Dumb Luck: Why Security Breaches Are Like Playing Russian Roulette

“The future masters of technology must be light-hearted and intelligent. The machine easily masters the grim and the dumb.” (Marshall McLuhan)

This quote has been a long-standing personal favorite because it illustrates, on many levels, the need to embrace the “life learner” concept: always pushing to enhance your own skill set and capabilities. It also suggests that we must always strive to embrace change, adapting to any and all challenges or obstacles before us. Humans have been quite good at doing this.

All this being said, it should be no surprise that one of those obstacles is intelligence itself. If a person lacks the intellectual capacity to master a given task, much less to excel at it, how do you expect their performance to hold up over time? The interesting thing about an individual’s capabilities is that each of us is very good at a few discrete things, middling at quite a number of others, and poor at a few more. That spread is exactly what you see when you look at how human abilities are distributed around their mean.

We have developed over time to leverage the community for the greater good because, instinctively, we all realized that because of this natural distribution we would not survive alone. Our ability to master the environment depends on the ability of whoever is delegated the task or challenge at hand.

Intelligence tests are one of the most popular types of psychological test in use today. On the majority of modern IQ tests, the average or mean score is set at 100 with a standard deviation of 15, so that scores conform to a normal distribution curve. This means that about 68 percent of scores fall within one standard deviation of the mean, that is, between 85 and 115, and about 95 percent of scores fall within two standard deviations, that is, between 70 and 130.

Now apply this model to information security. A big challenge we face is a long-standing global talent deficit in information technology, and especially in security. To make matters worse, when we lay the normal distribution over that pool, what we undeniably find is that roughly half of our existing professionals fall on the high side of average and roughly half on the low side. The truly gifted outliers, those more than two standard deviations above the mean, are a small minority of a few percent. As you’d expect, and not really worth dwelling on, there are also bottom-of-the-barrel candidates who have no business being in the business!
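To make the two paragraphs above concrete, here is an added example (not part of the original post) that derives the 68/95 rule from the normal distribution with the IQ-test parameters the post quotes (mean 100, standard deviation 15) and then applies it to a hypothetical candidate pool. The pool size is an assumption for illustration only; nothing here changes the post's argument, it only shows where the percentages come from and how few candidates land in the upper tail.

```python
import math

# Parameters the post states for modern IQ tests.
MEAN = 100.0
SD = 15.0


def normal_cdf(x, mean=MEAN, sd=SD):
    """P(X <= x) for X ~ Normal(mean, sd^2), computed from the error function."""
    return 0.5 * (1.0 + math.erf((x - mean) / (sd * math.sqrt(2.0))))


def fraction_within(k_sd, mean=MEAN, sd=SD):
    """Fraction of the population within k standard deviations of the mean.

    k_sd=1 gives the '68 percent' figure, k_sd=2 the '95 percent' figure.
    """
    upper = normal_cdf(mean + k_sd * sd, mean, sd)
    lower = normal_cdf(mean - k_sd * sd, mean, sd)
    return upper - lower


def fraction_above(score, mean=MEAN, sd=SD):
    """Fraction of the population scoring strictly above `score`."""
    return 1.0 - normal_cdf(score, mean, sd)


def expected_counts(pool_size, mean=MEAN, sd=SD):
    """Expected number of candidates in each band of a pool of `pool_size`.

    Bands are the post's own: below 70, 70-85, 85-115, 115-130, above 130.
    The pool size is a hypothetical input chosen by the caller.
    """
    edges = [mean - 2 * sd, mean - sd, mean + sd, mean + 2 * sd]
    cdfs = [normal_cdf(e, mean, sd) for e in edges]
    return {
        "below 70": pool_size * cdfs[0],
        "70-85": pool_size * (cdfs[1] - cdfs[0]),
        "85-115": pool_size * (cdfs[2] - cdfs[1]),
        "115-130": pool_size * (cdfs[3] - cdfs[2]),
        "above 130": pool_size * (1.0 - cdfs[3]),
    }


if __name__ == "__main__":
    print(f"within 1 SD: {fraction_within(1):.1%}")   # ~68.3%
    print(f"within 2 SD: {fraction_within(2):.1%}")   # ~95.4%
    print(f"above 130:   {fraction_above(130):.2%}")  # ~2.28%
    # Hypothetical pool of 200 applicants (assumed number, not from the post).
    for band, count in expected_counts(200).items():
        print(f"{band:>10}: {count:6.1f} candidates")
```

The point the numbers make is the post's own: in a pool of 200 applicants drawn from this distribution you should expect only four or five to sit above 130, which is why screening on something beyond a pass/fail certification matters.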

As this applies to security breaches, which, I might add, have jumped by an estimated 62 percent this year alone, how do you vet candidates or evaluate existing team members? How do you decrease your security risk by identifying the appropriately qualified candidates or consultants? Intelligence tests only give you a general idea of a person’s intellectual prowess, not their security aptitude, and psychological tests only describe a person’s behavioral tendencies. Beyond those, where do we go?

I’m not aware of a specific battery of examinations available today that would increase the odds of success in the global battle for information security. Sure, there are plenty of security certification examinations available, but these do not test our ability to think creatively or logically under fire, and they do not benchmark the candidate against their peers. The medical school student who finished last in his class is still called doctor, right? So what would help hiring managers increase their odds?

Although it does take more effort, I suggest developing a profile of your candidate pool for starters. We already spend time checking a person’s employment history, criminal background, academics, credit history and so on; why would we not examine other aspects of a candidate just as closely?

Ask questions and include things such as:

  1. Have they made obvious contributions to the advancement of the profession?
  2. Are they published in their field? Publications, blogging and other meaningful content for the profession can tell you a lot about a person’s attitude, proficiency level and other important attributes, or the lack of them.
  3. What tangible professional leadership roles have they held successfully, and why? Are there any negative indicators?
  4. Have they been consistent in their career progression and focus? People with natural aptitude generally already recognize it and are actively pursuing it. The caveat remains that you still weigh this against the tangible professional contributions and intellectual qualities above.
  5. Are they making any attempt to mentor or otherwise share their professional wisdom and experience? Many professionals do this through outreach activities, trade organizations, consulting and other public-facing activities.

The numbers don’t lie, and the toll from cyber security breaches is only getting worse. When we are faced with a shortage in the talent pool, and when that shortage is exacerbated by the natural spread of ability, we are faced with really just one question: do we do nothing (out of negligence, complacency or despair), essentially playing Russian Roulette with our customers, employees, shareholders and everyone else, or do we enlist the assistance of demonstrably capable professionals to bridge the gap and increase our chances of security success? You might not be able to afford, or find, your own “big gun” security professional, but you can always afford to purchase some range time.
