Comments
Why Don't IT Generalists Understand Security?
dsweil35,
User Rank: Apprentice
9/23/2015 | 1:08:50 PM
Entry into Info Sec is difficult.

I have lots of coworkers who are IT Gen. like myself, but have no interest in security or even care about it. Their only concern is getting what they need to do done quickly and efficiently. I, on the other hand, am intrigued by security, but am limited by what few certs I can get and book knowledge I can obtain; getting actual experience is almost impossible. Companies expect to hire fully formed professionals with all the knowledge that they will need. Even with growing security concerns and the use of cloud-based services to help with companies' security concerns, it seems there will need to be lots of new professionals in the industry to meet the demands of the market with the increased rate and severity of attacks. The only issue is there are very few entries into the security world. Companies are not likely to spend money on training IT pros to do the work that is needed, so the industry needs to create people that meet those needs and create better training to get users up to speed with current Sec Pros.

gautamnandy01,
User Rank: Apprentice
7/9/2015 | 5:09:30 AM
Re: IT professionals
The IT Generalist does not want to deal with security.
anirudhsingh1,
User Rank: Apprentice
7/8/2015 | 3:43:15 AM
Re: IT Generalists Can Understand Security But Should They?
great news
shirishkunder re,
User Rank: Apprentice
7/7/2015 | 4:01:57 AM
Re: IT Generalists Can Understand Security But Should They?
Although I do agree that Risk Management is a critical part of Information Security, I'm not sold on renaming it as such.
RetiredUser,
User Rank: Ninja
11/4/2014 | 3:47:08 PM
IT Generalists Can Understand Security But Should They?
I started out in the 90s building my own systems (early Red Hat, Slackware and Radio Shack) because I couldn't afford license fees for the software everyone else I knew was using.  That led to work in the industry as a software tester, then builder and automation engineer, to project manager and build/release manager.  Now I'm on my way back down in the tech trenches, doing builds and testing and a host of fun security-related tech at home.  It's fair to say that since the 90s I became an "IT generalist" over time, with a minor specialty at each new job.  However, going back down the ladder, I'm learning that while my experience across the board in IT helps me appreciate what everyone else does, it doesn't mean I should formulate opinions or direct others to do things within their area of expertise.  In fact, I feel more strongly today about "each thing (or resource) in its place" than ever.  I liken IT Security to the military, and I think that all of us "generalists" don't need to understand security more deeply than this:  Shut up and listen to your IT Security team.  They are there to keep your data safe and maintain the integrity of the company you work for.  It's like being caught in a terror attack:  Do you need to understand why it's happening, or the mechanics of how the military sent in to protect you works?  No – respect the SMEs (subject matter experts) and jump when they tell you.

I think that is why I am so focused on software security now that I'm older.  Testing software opened up a new world to me and I broke lots of code; exploits could have been written off some of the results I got out of my stress testing.  Writing code for test automation also opened my eyes to a whole new world of tech, and built appreciation for programmers and what they do; especially from the perspective of writing secure code.  But never once did I feel I "understood" security and could speak to it as an expert.  I shut up and I do what the security teams tell me to do, from patching my systems to cease/desist orders against my ISO downloads :-)  Do I want to understand it fully?  Sure – and I have lots of lab time in over the last couple years that has allowed me to develop both practical systems security knowledge and combative security tactics.  But I'm still proud to be an "IT generalist" because my brain is just too interested in too many things tech to stay on one track for long.

Why don't IT generalists understand security?  Maybe because they shouldn't have to.  They can, but really all that's important is that they respect that IT security is a necessary function, and that when they are told by someone from that function to do something that will protect them and their office mates, they do it.
ODA155,
User Rank: Ninja
10/16/2014 | 10:57:07 AM
Re: Understanding
@Sara Peters

"You say that's going to change. How long do you think it will take?"

