Truth, and the Cybersecurity Professional

In c. 33 A.D., the Roman governor of Judea, Pontius Pilate, is famously known for asking, “What is truth?”

Painting by Nikolai Ge (1831-1894) painted in 1890

This is a question that many ask today, and in the realm of cybersecurity, there are answers. But before I wade into this topic, it’s first appropriate for me to cite a dictionary definition of the word truth:

1: the real facts about something : the things that are true

2: the quality or state of being true

3: a statement or idea that is true or accepted as true

(source: https://www.merriam-webster.com/dictionary/truth)

In business, government, education, and military contexts, and when it comes to the information systems that we in cybersecurity are called to protect, the truth is the complete body of information in electronic and other forms, including business records, system and device configuration, documentation, and software.

Software, and the configuration of systems and devices, serve to record and retell the truth (e.g., business transactions, correspondence) and make that information available at a later time or in another form.

It is said that not all truth should be spoken aloud. In the context of information systems, this means that some truths (business records) require protection, as they are considered personal or sensitive. On the business side, organizations have intellectual property of various types, including patents, trademarks, trade secrets, financial records, human resource records, and other operational records. Organizations depend upon the protection and integrity of this information, as much of its existence enables organizations to continue operations in support of their mission and purpose. Much of the responsibility for this protection falls to cybersecurity professionals. However, it is also commonly accepted that all personnel have a part to play, primarily in relying on their professional judgment to ensure that information is handled properly and protected from attackers.

There is considerable information in electronic form about natural persons, and more is being created continuously. Examples include the personal financial records of individuals and other information about persons, including their health, sexual, religious, and political affiliations and preferences. The universal concept of privacy concerns the protection and proper use of such information. The protection part of privacy falls to cybersecurity professionals (and the rest of the workforce, as mentioned earlier) to ensure that truths about individuals are kept confidential. The proper use part of privacy concerns formally established statements (more truths, or in this case, assertions) describing set formal and appropriate uses of personal information.

Cybersecurity professionals’ mission is the protection of the truths as described above.

Professional associations in the cybersecurity industry have codes of ethics and conduct that guide professional behavior. The organization (ISC)² Code of Ethics includes these statements:

• Tell the truth
• Take care to be truthful

The ISACA Code of Professional Ethics includes these statements:

• Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character…
• Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority.

The InfraGard Code of Ethics includes these statements:

• Serve in the interests of InfraGard and the general public in a diligent, loyal, and honest manner, and will not knowingly be a party to any illegal or improper activities.
• Maintain confidentiality, and prevent the use for competitive advantage at the expense of other members, of information obtained in the course of my involvement with InfraGard…

These and other codes of ethics require cybersecurity and privacy professionals to tell the truth, and to protect the truth from unnecessary disclosure and improper use.

Absolute truth does exist. For the cybersecurity professional, we are expected to conduct ourselves with integrity (identifying and telling the truth) and seek to protect business and personal information (truths about organizations and natural persons). That is our mission.

References:

(ISC)² Code of Ethics: https://www.isc2.org/ethics/

ISACA Code of Ethics: https://www.isaca.org/credentialing/code-of-professional-ethics

Checkbox CPEs

Those of us with security certifications like CISSP, CISA, CISM, and others are acutely aware of the need to get those CPE hours completed each year. Typically, we’re required to accumulate 40 hours per year and that we keep accurate records of learning events, along with evidence that we did indeed attend those events. 

I was audited once, over a decade ago, and came up a bit short on my evidence. Since then, I’ve been meticulous in my recordkeeping and maintaining proof of attendance. But this piece is not about recordkeeping.

Are you finding your CPE events to check the box? Or are you pursuing new knowledge and skills?

I’ll tell you a secret: the certification organizations don’t know whether you are doing the minimum to check the box or pursue knowledge with enthusiasm.  They don’t ask, and they don’t care.

You should care, however, and the difference will show. If you are just checking the CPE box, you will not be learning much, and you’ll be a weaker contestant in the employment market. By not making a real effort to grow professionally, you’ll slowly fall behind.  While you may be able to fake it for a while, your learning negligence will catch up to you, and it will take considerable time and effort to dig yourself out of the hole you slid into. Not only will you have to spend considerable time catching up on security topics, but you’ll also have to undo the habit of doing the minimum to slide by.

