 9½ hours watching Lanzmann's Shoah, an oral history of the Holocaust using first-person testimony.  Cross the road by the American Embassy in Warsaw, near the old town, and the rail tracks are still visible in the paving as you look down.  Or visit Dubrovnik and think through the whole break-up of Yugoslavia.  I guess just read up on the civil rights movement.  Civilisation and communities are built together, not by antagonism.  On any normal day I'm going to defend the worst performer in a group rather than attack them.  But then I would say all that as I'm just a bit of an old hippy at heart.

 

And no, I'm not a CISO, nor do I want to be one, and I've worked for a few.  Yes, I have some of the qualifications CISOs have and yes, I've got books that CISOs have probably read, because you need to understand that role if you work in InfoSec, so you can speak the same language and get your head around what you're being asked to do.  Being the average Joe in InfoSec is good enough.  Do your CPEs, keep up to date in your niche and know your limitations.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Steve-Wilme
Advocate II

A bit vague on my background; 

Whilst my school friends joined the forces, I quit my factory job, went back to school, did a degree in Psychology, then an IT conversion course, joined a Data Processing department, did a bit of everything from programming to analysis, testing, networking, building servers, site installs etc., then development and support, ran teams and projects and bailed out at 31 into telecoms and hosting outside IT.  The telecoms bust followed the dot.com bubble, so I approached a few former clients.  Not the “big I am”, but more of a “is there anything I could do for you?”  Just roll with the fads and fashions of what we’re calling business vs. IT vs. InfoSec vs. Cyber each decade.  Be patient, be resilient, be flexible,


avoid the politics and pettiness; no really!  Think not what you want, but what you’d like and what you need … lifecycle of earnings, professional career longevity.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CISOScott
Community Champion

Or if you are a Holocaust denier, you can look at what happened to the civilians as the German forces crossed into Russia and see the depravity of the human being. They raped, tortured, mutilated, did sadistic things, etc. to the people, animals, and land they came across. Then when the tide turned and Russia started back into Germany, that army did the same things to the civilians they came across in retaliation for what was "done" to their civilians. There is a reason they say "War is Hell." When you see the psychological horror of what the human being is capable of during the most dire of circumstances and a position of power, it is truly disheartening.