Stories by: Andreas M. Antonopoulos

I often hear from IT executives that it is hard to recruit and retain "good security people." Many lament the shortage of skills in this area and cannot reconcile the skills offered with the positions that need to be filled. Is there really a shortage of good security people? Or just a mismatch in the skills and the jobs?

In the adversarial environment of information security, new types of attacks emerge constantly. Just recently, a very highly targeted phishing attack against CEOs used the pretext of a federal grand jury subpoena to lure executives to a site hosting malware. Let's face it: Most of the innovation in this industry is on the other side, the "dark" side. We are unfortunately forced to keep reacting to new ingenious attacks every few years.

People don't notice change when it's gradual. Sometimes, however, small, incremental changes add up in a way that isn't noticed until a change in degree becomes a change in kind.

The scientific field of biology has provided many useful metaphors, such as "virus" and "infection," for the study of malware. Many researchers have used biology and evolution science to create innovative defenses against malware, in many ways simulating the functions of biological immunity systems. I find that biological sciences and especially evolution provide some great insights into the behavior of malware, malware creators and malware defenses over longer periods of time. I also see a lot of parallels between the evolution of malware and the evolution of darknets (stealthy peer-to-peer, or P2P, networks).

There are two ways to predict the future with 100% accuracy. You either have the power to shape the future to your predictions (the God method) or you make your predictions vague enough so that they fit most conceivable outcomes (the Nostradamus method). For those of us without omnipotence and with a desire to write something meaningful, that leaves the alternative: extrapolate from in-depth research, solid statistics and current trends and hope for minimum volatility (disruptive innovation or externalities) in the outcome.

Virtualization is quickly being adopted in many different industries. As virtual machines move from testing and development roles into production, security becomes ever more important. Virtual servers are no less secure than regular servers, and may provide additional security by compartmentalizing applications.

The chief security officer is a fairly new position. We first saw it emerge in larger corporations in the late 1990s; these days, it's standard in most organizations. The CSO's role varies, but typically it combines risk management, policy development and investment in security technologies.

Security work is a lot of fun. There's always some new threat or technology just over the horizon, challenging our assumptions and existing controls. Things are changing so fast that is it almost impossible for a single person to have a broad view of security in all areas of IT. Even large companies rely on a handful of security specialists to create policies and design security controls across all applications and networks. If your security staff is spread too thin, however, they end up spending most of their time reacting to security problems rather than planning and securing emerging technologies and applications. That's one reason why managed security services are gaining acceptance.

Looking at the development of different technologies in the last two decades, I am amazed at the vast difference between how a technology was first envisioned and how it ended up being implemented.

Visiting RSA '07 last week, I tried to embrace the fact that this security conference is no longer an insiders' gathering, and tried to put myself in the shoes of a newbie to figure out what I should pay attention to in a new security job. The first mistake I made as a newbie was to wear new shoes: ouch. The second was to try to take it all in. If you accept the premise that security should be holistic and not about silver bullets, then the RSA show floor was big bucket of silver bullets. Hundreds of features disguising themselves as products, loudly touting the latest scare: "Did you know there are ogres lurking in this obscure part of your infrastructure? Anti-OGRE!" It was difficult to see what the big new theme for security is in 2007.