Advice to Security Pros: Learn Chinese
Career Insights from Stephen Northcutt, CEO of SANS
Further, Northcutt advises, "Learn and live by the security axiom: protection is ideal, but detection is a must."
In an exclusive interview on careers in information security, Northcutt shares insights on:
- How he started his career;
- Opportunities and gaps he sees in our professional training system;
- Advice to today's security practitioners.
SANS Technology Institute is a postgraduate level IT Security College, and Northcutt, its CEO, is an acknowledged expert in training and certification. He founded the Global Information Assurance Certification (GIAC) in 1999 to validate the real-world skills of IT security professionals. GIAC provides assurance that a certified individual has practical awareness, knowledge and skills in key areas of computer and network and software security.
Northcutt is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security 2nd Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials and Network Intrusion Detection 3rd edition. He was the original author of the Shadow Intrusion Detection system before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization.
UPASANA GUPTA: How did you start your career within education and training in information security?
STEPHEN NORTHCUTT: I had been working in Unix system administration and networking for 10 years before I accepted a position in information security. One of my first observations was that security seemed to be all art and no science. Experts would tell you what you could or could not do, but not why. At the time I was working at the NSWC Navy Lab at Dahlgren, and many in the population were engineers; they were very bright people, well educated, and they did not appreciate being told what to do without the reasoning behind the direction. We started a brown bag lunch series: you brought your lunch, and the training was over the lunch hour. We supplied home-baked cookies and milk and explained how a sniffer worked, right down to code examples, or the Power On Self Test steps for a Windows DOS system and why it was possible to insert malware in the boot-up sequence. It worked well and I have been a strong proponent of education ever since. Later, we even started our own conference series, ShadowCon, which is something I really miss being involved with.
GUPTA: What motivated you to establish the GIAC certification series?
NORTHCUTT: I moved from the Navy Lab to take a promotion at Missile Defense Agency (then called BMDO) and work in the security group there. To this day, I remember looking at a resume of a gentleman applying to be our lead IDS analyst. It showed a lot of high end experience, so we hired him. Then, it turned out that he had no practical skills. A few events like that firmly convinced me there needed to be a way to show that someone meets a minimum standard, and to that end I think the GIAC trustmark is extremely useful for employers. One of the things we wanted to do with both SANS and GIAC was to have training and certification which helped you do specific job tasks, such as manage IDS/IPS, configure a firewall in a perimeter, audit an IT system or perform a digital forensics investigation, because these are examples of tasks that you hire an employee to accomplish.
GUPTA: What factors do you attribute to your success?
NORTHCUTT: The success of SANS and GIAC comes down to one thing: hard work. We made the courses technically difficult and the exam process very challenging, in fact, too challenging in some cases, and that drew elite students, people who were willing to really dig in and learn practical hands-on techniques. And when they would meet their fellow students and realize they had a strong pragmatic technical bent in common, they got excited, and community began to form. And as people progressed in their careers and did their own original research, they became courseware authors and instructors, and we were able to increase the breadth of course offerings. It has been exciting to have a "front row seat" to watch people become thought leaders in information security. It is such a charge to have someone come up to you at an ISSA gathering or RSA and say, "I took your IDS course back in '92" and then realize they are a CISO today.
GUPTA: Where do you see both opportunities and gaps in our professional training system?
NORTHCUTT: Let me share opportunities first. One size does not fit all. I would love to be able to give a student exactly and only what they need. Do you remember The Matrix, when Trinity needs to learn to fly the helicopter and they download exactly that lesson? Well, I doubt we will get to that point in my lifetime, but hopefully in the next 18 months we will be able to do the first primitive efforts along this path. With psychometrics, a discipline of statistics that helps create far better exams, we should be able to develop assessment tests to determine what a person knows and then deliver a custom course that only covers what they need to learn.
The biggest gap isn't courseware or technology, it is management discipline. It is best illustrated by a quote in the recent CSIS document, A Human Capital Crisis in Security, by Sandia fellow Jim Gosler: "There are about 1,000 security people in the US who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000." I have no idea if this is correct or not -- I have my doubts -- but I am one of the managing partners at SANS, and we talk talent acquisition almost every week. Management has a responsibility to make sure the organization has the talented people that it needs to operate.
There are four keys here: cost, supply, fit and retention. If there are only two experts in the world on a skill you desperately need, you are going to pay a very high price for those experts. And if there is a reasonable supply of talent, your cost goes down. As to proper "fit", a certification means you meet a minimum standard, but if you have a certification to repair aircraft engines, you probably aren't a good fit for a job that needs expertise in digital forensics. Yet, we do this in security: We take someone with a general, broad-based certification like the CISSP or GSEC and say that is proof they have the qualifications for this job that needs specific skills. And lastly, for retention, we have to give them interesting work as well as train them. This is where the Gosler quote, if correct, is scary because it would indicate an epic failure on management's part to recruit and train.
GUPTA: What role does training play in defining the information security profession today?
NORTHCUTT: Training is the fastest way to learn a skill; it beats the heck out of trial and error. But we also need to make sure we have some way of assessing whether an individual simply sat in a classroom or, in fact, mastered skills. One type of training we need more of is on-the-job training, because that covers both the security skill and the policies and procedures of the particular environment. Be very careful about assuming that someone knows a subject area if they have never been trained or assessed. A couple of classic examples are: Unix/Linux admins thinking the fact that they have access to root means they know how to harden a box, or firewall administrators who think that just because they can drag-and-drop rules, the ruleset will actually work properly. In many cases, these individuals think they know what they are doing while, in reality, they are opening the doors to attackers.
GUPTA: What is your advice to up-and-coming security professionals?
NORTHCUTT: Learn Chinese; you are going to need it. Learn and live by the security axiom: protection is ideal, but detection is a must. Confidentiality, integrity and availability are always important, but master the skill of knowing which one is most important for a given business, system or file routine. The two most likely things to destroy your organization are a malicious insider and a failure in access control, so pay attention to those issues. Never be too busy to monitor new account creation, and if you don't have time to read the log files, take note of their size, and anytime they are abnormally small or large, make the time to peek at the contents. Start with either of the well-respected base certifications, CISSP or GSEC -- that will open doors for you. At this point it is almost impossible to know all the domains of security, so focus on one (endpoint security, digital forensics, incident response, etc.) that is important to your organization, and develop solid skills before learning another area.
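An added illustration, not part of the interview and not SANS or GIAC code, of two of the habits Northcutt recommends in his last answer: flagging a log file whose size is abnormally small or large compared with its own recent history, and noticing accounts that were created since the last check. The size history and the /etc/passwd-style snapshots are constructed sample data; the 3-MAD threshold is an assumed default.

```python
"""Cheap detection checks: abnormal log size and new account creation.
All sample data below is constructed for illustration."""
from statistics import median

# Constructed history of daily sizes (bytes) for one log file.
AUTH_LOG_HISTORY = [51_200, 49_800, 52_900, 50_100, 48_700, 53_400, 50_600]


def size_is_abnormal(history, today, k=3.0):
    """Robust outlier test: flag if |today - median| exceeds k scaled MADs.
    Using the median and MAD keeps one odd day in the history from
    masking a real anomaly. Returns (flag, reason)."""
    if len(history) < 3:
        return False, "not enough history"
    med = median(history)
    mad = median(abs(x - med) for x in history) * 1.4826  # scale to ~sigma
    if mad == 0:
        mad = max(med * 0.01, 1.0)  # perfectly flat history: allow 1% drift
    score = (today - med) / mad
    if score > k:
        return True, "abnormally large"
    if score < -k:
        return True, "abnormally small"
    return False, "within normal range"


# Constructed /etc/passwd-style snapshots taken on consecutive days.
PASSWD_YESTERDAY = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin"""
PASSWD_TODAY = PASSWD_YESTERDAY + "\nbackup2:x:0:1002::/home/backup2:/bin/bash"


def new_accounts(old_passwd, new_passwd):
    """Return (username, uid) for every account present now but not before."""
    def parse(text):
        rows = (line.split(":") for line in text.splitlines() if line.strip())
        return {r[0]: int(r[2]) for r in rows}
    old, new = parse(old_passwd), parse(new_passwd)
    return [(name, uid) for name, uid in new.items() if name not in old]


def uid0_accounts(accounts):
    """Any new account with UID 0 is root-equivalent and deserves a look now."""
    return [name for name, uid in accounts if uid == 0]


if __name__ == "__main__":
    print(size_is_abnormal(AUTH_LOG_HISTORY, 2_048))    # (True, 'abnormally small')
    print(size_is_abnormal(AUTH_LOG_HISTORY, 410_000))  # (True, 'abnormally large')
    added = new_accounts(PASSWD_YESTERDAY, PASSWD_TODAY)
    print(added, uid0_accounts(added))                  # [('backup2', 0)] ['backup2']
```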