IT and Infosec Auditor Shortcomings – SANS Joins The Dialog

Actually, SANS has been in the dialog for a while, but they recently put out an article that reinforces the issue of how IT and infosec auditors, and many consultants alike, are not delivering the proper value to the market. I wrote an article last year that ranted on this issue, and many responded through email and comments in support of the view. I first noticed the problem about five years ago, as ISC2, ISACA, and other organizations really focused on increasing membership and revenues. Also, from my years in the Big Four, I noticed that a lot of accountants and management consultants were getting certified and managing projects that were supposed to deliver very technical solutions. The outcomes of many of these projects focused on high-level IT governance and security without ever looking at the lower-level issues that actually affect enterprise security: log analysis and code review. The latter cannot be emphasized enough, since the lack of routine and timely code review is the main reason for numerous leakage incidents. Knowledge of log analysis, just like knowledge of code review, should be a required part of a qualified IT and infosec auditor's skill set. I discuss in this link how log analysis is as fundamental to infosec audit and consulting as bookkeeping knowledge is to a financial auditor, consultant, or CPA.
When I first started thinking like this and sharing the idea with co-workers, many responded as if I were romanticizing the old days and trying to retreat from management back to low-level technical work. Despite these responses, something just did not seem right: the average Big Four firm in Japan audits the information systems of a couple thousand publicly traded companies, but not a single IT auditor could so much as study the code that ran in those systems, much less pick out a salami scheme or point out where an error check may be missing.
Brighter days came this past Fall, when I attended SANS Future Vision (Fall 2009) and a presentation titled The Most Dangerous New Cyber Attacks and How to Prevent Them by Alan Paller, research director at SANS. In this presentation, Alan emphasized that client requirements for infosec consulting will move toward lower-level technical skills that deliver high value. Instead of broad and shallow, clients will pay a premium for narrow and deep technical skills in specific knowledge sets. In other words, most computing environments already have a policy framework and understand the best practices, but the technical skills are not available; hence, clients will pay a higher premium for specific technical skills.

SANS recently issued a report on The Top Cyber Security Risks. As I looked through the listing and read the report in detail when it first came out, it became evident that infosec is focused on everything around the problem and pays no attention to what is, at this point, the ultimate form of protection: secure code review. Instead, the focus is on reactively patching systems that have possibly already been hacked. The report also clearly points out that our most vulnerable systems, client computers, are patched later than most server systems; therefore, exploits are now focused in that direction. Fortunately, after so clearly pointing the issue out, SANS has, as expected, recently stepped forward to help out. This blog further points out the issue, using the aforementioned SANS report to outline it. I like it. That page is amazing: a winner of the "how many adverts can you squeeze into a single page" challenge. Just enjoy the article.
Please comment… 73s
