Some years ago, in a tower block not so far away, I had the privilege to take part in the first Top Gun event of the Institute of Information Security Professionals (IISP). Subsequent events which have built on this theme have delivered interesting anecdotal data.
At these highly entertaining and educational programmes, the IISP members form three groups: the hackers, the defenders, and the moderating control. The premise is simple: the defenders of the business act to protect their information assets from the hackers. The moderators keep the programme moving, steering the scenario accordingly to ensure challenging activities on both sides, fairness, and, within the bounds of Heisenberg, Schrödinger, et al., to make the goings-on as realistic as possible. Now I'm not going to go into the scenario, how it works in detail, or some of the rises and pitfalls that either reward or dog both sides. I would hope that one day every serious security professional has the opportunity to take part in the exercise. So if you want to know how to break the ice as the game gets more difficult, or you might want to know whether the Kobayashi Maru scenario can be applied, all I can say to you is, 'spoilers'!
The observed psychology of the players is thus: whilst the defenders settle into a security organisation that you could easily document to satisfy an ISO auditor, the hackers unsettle into a hierarchy-free commune of fizzing ideas. You might think, at first glance, this was inevitable. However, just think about the people involved. These are budding or experienced information security professionals who understand the need for governance and creativity to live in harmony. Some of them even wear ties!
But what seems to happen is an immediate polarisation in the team styles and the award of epithets. But this is necessary. It should be possible to allow creativity within the boundaries of good practice. Good behaviour within the reporting structure... and little personal sandboxes of maverickness (made-up word). There's a need for individuality, cooperation, and singularity at the same time. Welcome the opportunity to collaborate. The more we create new standards, the more the non-security professional will reject them or stare at them like Buridan's ass. And all these good intentions create interfaces, and that's where the criminals saunter through whilst we argue whether we call it change control or configuration management. So let's keep our hierarchies and matrices flexible and let's focus more on less. Why do we have to wade through ISSA 5173 and IASME, ISO/IEC 27001 et al. and The Standard of Good Practice, ISO/IEC 27001 and BS 10012 (Specification for Data Protection), ISACA/ISC(2)/BCS et al. qualifications, TIGER/CREST/CHECK, moving ever further from ISO/BS this and that into fewer...
One thing is for sure. The variation of skills and talents required to defend information systems from the criminals, or move beyond the Faraday cages and the firewalls, is legion. Each system's hack diminishes me, for I am part of the systems. There is one grace: knowing what you need to know and your own unknowns, and knowing what other skills and support you need to draft in... rather than Frankensteinian (I am at it today!) creations which need chaining down to stop them wandering further and further away from the original objective (see the Risk Reckoner, 18 July 2012 - Don't it always seem to go...). The first and last defence is the person, and that is well established in the IISP model. All else is detail.