If practicing information security can be a tough job, security journalism is arguably tougher. You're often not an expert, yet you have to translate between experts and the public, the public and experts, identify a sales pitch and yet still pull out an interesting story that's worth the bits and bytes it's written on. Then repeat daily. However, a healthy dose of cynicism is always in order. Take one article I was discussing the other day - SC Magazine's coverage of the UK 'cyber reserve' force. The problem isn't the journalism, the problem is that in a specialist field the loudest voices will almost always be those with the biggest agendas.
In particular, reading takes some translation.
Francis Maude says his government is "constantly examining new ways to harness and attract the talents of the cyber security specialists that are needed for critical areas of work".
Translation? We really don't know how to do this, and we're still trying to figure it out. We just needed some progress for the annual report so we thought we'd shout about it anyway.
ISC2 says: “Funding new research centres and denoting ‘Centre of Excellence Status' to universities that are already delivering graduate courses in this space does not begin to address the skills shortage that we all acknowledge is adding to the threat. There are already 55 to 60 graduate level courses in the UK and most students don't pursue an education at this level. More is needed at the undergraduate level where awareness of the career opportunities can help reach the numbers required."
Translation: The government should send more introductory training so people can move on and do CISSP.
And Detica says: “When we look back in five years' time we will see that the government's strategy has provided a catalyst for a series of innovative and useful activities, particularly around how industry can respond to and protect itself from cyber incidents – most notably the recent Cyber Incident Response Scheme announced by GCHQ. Nonetheless, there is still a long way to go before we can say that we are successfully countering cyber threats.”
Translation: It's great that we're one of a small number of companies to get privileged access to contracts through CIRS, but we still think there's scope to be paid more money.
All these agendas are reasonable, understandable, and in the case of ISC2 clearly beneficial to security. The question then has to be - so what is not being said?
Well, that we don't have a clue how to deliver this, for one. What it will do for another. And who will do it. And why.
All questions worthy of an answer.