15 tweets, 3 min read
I finally realized one of the things that bugs me about most security "certifications" out there. Computer security is warfare. No, really, it's war. There's an opponent who doesn't care about you, doesn't play by the rules, and wants to screw you as fully as possible. 1/
Now, you can do pretty well as a programmer or sysadmin if you're middle of the road, because that's not an adversarial game. Security _is_ adversarial. In warfare, you don't survive if you're second-rate; you die. 2/
You don't want to fight for a second-rate general, either; he'll get you killed. Computer security is pretty much the same deal. There's a smart, skilled, ruthless opponent, and you need to be smarter, more skilled, more ruthless. 3/
And it's just not possible for everyone to be above average. In fact, these days, a shocking fraction of "security professionals" I interview can't even program, can't tell you what a buffer overflow is or how SQL injection works or what XSS is. Like, at all. 4/
I had a guy tell me, while I was interviewing, "gee, I knew this for my CISSP, but I've forgotten." Well, no, this isn't about signaling the way college was, you needed to learn that stuff _and remember it permanently_. You can't just learn for the exam. Only most people do. 5/
And who is on the other side of these guys? People who know very well what a buffer overflow is, and people who eat and breathe exploits, and people who know just how bad your staff is. People who aren't going to nerf their attacks just because your side is unarmed. 6/
What happens in combat to the side whose soldiers don't know what end of the gun to point at the enemy? They don't survive. Same thing in information security. If you're having trouble getting your CSS quite right, you get all the chances you want. But this is adversarial. 7/
And even among the people who _are_ reasonably smart, and have technical skills, not everyone has the right instincts. You need to see what the holes in your defenses are, which means you need to think like an attacker. 8/
And quite frankly, most people just don't have that in their blood. They can't look at an object in their midst and think of 20 ways to use it to cause mayhem or destruction. So you need to be _better_ than normal CS types _and_ you need to have the adversarial stance. 9/
Now what do I learn when I see that someone has a CISSP? That at one point, for a brief period, they managed to get a passing score on a standardized test. Not that they know the material _now_. Not that they have the stuff in their blood. 10/
Now I know what you're thinking. "Aren't you being a little harsh? I mean, the average company doesn't have people who are that good." And then you pick up the newspaper and see that even the EU can't keep its diplomatic communications safe; they got stolen. 11/
Most organizations have terrible security. You don't want to use average companies as exemplars. The average company is going to end up on the front page of the Times or the Journal because they believe they don't need better people and don't need to patch twice a day. 12/
This is warfare, and you're facing _professionals_, who are paid to spend their time, all day long, figuring out how to shiv you silently while you're not expecting it. Remember that. _Paid professionals_. _High quality paid professionals._ 13/
Most people just don't have that mindset. Especially not senior management, who still ask silly things like "we're a hotel chain, we sell paint, why would anyone try to break into our systems?" They don't think about the problem the right way. 14/
I worry that by the time most organizations get that what they're doing isn't hiring an accounting clerk but hiring a talented officer/engineer with a taste for blood, we might not have a civilization left to defend. Getting the message out is also, it seems, really hard. 15/15
Author: Perry E. Metzger