One of the most common criticisms of analysts is that, since they are no longer practitioners, they lose their technical skills and even sometimes their ability to understand technology.

To be honest, it’s a pretty fair criticism. I’ve encountered plenty of analysts over the years who devalue technical knowledge, thinking they can rely completely on user feedback and business knowledge. I’ve even watched as some of them became wrapped around the little fingers (maybe middle finger) of vendors who took full advantage of the fact they could talk circles around these analysts.

It’s hard to maintain technical skills, even when it’s what you do 10 hours a day. Personally, I make a deliberate effort to play, experiment, and test as much as I can to keep the fundamentals, knowing it’s not the same as being a full time practitioner. I maintain our infrastructure, do most of the programming on our site, and get hands on as often as possible, but I know I’ve lost many of the skills that got me where I am today. Having once been a network administrator, system administrator, DBA, and programmer, I was pretty darn deep, but I can’t remember the last time I set up a database schema or rolled out a group policy object.

I was reading this great article about a food critic spending a week as a waiter in a restaurant she once reviewed (working for a head waiter she was pretty harsh on) and it reminded me of one of my goals this year. It’s always been my thought that every analyst in the company should go out and shadow a security practitioner every year. Spend a week in an organization helping deal with whatever security problems come up. All under a deep NDA, of course. Ideally we’d rotate around to different organizations every year, maybe with an incident management team one year, a mid-size “do it all” team the next, and a web application team after that.

I’m not naive enough to think that one week a year is the same as a regular practitioner job, but I think it will be a heck of a lot more valuable than talking to someone about what they do a few times a year over the phone or at a conference.

Yep – just a crazy idea, but it’s high on my priority list if we can find some willing hosts and work the timing out.

And don’t forget to RSVP for the Securosis and Threatpost Disaster Recovery Breakfast!

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Project Quant Posts

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment comes from Fernando Medrano in response to Mike’s FireStarter: Security Endangered Species List.

While I do agree with many of the posts and opinions on this site, I disagree in this case. I believe AV and HIPS are still important to the overall protection in depth architecture. Too many enterprises still run legacy operating systems or unpatched software where upgrading could mean significant time and money. While in a perfect world I would love having all systems on the latest operating system with the latest patches, that just isn’t realistic in every scenario.

I also don’t believe that white listing can function as a complete replacement to AV, just as a compliment. I cannot speak with complete authority to this subject as I have not had experience with many products. However I could envision cases such as the Adobe exploits that might run as part of Adobe (which white listing policy might permit) yet executing embedded malicious code.

HIPS is referred to in this article as signature based, however most of the HIPS products I have used have had little or no use of signatures. HIPS products which I have experience with learn the system calls of an application and map out their logical flow. Any deviations from this flow are then blocked. This is more of a white listing technique than black listing. I may have missed some research done on the effectiveness of this technique, but I see this as a great compliment to AV and white listing on high priority systems.