by James Stanger | Oct 26, 2015
It’s fun being a techie in the security industry, and it’s even more fun to help create certs for CompTIA. Sometimes, though, it feels as if you’ve entered what I call the acronym jumble.
Over the past few months, my product management team and I have spoken at various venues about a range of topics; mostly security. It has been extremely enlightening to work with actual practitioners to navigate the alphabet soup of the security world.
For example, you have technical acronyms such as DDOS, APT and RSA. But that’s just the techie perspective. When you add in the government language, such as DoD 8140, and then start adding certification product lingo, things get even more complicated.
CompTIA recently held its annual EMEA Member & Partner Conference, which I attended. EMEA – there’s another acronym. But wait, there’s more: One day I was on a conference call when someone said, with a straight face, “Well, now that we have that TCP/IP question answered, I’ll IM someone in the OPS team about putting the ITF exam in IBT so that the people in the DoD can go through QA.” I had to put myself on mute so folks wouldn’t hear me chuckle a bit.
Right around that week, I got an e-mail from – no fooling – the IRS. Yes, folks, the United States Internal Revenue Service. For those of you not familiar with how taxes work in the U.S., the IRS contacts you if they see, well, any discrepancies in your taxes. Of all of the letters that can rise up to the top of the alphabet soup of your life, the letters I, R and S just aren’t the ones you want to see. But thankfully, the e-mail I received wasn’t an audit. It was a kind note from Tim Martin, chief of the testing section of the IRS. He’s a techie, not an IRS auditor. In fact, it turns out he does volunteer work for another organization in the IT alphabet soup called AFCEA, a non-profit that promotes best practices in the IT profession through conferences. Tim was contacting us because he wanted someone from the CompTIA team to speak about the state of security in 2015.
Earlier this year, my colleague Patrick Lane visited Hill Air Force Base in Utah and gave a presentation to AFCEA members. I then spoke at AFCEA West in San Diego, and again at the Baltimore Defensive Cyber Operations conference later on. But my journey into getting to know security at a practitioner level didn’t end there. While there, I heard about the DON CIO, CINCPAC and other acronyms.
Since then, my team and I have met with enterprise CIOs and conversed with Navy CPOs. It just doesn’t stop. A month ago, I gave a presentation at the FCC with the title “Broadband Providers and Good Faith Steps.” It appears that the FCC is still working out its responsibilities with respect to the FTC. They’re looking to find ways that they can help people in the U.S. secure their privacy once their data has been captured by service providers. It felt good to represent the industry there, even when one of the directors told an inside joke about some L3 people – that’s director-level people to you and me.
I was recently able to spend some time with Tony Sager, formerly of the NSA and now with the CIS. Tony and I hosted a webinar in which we discussed the current state of security. He stressed the importance of a team-based approach rather than relying on that “security wizard” or the “scruffy IT type.” It was fascinating to spend time with these people because I learned more about how institutions in the U.S. apply security.
While all of this was stewing in my mind, I had a chance to attend the Spiceworld conference, a conference in Austin, Texas, put together by our friends at Spiceworks. One of my co-workers at CompTIA, Rob Winchester, had been talking up this conference for years, and we got a chance to present. The presentation I gave was called “Persistent Threats, Custom Frameworks: A Practical Guide to Network Security.” I had a great time, mainly because I was able to mingle with techies who get things done.
Sure, we were all engaging in acronym-speak. There was plenty of talk about new protocols and exactly where they mapped to the OSI/RM. And while I was at Spiceworld, I had a minor epiphany while I was talking with a group of security workers about implementing VPNs. One of the admins in the group worked for a homebuilding company in Utah. He said it was a struggle getting his company to invest in security measures. He was worried that some of their intellectual property and a few other areas could be at risk and wanted to address the problem.
I promised I’d send him a few things that our research team was able to create, as well as an article I had written for Linux Pro Magazine about creating a custom security framework and mapping open source security tools to it. He was grateful.
Behind all the information and acronyms we use every day, we are all looking for a compelling, clear narrative. It doesn’t matter if you’re a director at the FCC, a guy at the IRS who volunteers for AFCEA or someone who has been tasked with enabling proper VPN access to his CEO’s home office outside of the company DMZ.
In my mind, that narrative is based on some standard that everyone can understand and implement, at least eventually; is flexible, yet not open to interpretation; is embraced by the world; is scalable; allows individuals to create custom solutions and security frameworks; and enables people to learn how to secure systems easily by applying themselves with hands-on learning.
The common theme that ties together this alphabet soup is certification. It helps set the narrative in motion. People are looking for coherence. Certification standards can help bring about that coherence.
James Stanger is Senior Director, Product Development, Skills Certification at CompTIA.