There is no shortage of Infosec professionals.

There is no shortage of Infosec professionals, as recently bandied about in various news circles and blogs.  But there is a shortage of companies willing to pay for the talent.

Number wise, how many people attend Blackhat?  5,000?  How many people attend the two big US SANS events? 10,000?  And a lot of folks can’t make it every year, so the rough number is a lot larger.   Admittedly, most of them have jobs, or limited talents, but that’s the glory of a free market.  Pay them enough and they’ll come work for you.  It’s a good system, because the talent gets drawn to where the most demand is, and then lower position jobs come open, for personnel with lower skill sets.

The problem is, some people want the talent they get in a 10 year veteran, in a middle to low salary range.  Not going to happen.  It takes years to train people up in security.  There’s no magic certificate.  Security talent is less numerous than some professions because it’s *hard*.  Infosec folks never stop going to school.  Worse, school’s expensive.  It takes a lot of personal time to pick up the general skillset.  You can make a firewall technician fairly easily, but they won’t know how to spot a lot of attacks; you’ll be on the growth curve.

But there is no shortage of talent, just a shortage of cheap talent.

The Kato Method

Clouseau and Kato. Red Team and Blue Team. Building kaizen in to corporate security practices.

There’s a rule in operations that during an event, you are only going to be (at best) 50% as good as you were when practicing.  Which makes practice and critical evaluation very important to anyone in an incident response field.  Whether we’re talking law enforcement, fire response, or computer security, the same rule of thumb applies.  Most computer security response teams train informally, if at all, on an annual basis.  That’s not nearly good enough, otherwise your company wouldn’t fail that annual penetration test every year.

In the classic films about the Pink Panther, Inspector Clouseau’s butler Kato tries to keep his boss on his toes by constantly plotting surprise attacks.  The ongoing potential for conflict is Clouseau’s unorthodox training regimen.

While the Pink Panther was just a movie, there’s potential in the idea of having a Kato.  Because real computer security incidents happen infrequently, there is opportunity for practice by internal team members.  Most companies get their practice annually in the form of a penetration test, which isn’t nearly enough.  These tests usually involve external agencies, and transfer of knowledge is questionable at best.  There simply is not time during an engagement to provide the service and educate the client’s personnel.  Likewise, there may be annual training, but it’s limited, and thin, and not integrated into an ongoing practice, which means it atrophies.

But what if Kato was on your payroll?  If your internal security personnel were encouraged to test the defenses, they could learn a great deal.  What if they were given bonuses for gaining access?  Sure, they know the layout, that’s half the purpose; you might be a victim of knowledgeable hackers.  By having your internal people test on an ongoing basis, with appropriate protocols, naturally, you get into the habit of constant vigilance.  By trading off roles in the process, you ensure no one person becomes a bottleneck in the security profile.  Your company becomes much, much more capable.

And it’s great management.  You get a real opportunity to establish some team spirit, and boost individual pride.

Take a tip from an old movie, and get a Kato process going in your company.  Clouseau considered it a best practice.

This blog and it’s contents copyright 2010 Digital Trust, LLC.  All referenced trade mark and copyrighted materials are the property of their respective owners.  Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing.  Any republication or reuse is forbidden if the Digital Trust name or this paragraph is removed.