Click to learn more about author David Schlesinger.
Deep down in the basement of your enterprise; in the hidden and dark places amid humming servers and racks of mysterious blinking equipment resides your cyber security staff. Pony tails, Red Bull cans, and black T-shirts identify some of the most devious and clever people in your company. Devious because they must learn to think like hackers to be able to foil them. Clever, because they know how to wield strange and complex cyber tools to find and fix security problems, perhaps even fix data problems.
You see, most IT professionals seek to present accurate and timely data to their customers when it is needed to conduct business. While this is certainly needful and rewarded, it is often done at the expense of any protection for the data against misuse, unauthorized alteration, or theft.
Alas, the world has changed. The Internet travels everywhere: Asian schoolgirls and European thugs are both interested in what is behind your firewalls. Some peek in for mere curiosity and others for data theft and sale on the dark web.
(Note: If you don’t know about the “Dark Web” and you might want to do a web search on “Dark Web,” do not use Google for this search. All your Google, Yahoo, and Bing search requests are kept forever and traceable to you. Use duckduckgo.com; a privacy web search engine. Who knows, “Dark Web” might one day be of interest to some agency of some government and all past searches for this might be called in and looked at. Your name and IP address would be among them. They might then review every web search you ever made. This is a little chilling. Duckduckgo.com does not log IP addressess. Just sayin’…)
But I digress – back to the basement.
Cyber security folks are usually up to their backsides in alligators so they will be very busy, but they are always willing to help those in need. To get together successfully with them you must choose your cyber confederates wisely. There are three types of folks in the average cyber security group, and they fall into these broad categories:
- The Totally Paranoid: They feel that every email, document, and web page is out to get the unwary user. They went all data to be classified as Tippy-Top-Secret, and all data and users to be encrypted and only open their computers using a pass phrase of 27 random characters or longer, and then add the secret numbers from their personal security dongle. They are well intended but somewhat fanatical and would stop the business if they had the power to implement all their ideas. Avoid them please.
- The Technoids: This group is so immersed in the technical part of cyber security that they do not fully comprehend business at all. They wish to left out of all business discussions, as that is not their job. Data is for others to manage, do not give them work to do that they do not understand nor want to understand. They are usually found typing in complex codes by night or day. They think Linux is simple. You may pass this group by, they actually think in binary code.
- The Gamers: These are security professionals who have fun doing what they do. They treat the cyber battle as a game and play it as hard as they do World of Warcraft. They have energy, professional training, and creativity. Given the challenge to work with data professionals to protect information they will be delighted. Bring along Type 3 cyber security professionals to meetings when new applications are planned. Tell that about the data you are using, and point out the data that is sensitive to laws and policies such as HIPAA, PCI, Sarbanes-Oxley, EU/45, etc.
You may find resistance to adding them to the meetings from other business analysts and developers who have always viewed security as a burdensome add-on. This attitude is often because:
- They invited security type 1 or 2 to previous meetings. (Disaster!)
- They excluded all security people from all meetings and considerations until the day before product launch. When the security people finally exposed all the insecure processes they built, the developers had to fix them at the last minute and they felt this to be onerous and slowing them down.
By including the Type 3 cyber security professionals in the beginning, they may provide insights to problems before they are enshrined in code. Security can then be built into the system architecture to make it secure from the start and very often faster. You see, sometimes the non-security folks add complexity to a system in the belief that complexity somehow increases security. This is not true. The best security is slick, fast and easy to use. It takes work and creativity to accomplish this, but you and your team are up to the task if you have a Type 3 on your team.
The Type 3 cyber security folks will also come up with some off-the-wall knowledge that may astound many. For example, they may suggest that some developers stop using old compilers that introduce security vulnerabilities, and change to more modern and secure compilers. (Are you listening Microsoft?)
Or the Type 3 person may point out that a standard programming routine that everyone now uses in their code is actually easily fooled into elevating hackers user privileges, and suggest a more secure method of programming.
And finally, their knowledge of how to use clever cryptographic signatures, rather than highly sensitive information, as primary keys often simply eliminates an entire host of weaknesses and security vulnerabilities.
Cooperation, building in security, and creating potentially faster and more secure systems is a win-win for all.
Look for type 3, lead them upstairs blinking in the light, give them Red Bull. Become their friend and they will even tell you how to change your router’s master password.