When we turn on the TV or come out to this site and read that senior people responsible for the care, management operation and security in some poorly secured data environment was hacked for 83 Million customer records, when they along with their CEOs and others responsible have been indicted for negligence. That's when it will change.
Marc Eggers,
User Rank: Strategist
10/15/2014 | 8:06:10 PM
IT Generalist - so bad?
As one of those "IT generalists" who has returned to my security roots and is delving back into it, I have to say that I think the issue is less a question of "Do IT Generalists understand security" as it is "Why don't we have more IT generalists who know what they are doing". Now, I am not talking about the business users who are considered generalists because they have superuser rights or can go into admin panels and change passwords, but I am talking about the IT Generalists who are able to support their company in any way that is needed.

I think that there needs to be a return to the generalist mentality. Hear me out before you decry my statement. I am not advocating a return to the single person IT department, but I do think that cross-functional understanding improves everyone's performance and facilitates communication so that everyone is on the same page. How often has there been a problem because a programmer didn't build in enough security assuming that the firewall or vpn would protect them? How often has a firewall been misconfigured because it was quicker or easier to get it up and running that way? How often has a project been completed only to have someone find an architectural concern or security flaw in the design that would have been able to be eliminated from the start had input been sought from someone in a different sector?

It is disheartening to see the silos that are built up around all the different areas of IT. How often have you heard a programmer design a website or an application that does not understand assembler or network protocols? Or a system admin who doesn't question why their server is running at 75% memory usage but just throws more memory at the problem? Colleges these days are teaching programming in a very slapdash manner to get more people out there coding, but so many do not understand how the computer works to understand the difference between an int and a long, strcpy vs strncpy, varchar or nvarchar, etc. The list goes on and on. I have heard infosec professionals say that if every developer stopped using strcpy we would almost eliminate the entire class of vulnerabilities that rely on buffer overflows. Yet we still have developers using strcpy. We have websites that are still written to send the username and password directly to the database.

I don't think that everyone needs to know the nitty-gritty of encryption or NAT tables or SQL injection or whatever it happens to be, but I think that everyone should have a more than passing knowledge that these things exist so that everyone can support one another. Security can not be one person's responsibility without the support of the rest of the organization. Everyone having a broader understanding of others' roles, responsibilities, and most importantly capabilities allows us to layer security more comprehensively than a wrapper that is thrown on as an afterthought.  One of our biggest responsibilities in security is training others to be secure and bringing everyone together, and how can we bring everyone together if we aren't generalists enough to know what everyone else's skills and responsibilities are?
savoiadilucania,
User Rank: Moderator
10/15/2014 | 1:25:54 PM
Re: IT vs. InfoSec
@KillerB

"No more security as a bolt on."

This notion no longer seems tenable. Information technology systems are going through a massive phase of disintegration, where the security controls being provided are fully agnostic to the system itself. Vendors are providing discrete products to satisfy specialized security needs. The mentality that the platform provides the full panoply of security controls is antiquated and arguably defunct.

"If security is included up front we will significantly reduce the ridiculous flaws (Bash anyone) that show up."

I question this conclusion. The bug in bash was obscure, unique, and the consequence of poor programming. I don't know what could have been done 20+ years ago to identify it. And quite honestly the bug would have been far less devastating if there were not so many interdependencies between applications and the underlying operating system.

"Open source, freeware, whatever you want to call it should give you pause"

I do not want to resurrect the open vs. closed source debate in this forum but will point out that, just as my "German" automobile contains Chinese/Taiwanese electronics and was assembled in Mexico, the "closed source" product in your environment most definitely contains a variety of open source code and even code purchased from others.
savoiadilucania,
User Rank: Moderator
10/15/2014 | 11:33:25 AM
Meh
Information technology generalists don't understand security because they don't understand information technology.
Sara Peters,
User Rank: Author
10/13/2014 | 12:34:15 PM
Re: There's no middle ground
@bearinboulder  Great, great points. I'd considered how this chicken-egg problem -- can't get a job without security certs and can't get the certs without the job -- affects the so-called "security skills shortage." But I hadn't thought about how that issue impacts how security is viewed/treated within an organization.