Are your IT guys QUALIFIED to take care of your security?
The tech sector works better than any other in the global economy. Why? Tech is the only sector that makes its products better, faster, and cheaper every single year. Today, a person who lives below the poverty line can walk out of a store with a smartphone containing so many transistors that, 30 years ago, it would have taken up a city block and cost millions of dollars. No other sector of the economy does this, and most actually do the opposite (healthcare and education, for instance).
Moore’s Law notwithstanding, the reason for the unparalleled progress of the tech sector is the lack of government regulations; tech is anarchic in nature – it is completely self-governed by voluntarily created standards from bodies such as the IEEE, EIA/TIA, and ISO (to name just a few). Apart from fire/life/safety, there are basically no laws which dictate how the tech sector operates. Think about that for a moment – no laws.
However, this comes with a trade-off: because neither IT people nor IT security people (which are very different disciplines) are licensed, it is up to consumers and business owners to choose competent people to provide the IT and IT security services they need. Your accountant, your lawyer, teachers – even your hair stylist – are all licensed by the government in one way or another. It’s also no secret that American businesses are under attack by organized cyber-criminals; this fact is in the news every single day.
When you hire someone to work on your computers and network, hard questions need to be asked.
- Do they have a college degree?
- What professional certifications do they have?
- How many years have they been practicing security?
- Do they really understand the concept of risk management, or are they going to just install a bunch of “security” boxes?
- Do they actually understand the tools they are using, or do they just run “automated scans”?
When you hire an accountant, you look for a CPA; this fact is common knowledge. But what do you look for when hiring a security practitioner? While there is no government-sanctioned licensing, there are several very respectable certifications that you can ask about. One of the best known is the CISSP (Certified Information Systems Security Professional) – a grueling six-hour test that costs $600. Other certifications to look for are the CISM (Certified Information Security Manager) and the GSEC (GIAC Security Essentials). Also, be mindful of more entry-level certifications such as the Security+ or Network+ – these are a great starting point, but you would not let a dental hygienist perform a root canal.
Cyber security is a specialty, not unlike a medical specialty. You would not see your doctor for a heart problem; you would see a cardiologist (who started out as a doctor). The burden is on you to choose qualified security people, because the government does not license them in any way.
Choose wisely.