Fallacies in Cyber Capabilities

Author Note: I originally posted a thread talking about how I think we have a “capabilities bias” in cyber. In reality, the post should have been about a “capabilities fallacy” more than a “bias”. The good news is that the post generated an amazing conversation and led me to think through some of my arguments. In this post, I have reworked, repackaged, and expanded upon my original points based on the discussion that they generated. Hopefully this one will be a bit more accurate and thorough. I look forward to a new line of thinking and greater collaboration in exploring these thoughts. - Andy

I think we have a few "capabilities fallacies" in cyber that are partially driving the skills gap conversation. The capabilities fallacies include:

1) The assumption that every cyber analyst should know every skill. Everyone is looking for the candidates that are network analysts, host analysts, reverse engineers, coders of their own tools in nine languages, and amazing briefers and writers. This is the magic "unicorn analyst". It is not a skills problem; it is an expectations problem. We need to build teams with complementary skillsets so that (a) the mission is supported and executed effectively and (b) analysts have an opportunity to learn new skills from each other and further strengthen the overall team's capabilities.

2) Every SOC/NOC/enterprise/lab exposes you to the same tools and has the most advanced technology and processes being presented at RSA, BlackHat, and BSides. Let's be honest: tech is awesome, but the only real tool that is used across 99% of work environments is Microsoft Office, and experience levels vary for those tools too. It is unfair to expect that candidates will have experience on toolsets that you bought or built for your environment. We should be looking at the analysts' knowledge of process and concept over specific tools. "Can you explain the theory of firewall management?" is a far better question than "Do you know how to use firewall X?". Pay attention to the transferable security skills instead of the proprietary ones.

3) Every analyst on the team should have the same level of knowledge as their teammates. The reality is that teams should have a pyramid of skills, with a baseline knowledge base across your junior analysts and a tiered level of skills and knowledge as you go up the chain of analysts. Admitting this fact and designing teams this way ensures that (a) analysts have a clear chain of command for questions, guidance, and workflow and (b) analysts can clearly see that they have growth opportunity in the organization.

4) It only takes a great leader to manage a cybersecurity workforce, and relevant experience does not matter for senior leaders in cyber. We often see this in leaders that have amazing experience and track records in running different business lines. While I do not mean to diminish their efforts in their previous domains or in cyber, we as a community need to raise leaders from within our ranks that understand our challenges and our capabilities. The negative side of this fallacy is often seen when senior leaders ignore the advice of their Subject Matter Experts (SMEs) because the SME may have a difficult time explaining a complex situation to the uninitiated senior leader. We hear this in their responses of "But did you see the vendor demo that does X?" or "I used this tool at my last location, so we're going to purchase and implement it here too!". Cyber is a unique experience at each and every location. One size does not fit all. We need leaders that are willing to grow with the organization, not hop from job to job like a frog going from lily pad to lily pad on their way across the market. Past experiences should not be ignored; they can be a great strength, but they can also reinforce biases toward solutions that do not work in the present situation.

5) Recruiters should know exactly what we need in candidates, and it is their fault that we are not hiring the right people. FALSE. Half the time we don't know exactly what skills we are looking for when filling positions. How can we expect a recruiter to find the perfect candidate when we give them a list of competing skillsets (see points 1-3 above)? Telling your recruiter that you want a candidate with ten years of Windows 10 experience may be setting them up for failure, just a thought. Try being a bit strategic and realistic when setting up your recruiting efforts. Collaborate with them frequently and tune them like you would a sensor to reduce the false positives you're getting in your candidate pool.

6) We need more candidates with CISSP and CEH certificates for our SOC. Possibly false, depending on where you draw the line between your SOC and your general IT staff. The point here is that I see a lot of positions seeking candidates with a CEH (or a number of other certificates) that are not even close to being relevant to the position itself. My preference would be to lean on networking certificates for my CND personnel over attack certificates. I believe that it is far more important for a SOC analyst to understand how a network works than it is for them to understand how to attack a network. I keep seeing post after post on LinkedIn about "how to get into cyber", and the recurring recommendation is to set up a home lab with a few VMs and a Kali machine. Honestly, how many SOCs are running Kali? We need DEFENDERS.

Chad Hein

Cyber Analyst / Strategist / Thinker / Doer

7 years ago

Great thoughts, and you know I generally agree with all. As for #3, I like to think of teams more as big Venn diagrams rather than pyramids. As you point out in #1, there are so many different specialty areas in the cyber arena, and everyone comes from different backgrounds and brings different experience. For example, doing network/intrusion analysis on a 500-node enclave is a bit different than doing network/intrusion analysis at the perimeter of a 5,000,000-node enterprise of enterprises; some of the concepts & skills are the same, but the perspective and thought process can be radically different. Similarly with passive monitoring vs. active response, impartial assessment or advisory services vs. vested development of policy or execution of mitigation actions, etc. While there will always be some basic junior->senior growth curve, I like the idea of a diverse team whose members bring an array of both duplicative core and diverse complementary talents to bear. I feel like every member of a team should be continuously learning from each other in one way or another.
