
On Sat, 30 Mar 2002, Sean Donelan wrote:
A basic security mindset is a combination of paranoia, a talent for contingency planning, and an understanding of business need.
My suggestion was to include a couple of courses in the curriculum.
1. Engineering Ethics
   How to play fair
   Right and wrong, dealing with conflicting responsibilities
2. Engineering Paranoia
   The world doesn't play fair
   Bad data, safety factors and progressive collapse
I'm not sure you can really teach someone the right combination of ethics and paranoia to be successful. I can teach anyone the technical stuff, or give them a really thick book. But best practices aren't a substitute for understanding the business and sound judgement.
The problem is good security people have to cover a lot of ground, and be at least /good/ in all of it. They have to have a solid understanding of all the systems and networks they are protecting as well as the customer requirements and business cost/beni stuff. One issue I see is a general lack of understanding with employers as to what is needed. The idea of the paranoid block everything type that must be restrained seems stuck in many minds. Unfortunately, this leads to issues, total ICMP blocks, bad ECN handling, etc., as well as very little drive for people to learn what they need. I think it comes down to being able to deal creatively with a lack of total control, and find ways to limit what you cannot eliminate. If the balance cannot be found, you end up with security problems, or performance issues, pissed customers and broken networks.

--
I route, therefore you are.