I come from the realm of academia where the bell curve is a well-known and much-discussed distribution model. The bell curve was commonly used for grading students, based on the standard deviation from the mode score. This is where the term “Grading on a curve” comes from. Grading on a curve is described by Wikipedia as:
What is interesting about people who have been graded on a bell curve is that they become very familiar with the concept of standard deviation. Standard deviation is a statistical term that measures how much variation or dispersion exists from the mean average. The larger the standard deviation, the larger the difference between each end of our bell curve. A simple example that most parents are familiar with is a child’s first year of checkups at the doctor’s office. The doctor provides information about a child’s height, weight, and head size, and reports on the child’s placement and standard deviation. For example, my daughter was in the 50th percentile of weight by her third month, meaning she was more or less exactly average in weight. As noted, my daughter was measured across three metrics: height, weight, and head diameter. She scored very differently in all of these categories and ranged from above average in height, to average in weight, to below average in head diameter. This variance in specific metrics is extremely common and something that we often see in the realm of IT skillsets. Most of us are familiar with the concept of subject-specific variance, but, for some reason, organizations tend to assume that because Bob is a great Windows administrator he must also be a good programmer. Although it’s often true that an intelligent individual is intelligent in multiple related fields, it’s also common that the lack of specialization will cause the job function to vary throughout a person’s career. To offer a final personal example, I have always been near the top of the curve in logic skills but much closer to the bottom of the curve in “grammer” skills (the misspelling of grammar was not originally intentional, but it proves the point well), both of which are required for my job. I must be able to not only understand a program, but also be able to document and articulate logistical problems to customers in a clear and concise manner.
The point I am making is simple: most of us have a variety of work-related skills, but some of these skills are above average while, conversely, others are below average. Take a quick look around your office. The reality is that we hire people on the principle that different people bring varying levels of skill. Hopefully, we work for a company that does a good job of properly placing personnel. If so, then we hire people with strong accounting skills and make them accountants, and we take individuals with strong management skills and make them managers. In the realm of Information Technology (IT), and especially IT security, this becomes an even more interesting conversation. Within IT and IT security there are a large number of knowledge-specific contexts. There is an ever-growing number of not only programming languages but also development frameworks that require understanding of both specific syntax and context. The security implications of this reality require an even more in-depth knowledge of frameworks and context. Furthermore, the group of individuals assigned to any one taskforce often has access to a large distribution of skills within that group. Fifty percent of the team members within the group will be above the group average and fifty percent will be below. To be clear, this mean score absolutely does not imply that 50% of your development team is inadequate; it simply means that 50% of the group is underperforming compared to the group’s normal distribution. Or, in other words, every other person you meet within any given group is below average for the group in any given skillset. We should consider how this may impact the security posture of our enterprise.
Insider Threat Modeling
To bring this conversation back to the realm of IT security, it is fairly common knowledge that the insider threat is one of the largest concerns, if not the largest, within any large enterprise organization. Although we have often heard of the angry admin, we don’t often consider the unintentional threat. Let’s be honest: it’s difficult for individuals and corporations to accurately self-reflect and identify potential weaknesses. Although this may be difficult, it doesn’t negate the need. We must account for our potential shortcomings and their security ramifications, both as individuals and as corporations. I don’t believe the following is an exhaustive list, but here are some interesting questions that we would like each enterprise to consider:
- Are my below-average developers working on projects that require above average skills?
- Are my below-average system administrators deploying IT solutions that are business critical?
- Are my below-average personnel adequately supported by policies, procedures, budgets, schedules, and other means to deliver work-products of acceptable quality?
- Are any of my above-average developers below average in security-mindedness?
- Are any of my personnel with below-average security-mindedness working on projects or solutions that require high-assurance security-mindedness?
Training and Assessment
As a personal aside, I believe that many of the world’s problems boil down to a lack of education and training. Addressing IT security and a secure development life cycle is certainly an issue that requires proper education and training. To put it bluntly, if everyone were properly educated and trained on how to securely perform their required job tasks, then CA Veracode would be out of business. Yet IT security is a rapidly expanding field. The business of training developers and appropriate staff on security is a growing concern for organizations, to the point that it is creating a new market space. Companies like Mad-Wise are now offering general training materials and security content that many employees across multiple industries receive as part of corporate required security training. Typically we watch a short film and then we are asked some very generic multiple-choice questions about the security videos that we recently viewed. I would like to be clear that I believe these videos and training are important and necessary. I would also like to be clear that they do not provide the information we need to answer the questions that I am proposing enterprises should ask themselves. In addition to our annual security due-diligence reminders, we also need in-depth security assessment that is relevant to the context of each employee’s relationship to enterprise security. We do not need to assess the night watchman for his ability to prevent SQL injection. It is, however, critical that he understands physical security and the appropriate measures for staying alert to maintain a secured physical perimeter. This security assessment should strive to identify an acceptable baseline as well as a ranking of employees for required core competencies.
The goal of this ranking should not be to chastise any employee that is lacking, but to identify areas in which the company is inadequately training, and to be aware of flaws that the lack of training has introduced into the organization. Although we do need to take stock of our employees’ job-relevant skills, corporations also need to take ownership when skillsets are deficient. After all, it was a corporate decision to hire and train the personnel as an initial investment in the corporation. It is reasonable to expect the corporation to provide a means for ongoing education and training to ensure that employees remain competent for core job tasks. This is especially relevant as job responsibilities evolve and change. If the company and its IT ecosystem are to evolve, it behooves the company to ensure personnel are appropriately informed, trained, and equipped to perform their job functions to the best of their ability.
If we ask the right questions and accurately assess the corporate skillsets we have available to us, we then have enough information to start addressing the curve of skillsets at a corporate level. As an Application Security Consultant with CA Veracode, I have seen numerous organizations fail to inventory and offer training resources. I have also had the good fortune of seeing some organizations actively participate in proactive security assessment and training. These latter organizations not only accurately assess their human resources and identify leaders, but also identify the strengths and weaknesses of each individual. In short, some enterprises identify skills within individuals because they understand that some individuals may be strong in certain skillsets and languages while needing training in others. Ideally we would compare the assessed skillsets that we have against the industry as a whole (so that we could know we are above average). However, the lack of detailed, publicly available security skillset information makes this difficult. When the assessment of strengths and weaknesses is completed, we can begin to understand the risk that lacking skills may present to the enterprise. When this information is coupled with an open culture of training and consistent improvement, versus a culture of segregation and elitism, we can begin to raise the skillsets of those below average to an average for the job-required skills. Through the magic of statistical analysis, we will always face a future in which half our developers are below average, but we will have raised our average versus that of the industry at large, making the majority of our developers and the products they create superior within that broader context. To provide an open culture that raises the skills of all employees, it’s important to have open pathways to receive security training and assistance that encourage employees to recognize and expose weaknesses.
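The following is an added example (not from the original post or CA Veracode) of what a per-competency assessment ranking looks like in code: it standardizes each person's scores against the group, measures how unevenly one person's skills are spread across competencies, and flags the project-assignment mismatches that the insider-threat questions above describe. All names, scores, projects and assurance requirements are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed assessment results: score per person per core competency.
SCORES = {
    "alice": {"coding": 88, "sysadmin": 61, "security": 72},
    "bob":   {"coding": 94, "sysadmin": 70, "security": 48},
    "carol": {"coding": 67, "sysadmin": 90, "security": 81},
    "dave":  {"coding": 58, "sysadmin": 55, "security": 66},
    "erin":  {"coding": 75, "sysadmin": 83, "security": 90},
}
# Constructed assignments, and the competencies each project requires at
# high assurance (defined here as: at or above the group mean).
ASSIGNMENTS = {"alice": "payments", "bob": "payments", "carol": "intranet",
               "dave": "payments", "erin": "intranet"}
HIGH_ASSURANCE = {"payments": {"coding", "security"}, "intranet": set()}


def z_scores(scores):
    """Standard score of each person in each competency relative to the
    group; z < 0 means below the group mean for that skill. The population
    standard deviation is used because the group is the whole population."""
    comps = sorted({c for s in scores.values() for c in s})
    out = {p: {} for p in scores}
    for c in comps:
        vals = [scores[p][c] for p in scores]
        mu, sd = mean(vals), pstdev(vals)
        for p in scores:
            out[p][c] = 0.0 if sd == 0 else (scores[p][c] - mu) / sd
    return out


def skill_spread(z):
    """Range of each person's z-scores across competencies: a large value is
    the post's strong developer who is nonetheless weak in security."""
    return {p: max(v.values()) - min(v.values()) for p, v in z.items()}


def mismatches(z, assignments, high_assurance):
    """People below the group mean in a competency that their project
    requires at high assurance (questions 1, 4 and 5 in the post)."""
    found = []
    for person, project in assignments.items():
        for comp in sorted(high_assurance.get(project, ())):
            if z[person][comp] < 0:
                found.append((person, project, comp))
    return found
```

With the constructed data, bob is the above-average coder who is below average in security on a high-assurance project, and dave is below the group mean in both required competencies.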
Furthermore, it’s essential that a path to group or individual training is available to those identified as needing it, so that the group average in a particular skillset can be raised. Without open paths for individuals to improve their security-relevant skillsets, we are allowing the enterprise to remain at risk from the lack of skills required to create a secure enterprise.
It’s important to recognize there will always be above-average and below-average people within an enterprise. Ignoring this fact can have implications on our enterprise security. If we remain afraid to face our own weaknesses, we are actually creating risk within our organization. By taking an honest look in the mirror at a corporate level and aiming to better ourselves, we can improve our overall security.