I was approached about a job recently by a company I have worked with in the past. While speaking with the recruiter, he told me that one aspect of the position was Identity and Access Management (IAM). He then told me that the client had specifically told him that “This job is NOT related to IT security at all – specifically, ‘we do not want to hire a security person.’”
When I laughed, he asked me what was so amusing. I explained to him that most large organizations have a cybersecurity department that holds the overall responsibility for cybersecurity, but that does not change the fact that anyone at the level we are discussing – in fact, anyone at any respectable level in the IT space – must be, to at least some degree, a security person. There are absolutely no exceptions to that rule.
In the modern world there are too many threats to our organizational integrity not to think about security in everything we do. A few examples:
- An IAM manager must not create an account or grant access without the due diligence to ensure that the request is authorized, that the access granted follows the principle of least privilege, and that the credentials are delivered to the user in a secure manner.
- A server administrator must not deploy a server without hardening it, putting the proper protections in place, and ensuring that it is properly patched and maintained.
- An application developer must not write insecure code and then hope that cyber threat actors will not find the weaknesses.
The list goes on and on. Cybersecurity is everyone’s business, and while not everyone needs to be a CISSP, every single IT professional needs to be well versed in secure computing. Come to think of it, so should every single computer user.
In the physical world it is easy to see where dangers may lurk, and if you are aware of them it is possible to reduce the risk of falling prey to them. We look both ways and cross the street with the signal so we won’t get hit by cars; we don’t walk through dangerous neighbourhoods. The list goes on, but in truth the threats in the physical world (what some call meatspace) are quite limited in comparison to the threats in cyberspace. A burglar needs to be in your immediate geography; a cyber intruder can be on the other side of the planet.
You get the picture. We need to educate ourselves and our users about the steps we need to take to keep ourselves safe… but before we do that we need to be sure that the systems we implement are secure. We cannot ask users to keep our data secure if the systems we give them are not secure.
I currently have at least eight cybersecurity certifications. That might make me more of a ‘security person’ than the average candidate for the position in question; that does not mean that every other candidate should not be at least a little bit of a security person. At the very least, they should take a Security+ class, or go through the ISC2 training to become Certified in Cybersecurity. Why? None of us knows what we do not know. Cybersecurity is everyone’s business. A user who does not take care of their system is a disaster waiting to happen for the organization; an IT administrator who does not make sure the systems are as secure as they can be is, with today’s threat landscape, turning your business into the easiest target for every cyber criminal out there.