Archive for July, 2010

Human Capital Crisis – v6.

July 28th, 2010 jmolini

Another group of computer security sages has evaluated the information security situation worldwide and proposed finding and training more technical security professionals.  You can find the CSIS report here.  Look back on the history of information security and you’ll find that this is at least the 6th crisis in human capital we’ve faced.  The emphasis this time (as has been stated before) is on hiring and training technical professionals who can perform security incident response and defense against the escalating attacks on national infrastructure.

I have to admit that my first reaction to this document was to think that they are saying, “The pipes in our building have been leaking for years.  We have to find more plumbers!”  It seemed that they were saying that finding more humans to address technology problems was essential.  I’m not sure that we have the option to scale our human resources like this.

They compare the crisis to 19th-century medicine, but there is a flaw in that argument. We didn’t engineer the 19th-century human.  I’d say that the problem is more similar to the early 20th-century automobile manufacturing process.  Henry Ford solved the problem of escalating complexity of manufacturing by standardizing and componentizing the design.  We should do the same for Internet security.  I’ve already talked about an idea for Digital Borders.  There are other ways to significantly reduce the number of attacks coming across the wire, and it’s clear that we could cut the amount of crime in half with the money we’re currently spending on monitoring alone.  Some people will scream, but that’s the Internet. Right?

I wish people would speak more about ways to solve technology problems with technology, but I guess I’m an inherent optimist.  We could engineer our way out of many of our security problems, but I will also admit that it’s probably easier to just hire more plumbers.

Of course, it is also summertime and this is a blog, so I’ll answer the other side of their argument in my next post.  In a couple of days, I’ll address their concerns about the current state of certification.  In the meantime, please let me know if you agree or disagree with my first take on the issue.

Jim Molini, CISSP, CSSLP

Categories: Software Security