SCADApedia

Why Security Talent Capitalization Rate is Low

In my last post I introduced Malcolm Gladwell’s Capitalization of Talent concept and concluded that the capitalization rate of SCADA security talent in the control system community is low. Here are some reasons why, in no particular order:

  • Security 101 is dull – All too many control systems are at the point where they need to get security patching, user management, anti-virus updates, firewall rulesets, hardened configurations, … under control. This is important, but not exciting work. A lot of the ‘excitement’ in the first couple of years with a new client is more related to the personal and personnel issues of getting understanding, buy-in and huge initial improvement in the security posture rather than any cool technical work. [Also seeing the process being controlled can be very cool] It is in years 3+ when the challenging and fun technical work gets started. We would have a tough time keeping our technical talent if we didn’t have longer term clients far along the security curve and research projects to go along with the assessment work.
  • Security talent is not valued – Many of the skills that would make one talented in cyber security also can be applied to other control system endeavors. People will tend to focus on what is rewarded. There are exceptions with passionate people, but they are a happy exception.
  • Little sense of community, peers, training – There are now a number of SCADA security 101 events, guideline documents, webcasts, etc. But the talent we need is going to move past this quickly and become bored with it. It is still necessary because the majority has not grasped and implemented 101 level security. However, I’m still surprised at how little advanced work is out in the public after ten years in the SCADA security world. It is why we started our SCADA Security Scientific Symposium [S4]. If you are potential talent in an asset owner or vendor, you are going to have to be a trailblazer, because there are not yet groups discussing advanced topics that you can learn from and work with.

I will say that there are huge opportunities for interesting and important security work in control systems. We have a surplus of interesting and practical research work we want to do as a consulting and research practice. If I was working for an owner/operator I’d really be focusing on highly customized anomaly detection, forensics, and more granular and stronger authentication.

Comments

Comment from Bryan
Time: December 23, 2009, 3:53 pm

Dale – these factors feel right on the mark to me. Especially the idea that security skills are useful across other control system endeavors.

Perhaps there is room for a few other issues that further constrain talent capitalization:

Weakest Link…since security as a system is limited by the weakest link, some may feel a sense of diminishing returns. Why invest in talent if the effort won’t really make a difference to the overall system?

Low Likelihood…risk management approaches (frequently promoted as an important security skill) are essentially flawed for incidents with very low likelihood. As above, investing in security talent to address issues perceived as highly unlikely may not be the most effective approach to increase overall system security.

Contrary to any limitations, a call to improve capitalization of security talent is a good sign. To quote Ross Anderson’s conclusion in Security Economics and Critical Infrastructure:

“Security is hard. Control systems are hard too. Control systems security will be harder; but most governments now accept that it has to be tackled.”

Pingback from Digital Bond » The New Year
Time: January 3, 2010, 8:40 pm

[...] NERC CIP meets the law of unintended consequences. There are a large number of frustrated control system security professionals about to be unleashed on the community. Every electric utility has been forced to grow a few professionals with control system and security expertise. Some of these came from the IT side; others came from the control system side. Many have been battling with their organizations to do the right thing in terms of security and the spirit, rather than the letter of compliance. Not a small number have been losing to the approach of finding ways to severely limit the cost and corresponding security effectiveness of NERC CIP regulations. These people are and will be looking for work in 2010. When they land in an organization that cares about security we should see a significant improvement in security posture. This may be related to the capitalization of talent. [...]
