I explained to him that most "computer security experts" in my experience know little about computers and nothing about security, but rather have just attended classes and tested their way to certifications designed to boost their resume but not their job performance. The ensuing discussion about what "secure" really means took an immediate turn away from computers.
A few weeks ago my daughter's school sent her home with a packet of fund-raising materials. She was to go around to my friends and colleagues (since her friends' parents all got the same packet from their kids) and sell holiday wrapping paper, chocolates, etc. to raise funds for the school. The children were baited with various prize rewards based on their sales volume. She picked up nearly $500 in sales in two afternoons, and had roughly $300 in cash in her envelope on the appointed day to return the orders to the school.
Rounding down to $100 per student for argument's sake, consider this: the school has more than 900 students. Is their security system adequate to protect $90,000 in cash?
My colleague reacted strongly to this statement; he has two children in the same school. He had not considered the ramifications of collecting large amounts of money in an insecure location with a large group of children, especially his children, and was surprised I had. That's when I got to pull the punch line: there is no such thing as computer security, there is simply security as it applies to computing.
No amount of training in computing techniques, code walkthroughs, design methodologies, or security APIs is ever going to make you a security expert. Security isn't even about the technology, it is about how a system interfaces to the world around it and how these interfaces might be abused by miscreants.
In actual fact, I've spent too much of my life implementing and later designing computer systems to really be effective as a "computer security expert." The real experts are the (former) miscreants now working on the side of angels; those who have the ability and mindset to probe the weaknesses in a system and then report them to the originators so they can fix the system, rather than exploiting these weaknesses for their own amusement or personal profit. I am awed by these geniuses.
That said, I'll probably still pull the "computer security expert" card when I visit with the school Principal to discuss his endangering the life of my child.