February 20, 2008 - #45
Mike's Pep Talk:
In a perfect world, security begins at the beginning of time. Unfortunately, as AndyITGuy points out [1], the world is far from perfect.
In today's Pep Talk, let's revisit the skills that are absolutely critical to being a successful security professional. First, let's focus on the technical stuff. You need to understand web applications and a bit about web application security. That is going to be the attack vector that is most commonly used for the next few years. Go get that JavaScript book and make sure you understand the fundamentals of AJAX and can see how an XSS happens. You'll also want to familiarize yourself with CSRF attacks.
But that's the easy stuff. As I mentioned in the 2007 Incite called "CSO Next", the technical stuff is not going to determine success or failure for today's security professional. It's the ability to persuade, cajole, stiff-arm, and ultimately get the other senior managers (both within and outside of IT) on board with the need to think about security early in the process.
Back to Andy's situation, because we can all learn from his post. First of all, change doesn't happen overnight. Yet with persistence and consistent effort, it will happen. Andy started with a few project managers, and then got some structural process change (his signature required to deploy an application). As long as he doesn't position security as Dr. No or yet another hurdle to jump over, his rock is rolling downhill. It will gather speed, and within a reasonable planning horizon (it could be months or years depending on the culture) security will be an intrinsic part of all technology efforts. And that is definitely a hallmark of CSO Next.
Photo credit: Gari.baldi [2]