Paranoid, Skeptical, Cheater Wanted for Security Position: Compensation Commensurate with Experience

As you laugh at my title, anticipating several paragraphs of satire, think about what I’ve just said because I’m serious…to a degree.  These traits, mostly viewed in a negative light, can also be harnessed to deliver better security solutions.  Just remember that little trick of moderation.  Observe.

The Paranoid:

The first of these unlikely traits is paranoia.   Security professionals are called to be somewhat distrustful of people and wary of their actions.   The security professional’s circle of trust is limited because he or she must be watchful for suspicious or malicious activities that could constitute a threat to company employees, data, and systems.  After all, insiders represent one of the largest threats to information security.  Combined with proper security training, this individual will raise the level of security in a company, thus saving the company headaches and hardships down the road.   While a multitude of threats needs to be considered, not all can be acted upon.  This is where paranoia must be moderated by logic: a risk-based approach first recognizes the threats and then determines the likelihood of each occurring and its impact on the organization.

To elaborate, the paranoid security professional considers many possibilities that others might not.  For each of these possibilities, no matter how far-fetched it might seem, he or she must determine whether it presents a real threat to the organization by assessing the likelihood and impact.  If the threat does present an unacceptable risk to the organization, action will need to be taken to reduce the probability of the threat, minimize the impact, or transfer the risk, whether by implementing a security control, changing a process, or similar measures.  Many things considered by the paranoid might be quickly eliminated because they do not present enough of a threat, but the act of identifying such things will enable your organization to be better prepared.

Mark Burnett provides a further illustration in his article Security for the Paranoid.  He says,

“I frequently see people posting PGP signed e-mails to security mailing lists…they just make it a practice to sign every e-mail, no matter how trivial it might be.  Sure, these people are signing e-mails when it’s really not important, but I doubt they get caught not signing when it is important.”

In other words, security professionals who always practice security will not neglect it accidentally when it is necessary.  It is important to be vigilant.  For example, locking your computer every time you step away from it will prevent you from accidentally leaving it unlocked one day.  You may think you will only grab a cup of coffee and be right back, but what happens if you are pulled into a meeting before you get back to your desk?  It is better to build the habit of security when it is not strictly necessary, so that you are secure when it is needed.  At JURINNOV we call it our Security Pattern.  Such “paranoid” security professionals, who consider all options, exercise caution, and always practice security, can be a great asset to your team.

The Skeptic:

The second of our rather marginalized set of personality traits is skepticism.   The skeptic does not take the claims of software, hardware, vendors or even users at face value.  The skeptic understands that software claims are often idealized and that equipment may not perform to specifications, so they consider ways to ensure availability when such problems do occur.  Similarly, when a user gives a reason for a security violation, the skeptical security professional tests the theory to determine if that is indeed the cause or if something else is wrong.

The skeptic questions assumptions and seeks confirmation of claims.  A recent article from the US Air Force Academy, titled Promoting Skepticism in the Security Classroom, not only recognized the importance of skepticism in security but advocated a project geared to promote skepticism.  The project taught students how digital signatures could be used to validate the identity of others, but then tricked them into downloading malware that sent digitally signed messages from their machines to the professor without their knowledge.  The experience caused them to be more skeptical and to consider that digitally signing emails alone is not enough to ensure the authenticity of a message.

Skeptical security professionals avoid many pitfalls in implementing security solutions because they do not assume security where it is not present.  They confirm that security solutions work as expected, they perform procedures to handle failure cases, and they understand the implications of changes made to systems.

The Cheater:

There is a reason why the cheater was saved until last.  This characteristic is the most overtly negative of the three, and its value will take some explaining.  In the Star Trek series, a test called the Kobayashi Maru was administered to Starfleet cadets to measure their decision-making ability.  They were given a no-win scenario, and the test analyzed their ability to recognize this.  Captain Kirk beat the test by cheating and altering the rules of the game.  Not only did Kirk recognize the no-win scenario, but he thought out of the box to come up with a solution.  An article in the IEEE Security & Privacy journal references this test and explores the value of exploring cheating methods.  Researchers gave students a test they could not pass but encouraged them to cheat.  If they were caught cheating, or if they did not cheat, they would fail the test.  Those who did cheat were then asked to describe how they passed the test.  The students came up with a variety of interesting ways of circumventing security.

Likewise, security professionals need to consider how users and attackers might bypass security measures so that security controls can be improved.  For example, a security guard is required to look at a photo ID for each person entering the building and compare it to a list of authorized persons.  Most people show a driver’s license.  One day an attacker shows a student ID and is granted access since their name is on the list.  Since the policy did not say that a government-issued photo ID was required, this person was allowed access without one, even though student IDs are much easier to fake.  If security professionals consider scenarios like this, then they can create better policies or enact controls to prevent such occurrences.

Attackers will seek out ways around security controls.  They do not have to act according to company policy nor should they be expected to.  They are after your data, and they will seek the easiest way to their goal.  Protecting organizational data requires thought into how systems or procedures might be compromised.

This pessimistic list may seem far-fetched, even comical, but these attributes help secure companies from external and internal infringement.  The cheater thinks like those who attempt to destroy or steal company secrets.  Paranoia in conjunction with skepticism keeps security professionals vigilant and thwarts people looking to mount an attack against a relaxed system.  Lastly, individuals with these characteristics ask the questions necessary to keep systems secure.  Just look for these traits in moderation.


13 thoughts on “Paranoid, Skeptical, Cheater Wanted for Security Position: Compensation Commensurate with Experience”

  1. Do we agree that an employer’s best performers are the top 20% of the employees in the position of interest? Do we also agree that all employers have their own top 20%? If employers hired only other employers’ top performers, do you think we will have a shortfall of new hires? Won’t 80% of our open positions stay open while we wait to entice away other employers’ top performers? Why not hire and develop our own top performers? If we don’t hire and develop our own top performers, we must rely on other employers mismanaging their top performers. Both ways work, but relying on other employers’ mismanagement seems to me to be more time consuming, more risky and much less effective.

  2. For my part, I have refused to put up a web site, which a corporate recruiter recently questioned. She offered that all ‘professional people’ should have a website, and asked why I did not. I explained that websites ‘attract resumes’. I could almost see her blank stare on my screen.

