Excellent Article Paul...
Obstacle 1: Agree, and will add that this can also benefit the person if they may have done the opposite before leaving a company. Forced resignation and all. But certainly tracking the bad apples would be beneficial and hold them accountable for their decisions. I believe a bonus should be earned if you not only help make the company money but also help prevent the loss of said money.
Obstacle 2: I am finding this to be a reality. I find it more trying to defend against advanced attacks when you can't even implement security 101. Thankfully, though, where I am the audits are taken pretty seriously and are usually addressed within the first few months after. But that may be only because the current auditors are not as well trained. I am finding auditors are becoming much more technically savvy and are looking for things they never did in the past. I've seen a few IT folks move over to audit mainly because you no longer need to fix the problems; you can just report them. Maybe they are sick of trying to fix them only to be told it costs too much, blah blah blah. It certainly is easier to click a check box, especially if you know where to look.
Obstacle 3: Agree as well, but how do we do this? Do we sacrifice skills training for business classes? Do we take one of the SANS MGT courses over a SEC or FOR course? Do we go for an MBA or a MIA? Or do we look at day-long workshops to help gain a better focus? I personally don't want to leave the trenches anytime soon, but I find I am being asked to do so although I am not a manager nor care to be. Then again, do I have the aptitude to stay in the trenches? I think so; I just started in InfoSec (well, in concentrating on it), and I have no desire to put down the keyboard just yet.
Obstacle 3: So long as the staff is up to par and keeps improving their skill sets. I think heavy reliance on outsourcing your support causes this competitive advantage to decline. I am currently seeing the situation where ALL of your IT knowledge is in the hands of the outsourced company and almost none exists with your FT IT staff. I think it is important to keep the skills up on both sides so you essentially have FTEs with the knowledge to do the job, but they send the work to the outsourced staff to carry out. They then can focus their time on developing new and better solutions for the company; they may even develop a new product or service from this.
Obstacle 4: Partially agree on this one. This forum clearly shows there is a large number of new people wanting to be "hackers" or pen testers, but they seem to lack the base skills and understanding about the systems they want to hack. I partially agree because I think both the technical and business skills are needed equally. The DoD description of what they need does not reflect their target. They want highly trained people fresh out of college? We all know that typical MIS/CS majors graduate with information that is probably 5 yrs out of date. Unless of course they were gaining some real-world experience during school, but even those entry-level security jobs require experience. Essentially you want to groom people for these jobs: moving those with a strong base knowledge about technology into a security-focused job, then giving them incentives to build the business skills for that key person we need in that board room. Again, how do you do that with someone who wants to stay in the trenches or has no desire to be in that board room, mainly because they think nothing will get done either way?
Obstacle 5: Agree with this; my drive is not being bored. I think anyone with a legitimate love for what they do does it for that simple fact. I think having a love for all things InfoSec-related is no different. We enjoy a challenge, that is, a real challenge. I think in most enterprises the challenge isn't developing the solution, it is dealing with the red tape around getting it approved. We also love seeing something we created get implemented successfully. But if we are tasked to come up with a solution to something and then not see it implemented, or see it implemented poorly, we are left with a bitter taste in our mouth.
As you had mentioned before, there have been a lot of great talks at the security cons about what is wrong with the industry. In most cases those speakers are preaching to the choir. There are probably many of us that do know how to speak the business to the C-levels, but are they truly listening? Do they even care? Have they ever seen something like the anatomy of a virus? Seeing something so small destroy a company because a single simple patch was not installed or proper network ACLs were not in place to prevent the spread of a worm? I like the point that security managers need to be able to tell someone above them, "No, we cannot do that, and here's why..." If they are worth their salt, they shouldn't need to worry about finding another job if they are fired for disagreeing. Which brings us back to the first obstacle: sure, I was asked to resign, but here is why, and hand over the signed documents.