Caute_cautim
Community Champion

Should everyone become security professionals?

Given the article from Dark Reading this morning:

https://www.darkreading.com/cloud/russia-facebook-and-cybersecurity-combating-weaponized-fud-in-the-...

What are your thoughts on this subject? Should everyone become security professionals?

Regards

Caute_cautim

8 Replies
4d4m
Newcomer III

I don't think security pros is the right phrase in the context of the article. I do think people should learn about critical thinking, and use it.

Do people need to understand the risk of what they are doing? Absolutely yes. In order to do that they need to know the risk. Does everyone need to be a security pro? No, and they won't because it just doesn't interest everyone.

Adam

Chuxing
Community Champion

This is not about whether everyone should be a security pro; it is about how common users treat information and misinformation.

The entire society is undergoing a transition with information overload, and unfortunately many subconsciously believe 'it is on the Internet thus must be true'.

Misinformation providers are rehashing Nazi propagandist Joseph Goebbels' playbook: “A lie told once remains a lie but a lie told a thousand times becomes the truth”, and the Internet makes it so easy to accomplish that objective.

Personally I don't think AI or other tools can solve that.

____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
SteveLavoie
Newcomer III

Well, everyone should be security aware, from the users to the sysadmin. The greater their role, the greater the training they should have. Eventually more knowledge will become common knowledge, like other knowledge in the past such as TCP/IP, which became a normal thing to know years later. But sec pros will have to surf on this wave to stay relevant and on the edge. So yes, people will become better at security, but it will not make them sec pros.
CraginS
Defender I

No, of course not!

Should everyone become physicians?

Should everyone become attorneys?

Should everyone become pharmacists?

Should everyone become Certified Public Accountants?

Should everyone become climatologists?

For closely related discussion, see the thread Cybersecurity is Everyone's Job.

(Hint: No it isn't.)

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
denbesten
Community Champion

Should everyone become physicians?

No, but I should know enough to decide between a bandaid, scheduling with my regular doctor, heading to the ER or calling EMS.

Should everyone become attorneys?

No, but I should know how to react when pulled over and what I can reasonably say/do before asking to speak to my lawyer. If you start by lawyering up, you guarantee yourself a trip in a squad car, and if you don't lawyer up soon enough, it is even worse.

Should everyone become pharmacists?

No, but I need to know what my prescriptions are supposed to do, and more importantly what they are NOT supposed to do. I also need to know not to take two drugs together that both contain acetaminophen due to the risk of overdose.

Should everyone become Certified Public Accountants?

No, but I should know how to balance my checkbook and file my taxes using simple guides, such as taxcut.

Should everyone become climatologists?

No, but I should be able to look at the radar map to decide if I can finish mowing my lawn before seeking shelter.

Security is no different. Everybody needs a novice understanding so that they can appropriately handle the routine and so they can effectively escalate issues that may arise.

In this respect, security is part of everybody's job, but it is only a significant focus for the security professionals.

CraginS
Defender I

In the Dark Reading article cited at the top of this thread, Mike Convertino concluded his essay with the totally stupid statement,

"In the age of weaponized FUD, it's up to all of us to become security pros."

That prompted @Caute_cautim's question to this group.

Everyone who has commented in the thread gets it: People need a basic survival level of awareness, and we need to improve the ability of the general population to engage in critical thinking. (Thanks, @4d4m.) @denbesten properly finished the logic I launched, describing the difference between daily survival knowledge and professional level knowledge.

We, as professionals, have two challenges:

1. What are the basic cybersec survival skills everyone really needs in today's digital environment?

2. How and when can we share that knowledge effectively?

Maybe the (ISC)2 Safe & Secure program is a good start.

If you have ideas on either of those questions, please do not continue this thread to propose those ideas. Instead, launch a new thread that addresses one or both of the questions. That will make topic discovery for Community members much more effective.

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
rslade
Influencer II

First, as to the title, should everyone become security professionals? No, when you add "professionals." Not everyone needs to get a CISSP. Not everyone is going to manage security, or consult on it, or advise.

