A cybersecurity employee profile

As you laugh at my title, anticipating several paragraphs of satire, think about what I've just said, because I'm actually serious, to a degree. These three traits, paranoia, skepticism and a willingness to cheat, are mostly viewed in a negative light, but they can also be harnessed to deliver better security solutions. Just remember that little trick of moderation. Observe.

The Paranoid:

The first of these unlikely traits is paranoia. Security professionals are called to be somewhat distrustful of people and wary of their actions. The security professional's circle of trust is limited because he or she must be watchful for suspicious or malicious actions that could constitute a threat to company employees, data and systems. After all, insiders constitute one of the largest threats to information security. Combined with proper security training, this individual will raise the level of security in a company, saving it headaches and hardships down the road. While a multitude of threats need to be considered, not all can be acted upon. This is where paranoia must be moderated by logic, using a risk-based approach: consider each threat, then determine its likelihood of occurring and its impact on the organization.

To elaborate, the paranoid security professional considers many possibilities that others might not. For each of these possibilities, no matter how far-fetched it might seem, they must determine whether it presents a real threat to the organization by estimating its likelihood and impact. If the threat presents an unacceptable risk, action will need to be taken to reduce the likelihood, minimize the impact or transfer the risk, for example by implementing a security control or changing a process. Many things considered by the paranoid will be easily eliminated because they do not present enough of a threat, but the act of identifying them leaves your organization better prepared.

Mark Burnett provides a further illustration in his article Security for the Paranoid.  He says,

“I frequently see people posting PGP signed e-mails to security mailing lists…they just make it a practice to sign every e-mail, no matter how trivial it might be. Sure, these people are signing e-mails when it's really not important, but I doubt they get caught not signing when it is important.”

In other words, security professionals who always practice security will not neglect it accidentally when it is necessary. It is important to be vigilant. For example, locking your computer every time you step away from it prevents you from accidentally leaving it unlocked one day. You may think you will only grab a cup of coffee and be right back, but what happens if you are pulled into a meeting before you get back to your desk? It is better to create the habit of security when it is not necessary in order to be secure when it is necessary. At JURINNOV I call it my Security Pattern. Such “paranoid” security professionals, who consider all options, exercise caution and practice security always, can be a great asset to your team.


The Skeptic:

The second of my rather marginalized set of personality traits is skepticism. The skeptic does not take the claims of software, hardware, vendors or even users at face value. The skeptic understands that software claims are often idealized and that hardware may not perform to specification, so they plan for ways to maintain availability when such failures do occur. Similarly, when a user gives a reason for a security violation, the skeptical security professional tests that explanation to determine whether it is indeed the cause or whether something else is wrong.

The skeptic questions assumptions and seeks confirmation of claims. A recent article from the US Air Force Academy, titled Promoting Skepticism in the Security Classroom, not only recognized the importance of skepticism in security but advocated a project geared to promote it. The project taught students how digital signatures could be used to authenticate the sender of a message, but then tricked them into downloading malware that sent digitally signed messages from their machines to the professor without their knowledge. The experience made them more skeptical: a valid signature proves only that the signing key was used, not that the named sender saw or intended the message, so digitally signing e-mail alone is not enough to ensure its authenticity.
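The following is an added example, not code from the original post or from the Air Force Academy exercise, that reproduces the lesson above with Go's standard-library Ed25519: a recipient's Verify call returns true for a message the user composed and for one injected by code that merely has access to the same key, and only a message altered in transit fails. The message texts and the Signer type are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds a user's signing key, as a mail client that signs every
// outgoing message would. In the exercise described above, malware running
// under the student's account reached this same key. (Constructed type.)
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for the demonstration.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over the message bytes.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.priv, msg)
}

// Verify is what the recipient's client runs. It answers only "was this
// signed with the private key matching pub"; it says nothing about who or
// what invoked the signing code.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// composedByUser models a message the user actually typed and sent.
func composedByUser(s *Signer) ([]byte, []byte) {
	msg := []byte("Dear professor, the homework is attached.") // constructed
	return msg, s.Sign(msg)
}

// injectedByMalware models the exercise: code running with the user's
// privileges calls the same signing routine on text the user never saw.
func injectedByMalware(s *Signer) ([]byte, []byte) {
	msg := []byte("Dear professor, please reset my password to 'letmein'.") // constructed
	return msg, s.Sign(msg)
}

// VerifyBoth returns the recipient's verification result for each message,
// showing that signature validity alone cannot tell them apart.
func VerifyBoth(s *Signer) (userOK, malwareOK bool) {
	m1, sig1 := composedByUser(s)
	m2, sig2 := injectedByMalware(s)
	return Verify(s.pub, m1, sig1), Verify(s.pub, m2, sig2)
}

// Tampered shows what the signature does protect against: a message
// modified in transit no longer verifies. Returns the verification result.
func Tampered(s *Signer) bool {
	msg, sig := composedByUser(s)
	altered := append([]byte{}, msg...)
	altered[0] ^= 0x01 // flip one bit of the first byte
	return Verify(s.pub, altered, sig)
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	u, m := VerifyBoth(s)
	fmt.Printf("user-composed message verifies:    %v\n", u)
	fmt.Printf("malware-injected message verifies: %v\n", m)
	fmt.Printf("altered message verifies:          %v\n", Tampered(s))
}
```

Both of the first two results are true, which is the whole point: the verifier learns that the key was used, and the skeptic has to ask separately whether the key's owner was the one using it.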

Skeptical security professionals avoid many pitfalls in implementing security solutions because they do not assume security where it is not present. They confirm that security solutions work as expected, they implement procedures to handle failure cases, and they understand the implications of changes made to systems.


The Cheater:

There is a reason why the cheater was saved until last. This characteristic is the most overtly negative of the three, and its value will take some explaining. In the Star Trek series, a test called the Kobayashi Maru was administered to Starfleet cadets to measure their decision-making ability. They were given a no-win scenario, and the test analyzed their ability to recognize it. Captain Kirk beat the test by cheating and altering the rules of the game. Not only did he recognize the no-win scenario, but he thought outside the box to come up with a solution. An article in IEEE Security & Privacy references this test and explores the value of studying cheating methods. Researchers gave students a test they could not pass but encouraged them to cheat. If they were caught cheating, or if they did not cheat, they would fail the test. Those who did cheat were then asked to describe how they passed. The students came up with a variety of interesting ways of circumventing security.

Likewise, security professionals need to consider how users and attackers might bypass security measures so that security controls can be improved. For example, a security guard is required to look at a photo ID for each person entering the building and compare it to a list of authorized persons. Most people show a driver's license. One day an attacker shows a student ID and is granted access, since the name on it is on the list. Because the policy did not say that a government-issued photo ID was required, this person was allowed in with a student ID, which is much easier to fake. If security professionals consider scenarios like this, they can write better policies or enact controls to prevent such occurrences.

Attackers will seek out ways around security controls. They do not have to act according to company policy, nor should they be expected to. They are after your data, and they will take the easiest path to it. Protecting organizational data requires thinking through how systems or procedures might be compromised.



Today I looked at some characteristics of information security employees that are not normally considered. Your first inclination might be to think I've gone crazy. Why in the world would anyone, or any company, want to hire a paranoid, skeptical cheat for anything, let alone something as important as information security? This pessimistic list may seem far-fetched, even comical, but these attributes help secure companies from external and internal threats. The cheat thinks like those who attempt to destroy or steal company secrets. Paranoia in conjunction with skepticism keeps security professionals vigilant and thwarts people looking to mount an attack against a relaxed system. Lastly, individuals with these characteristics ask the questions necessary to keep systems secure. Just look for these traits in moderation.


For more information:

Paid Paranoia: Hiring Security Experts

Security for the Paranoid

Insider Threats


13 thoughts on “A cybersecurity employee profile”

  1. Do we agree that an employer's best performers are the top 20% of the employees in the position of interest? Do we also agree that all employers have their own top 20%? If employers hired only other employers' top performers, do you think we will have a shortfall of new hires? Won't 80% of our open positions stay open while we wait to entice away other employers' top performers? Why not hire and develop our own top performers? If we don't hire and develop our own top performers, we must rely on other employers mismanaging their top performers. Both ways work, but relying on other employers' mismanagement seems to me to be more time consuming, more risky and much less effective.

  2. For my part, I have refused to put up a web site, which a corporate recruiter recently questioned. She offered that all ‘professional people’ should have a website, and asked why I did not. I explained that websites ‘attract resumes’. I could almost see her blank stare on my screen.
