A plethora of security articles has appeared in the mainstream IT press over the last few weeks that makes me believe that security is one of the new buzzwords that you can expect to hear a lot more about in 2016. As a security practitioner and someone who has done this for well over fifteen years it's bizarre how something that we do as business as usual is now getting some attention. For over a decade we were the people you didn't talk to, or if you did you did it through gritted teeth knowing we would try to hold you to a better standard or a greater ideal for the common good.
Any and all focus on security best practice is welcome. As we all watch the explosive growth of container-based cloud provisioning gather pace, it's reasonable to hope that this due diligence around security will filter down through programs in organisations, so that security is built in as a de facto standard building block and process rather than retrofitted to shore up poor code or poor deployment / management practices.
That's not to say that having the best security folk and best practices means you can't get hacked by an internal or external threat, or fall prey to a security vulnerability. What it does mean is that you have a plan: how to react, how to behave during an outage, what steps to take during the fix process, and how to learn from that experience and grow from it. Sharing that knowledge is even more important in the Open Source space.
Please though, don't fall into a trap. Having a CISSP does not make you a security professional. Having a CISSP on your staff says you have someone who can pass an exam, and who understands the impact that a proprietary network environment, elevated threat levels, and your capacity to react to someone hosing your Cisco / Juniper / (add other vendor kit here) will have on your ability to provide service.
Any qualification that allows its students to stay qualified by collecting points for attending conferences is devalued by the stupid brand marketing folk who allow such a practice. I've met some great people who also had CISSPs, and I've also met some self-styled pen testers, auditors and "security professionals" with CISSPs and other exam qualifications who collectively couldn't find their arse with both hands. Those same people knew how to pass exams but had never had actual real-time experience in the trenches with developers and operational datacentre folk, getting up to speed with emerging threats.
Certification is important. Want to hire good folk, or get your CISSP folk up to speed with real-life threats from bleeding-edge threat actors that impact actual platforms now? Get them to sign up and study for the CCSK exam. Amazon get their staff to, so do Microsoft and HP, and I personally rate the material and the exam. It will get your staff to a point where you have a proper belts-and-braces ability to deal with a threat and react in real time rather than in a post mortem. No, this isn't an advert for the Cloud Security Alliance or a trolling attack on CISSPs; it's a call to arms to employers to look outside the box, because sadly the hackers are better qualified than ever before.
So while you're eating your Thanksgiving meal or preparing for a quiet Christmas, think about how you can increase your security skills, and maybe also think about joining an Open Source project to see how security issues and vulnerabilities are managed in the wild.
Happy Thanksgiving 2015 and have a great time with your families.