But, yes, as @denbesten has pointed out, everyone needs to be able to manage their own security, and their own risks, as they go through life. And the level of knowledge that is needed is, at the moment, basically defined as "more than they currently know." It's rather galling, as a security curmudgeon, to look around at society, and back over the past few decades, and note that we live in a society increasingly (and usually critically) dependent upon science and technology, and to note that the proportion of the population that actually understands the technology is not only not growing, it seems to be shrinking. The vast majority of the population not only considers technology as a sort of magic, but appears to be positively proud of being ignorant of it!

(I rather like the sentiment of the cartoon that seems to be associated with the article, promoting the idea of personal responsibility.)

Right. The article itself. Well, it seems to dwell very heavily on being able to assess lies and misinformation on the Internet and social media. And, yes, I would generally agree with the sentiment: one of the things that people need to be able to do, with greater accuracy and facility, is figure out when they are being lied to. It's important to politics (and, in that regard, one helpful resource is the Pro-Truth Pledge project) as portrayed in the article, but it's also important for those trying to avoid viruses, drive-by downloads, phishing, advance fee frauds, and all kinds of other dangers that are all too prevalent in our society.

(Being a security curmudgeon means constantly being embarrassed by your friends and family, like the time that my mother walked into the biggest security conference in the city and admitted that she had just been phished, or the two [TWO!] times that my father-in-law very narrowly avoided being victimized by the grandparent scam. One is constantly reminded of the various attempts to create an "Internet Driving Licence" and, even though I know there is pretty much a zero chance that one will actually come to pass, I have to have sympathy for the motivation behind the idea.)

But there are plenty of other instances of security, that the article doesn't even touch upon, that should be in the toolkit of every single user. (When was the last time you made a backup? Go ahead, you can go do it now. The article will still be here when you get back.)

(There. Don't you feel better?)

And, yes, this issue of security awareness, and how far we have to go, and what is a basic necessary syllabus, is a constant discussion in our field. (And thank you, @CraginS, for providing the full title, although, given the shortcomings of the search function on the "community" it is almost easier to search Google with "site:community.isc2.org" as a term, and it would have been nice if you had actually created a link to the NIST NICE discussion.)

In regard to the NICE (National Initiative for Cybersecurity Education) document ("Cybersecurity is Everyone’s Job") (and, for those who get caught by the breakage of the other discussion's links, here's a link to the NIST NICE page for the document), it's nice, but it's not great. It's a fairly banal and pedestrian security awareness document, and I doubt that it will interest anyone in a) reading it, b) thinking about it, c) finding out more about information security, or d) changing their behaviour in any way. We see all too many of these efforts: well-meaning, yes, but not written in such a way as to make any difference.

For example, every section of the book/pamphlet, under the "What we all should do" part, mandates "Do not use public Wi-Fi without VPN." What, never? Now, I assume we can all agree that it is probably best not to log into your company's back end research repository from unsecured public wifi in a coffee shop in [a country which will not be named but is infamous for surveillance of its own citizens and particularly foreigners]. But never using public wifi at all? Even for a Google search, or using a map app? I mean, there are some variations in importance, here. (And we've got another discussion on some possibilities elsewhere on the "community.")

If you want an example of a guidebook that might have a chance, I'd suggest you look at "Information Security Awareness Basics," written by Fred Cohen. Fred's books are all rather odd, at first glance. They are never what you expect. Which is good: we've seen all kinds of books that don't work, so doing something different stands a chance of succeeding. In this case, Cohen starts out with some very simple physical security basics, like improving the security of your purse at your desk. This is a) possible for ordinary employees to do, and b) of use to them. Starting out this way gives them a reason to be interested and continue to read, and you can then start to move into some of the areas that we might consider more significant. (You've got to start where people are.)

Should everyone be a security professional? No. Should everyone know more about information security? Yes.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Caute_cautim
Community Champion

"Right. The article itself. Well, it seems to dwell very heavily on being able to assess lies and misinformation on the Internet and social media." This is the next barrier, in terms of what a human will believe, and also, as AI is now under attack itself, what can you really believe? If AI is under attack, how much trust can we put in it, or in the human beings who feed it along with all their inherent bias?