Padding Your Resume

It’s a popular notion that everyone embellishes their resume to some extent. Yes, there is probably some truth to that statement. Now and then we hear a news story about people “padding their resumes”, and once in a while we hear a story about some industry or civic leader who is compelled to resign their position because they don’t have that diploma they claimed to have on their resume.

Your resume needs to be truthful. In the information security profession, the nature of our responsibility and our codes of ethics require a high standard of professional integrity. More than in many other professions, we should not ever stretch the truth on our resume, or in any other written statements about ourselves. Not even a little bit. Those “little white lies” will haunt us relentlessly, and the cost could be even higher if we are found out.

– first draft excerpt from Getting An Information Security Job For Dummies

Hard copy vs online verification

Today, in an online forum, someone asked why ISACA still uses paper based certification applications instead of moving to online verification. The person argued that other organizations had gone to an online verification system.

My response:

I can understand why this is still a paper-based process. Moving it online would provide many opportunities for fraud. While I believe that 99.9% of CISA/CRISC/CISM applicants are honest, a purely online system would provide an easier opportunity for someone lacking the necessary background or experience to fabricate it – including verifiers. How could you prove that the verifiers are genuine?

Maybe, someday, if we ever get to a reliable online identity system that provides a solid tie between a real person and an online identity, I think that ISACA should stick with the paper model.

I am sure that ISACA has had this discussion, and will continue to have it from time to time.

LinkedIn skills endorsements adds buzz but not much value

I now view other users’ profiles with some skepticism and wonder whether they really possess those skills or not.

I’ve been a LinkedIn user for about eight years, and I’m highly appreciative of its business networking focus. LinkedIn has facilitate many fruitful business opportunities that might not have happened otherwise.

LinkedIn has been adding new features, and one of the newest is the Skills feature. A while after adding Skills, LinkedIn now provides a means for users to “endorse” the skills of their connections. Upon first glance, I thought this would be a useful feature that would help to add credibility to one’s claims of business and technical skills.  That is, until I started receiving endorsements from some of the people I am connected with.

I’m grateful to my connections for endorsing my skills – make no mistake about it. However, I’ve received many skills endorsements from connections that do not actually know whether I have those skills or not. While their endorsements seem to strengthen my credibility, I now view other users’ profiles with some skepticism and wonder whether they really possess those skills or not. If people are endorsing my skills without actually knowing whether I have them, how do I know whether others have the skills they claim, even when endorsed?

LinkedIn is just another tool that people can use to embellish their resumes. While LinkedIn has great potential for helping people find each other based on their profession, location, skills, and other criteria, LinkedIn is no substitute for other methods for determining whether businesspeople actually possess the skills they claim.

Open Networking is a violation of the LinkedIn terms and conditions

It really irks me when I see people on LinkedIn who connect with anyone who is willing to accept a connection.  This is a blatant violation of the intentions – and the terms and conditions – of LinkedIn.

I connect only with people I know. I am VERY hesitant to connect with people who are promiscuous linkers, because I do not have any way to know which people in *their* network are trustworthy.

Today I saw a posting on a LinkedIn group that read,

“Lets expand our network together. Open Networker Accepting All Invitations.”

I responded,

“In my own opinion this violates the LinkedIn terms and conditions. And I’m surprised to hear this from a CISSP and CISA who is supposed to uphold two different codes of ethics that require honesty in all professional dealings.

In LinkedIn, we are supposed to connect only with people that we *know*, NOT with everyone who will push a button. The LinkedIn Terms and Conditions, section 3, reads:

‘The purpose of LinkedIn is to provide a service to facilitate professional networking among users throughout the world. It is intended that users only connect to other users WHO THEY CURRENTLY KNOW and seek to further develop a professional relationship with those users.’ (emphasis mine)

How can you reconcile your requirement to abide by the LinkedIn terms and conditions, your statement, “Open Network Accepting All Invitations” and your codes of ethics that require you to respect laws, regulations, and rules?

As security professionals, we are supposed to lead by example. Otherwise, how are we supposed to expect others to do so if we PUBLICLY and brazenly violate them ourselves. Doing so compromises our ability to be effective in our professional work.”

The LinkedIn terms and conditions also says:

“Any other use of LinkedIn (such as seeking to connect to someone a user does not know or to use LinkedIn as a means of generating revenue through the sale of contacts or information to others) IS STRICTLY PROHIBITED AND A VIOLATION OF THIS AGREEMENT.”

Can this be any more clear?