While attending the SANS event in Orlando this week I had a chance to meet a fellow who works at a company that is a StillSecure customer.  I had never met this particular guy before, so I asked him how long he had been working in security at the company.  The answer I got reminded me of an old quote from the move "The Producers" -

-Who d'ya want? -I beg your pardon? -Who d'ya want? Nobody gets in the building unless I know who they want. I'm the concierge. My husband used to be the concierge, but he's dead. Now I'm the concierge.

This guy had worked at the company for a number of years in the network department. They had a "guy who did the security".  He is the one that bought the StillSecure product.  Evidently a while back the security guy left the company.  It is not clear whether he quit or was asked to leave, but the bottom line is they had no security guy. Instead of hiring another security guy, they made this poor SOB the security guy.  He inherited a bunch of security products including our own and a bunch of "open source stuff".  This guy didn't even know where to begin.

After floundering around for a while, he made a smart move and signed up for some security training from SANS and is just beginning to realize how much he doesn't know.  But it will still be some time before he is in a position to handle the security at his company, that by the way has SOX issues to deal with.  I suggested that perhaps he look into some MSSP service to help him out.  I am going to try and help this fellow out as much as I can, but he has a tall order.

How many others are out there in the same boat?  How many people have had the security role thrust on them, without the training or expertise to make it happen.  The greatest tools in the world, won't make up for this lack of skills and experience.  Is it any wonder that we have a breach a day announced and our security seems to be in such disarray? We should let security be handled by security professionals or else we deserve what we get!

While attending the SANS event in Orlando this week I had a chance to meet a fellow who works at a company that is a StillSecure customer.  I had never met this particular guy before, so I asked him how long he had been working in security at the company.  The answer I got reminded me of an old quote from the move "The Producers" -

-Who d'ya want? -I beg your pardon? -Who d'ya want? Nobody gets in the building unless I know who they want. I'm the concierge. My husband used to be the concierge, but he's dead. Now I'm the concierge.

This guy had worked at the company for a number of years in the network department. They had a "guy who did the security".  He is the one that bought the StillSecure product.  Evidently a while back the security guy left the company.  It is not clear whether he quit or was asked to leave, but the bottom line is they had no security guy. Instead of hiring another security guy, they made this poor SOB the security guy.  He inherited a bunch of security products including our own and a bunch of "open source stuff".  This guy didn't even know where to begin.

After floundering around for a while, he made a smart move and signed up for some security training from SANS and is just beginning to realize how much he doesn't know.  But it will still be some time before he is in a position to handle the security at his company, that by the way has SOX issues to deal with.  I suggested that perhaps he look into some MSSP service to help him out.  I am going to try and help this fellow out as much as I can, but he has a tall order.

How many others are out there in the same boat?  How many people have had the security role thrust on them, without the training or expertise to make it happen.  The greatest tools in the world, won't make up for this lack of skills and experience.  Is it any wonder that we have a breach a day announced and our security seems to be in such disarray? We should let security be handled by security professionals or else we deserve what we get!