I finally realized one of the things that bugs me about most security "certifications" out there. Computer security is warfare. No, really, it's war. There's an opponent who doesn't care about you, doesn't play by the rules, and wants to screw you as fully as possible. 1/

Now, you can do pretty well as a programmer or sysadmin if you're middle of the road, because that's not an adversarial game. Security _is_ adversarial. In warfare, you don't survive if you're second rate, you die. 2/

You don't want to fight for a second rate general, either, he'll get you killed. Computer Security is pretty much the same deal. There's a smart, skilled, ruthless opponent, and you need to be smarter, more skilled, more ruthless. 3/

And it's just not possible for everyone to be above average. In fact, these days, a shocking fraction of "security professionals" I interview can't even program, can't tell you what a buffer overflow is or how SQL injection works or what XSS is. Like, at all. 4/

I had a guy tell me, while I was interviewing, "gee, I knew this for my CISSP, but I've forgotten." Well, no, this isn't about signaling the way college was, you needed to learn that stuff _and remember it permanently_. You can't just learn for the exam. Only most people do. 5/

And who is on the other side of these guys? People who know very well what a buffer overflow is, and people who eat and breathe exploits, and people who know just how bad your staff is. People who aren't going to nerf their attacks just because your side is unarmed. 6/

What happens in combat to the side whose soldiers don't know what end of the gun to point at the enemy? They don't survive. Same thing in information security. If you're having trouble getting your CSS quite right, you get all the chances you want. But this is adversarial. 7/

And even among the people who _are_ reasonably smart, and have technical skills, not everyone has the right instincts. You need to see what the holes in your defenses are, which means you need to think like an attacker. 8/

And quite frankly, most people just don't have that in their blood. They can't look at an object in their midst and think of 20 ways to use it to cause mayhem or destruction. So you need to be _better_ than normal CS types _and_ you need to have the adversarial stance. 9/

Now what do I learn when I see that someone has a CISSP? That at one point, for a brief period, they managed to get a passing score on a standardized test. Not that they know the material _now_. Not that they have the stuff in their blood. 10/

Now I know what you're thinking. "Aren't you being a little harsh? I mean, the average company doesn't have people who are that good." And then you pick up the newspaper, and see that even the EU can't keep its diplomatic communications safe, they got stolen. 11/

Most organizations have terrible security. You don't want to use average companies as exemplars. The average company is going to end up on the front page of the Times or the Journal because they believe they don't need better people and don't need to patch twice a day. 12/

This is warfare, and you're facing _professionals_, who are paid to spend their time, all day long, figuring out how to shiv you silently while you're not expecting it. Remember that. _Paid professionals_. _High quality paid professionals._ 13/

Most people just don't have that mindset. Especially not senior management, who still ask silly things like "we're a hotel chain, we sell paint, why would anyone try to break into our systems?" They don't think about the problem the right way. 14/

I worry that by the time most organizations get that what they're doing isn't hiring an accounting clerk but hiring a talented officer/engineer with a taste for blood, we might not have a civilization left to defend. Getting the message out is also, it seems, really hard. 15/15