The Media and Cybercriminals

I recently read an article in CNNMoney.com (http://money.cnn.com/magazines/moneymag/bestjobs/2009/snapshots/8.html) in which Gregory Evans, a self-employed information security consultant based in Atlanta, discussed what he does for a living. Describing the job of computer/network security consultant as the “eighth best job in the world,” CNNMoney.com reported that Evans describes himself as a “cybercrime fighter.” He said that his job is to counter threats against computing systems and networks, such as hackers, viruses, worms, and spyware.

From what I read, Evans is a personal and professionally competent individual. At the same time, however, I found out that he has a sordid past, one in which by his own admission he broke into one computing system after another. Here we go again—the media glorifying another individual who has a history filled with criminal activity. Lamentably, this is not the first time this kind of thing has happened, and it will not be the last.

The media is not the only entity that does this kind of thing. I remember that not all that many years ago I was doing some consulting for a very large financial organization. The lead technical person in information security had achieved considerable notoriety from all his previous hacking and phone phreaking activity. He was ostensibly very knowledgeable about information security, but when I realized who he was, I got a sinking feeling in my stomach. I did not find out that I would have to work with him until I was on site at this client’s facility. Had I known in advance, I never would have accepted the consulting job. How could an organization with so much at stake have allowed someone with such a background to work there (in information security, yet!)? How did this person ever slip through a background investigation? Truly there was something wrong in the state of Denmark.

The media may send the wrong message, and financial and other institutions may make the wrong decisions, but what gets to me the most is when information security organizations have former cybercriminals speak (often for exorbitant prices) at conferences and meetings. I’ve written a previous blog entry on this disturbing trend, so I won’t say anything else here except that no matter what incentives are offered to me, I will not speak for any organization that has at any time brought computer criminals in to speak at any of its conferences and meetings. There are lots of speaking opportunities out there—why serve some organization that is not serving the information security profession well?

So I want to propose what I believe is a new idea. Why not make having professional certification such as CISSP certification a prerequisite for the privilege of speaking at information security meetings and conferences? This would weed out individuals such as Evans who have engaged in previous criminal activity, because having done so disqualifies anyone from becoming CISSP-certified. Additionally, this would preclude individuals such as product managers and marketers from security vendors from speaking at professional information security events. Don’t get me wrong—I have a lot of respect for well-seasoned product managers and marketers, and I love talking to them at trade shows. But these individuals typically have minimal credentials in information security. They are usually neither teachers nor mentors in our field. Furthermore, they typically “hawk their wares” one way or another when they speak. If they do not directly make a sales pitch for whatever product they represent, they often indirectly do so by stating the requirements for a certain type of product and then “mentioning” that their product fulfills these requirements.

I do not know what to do about the media making ex-computer criminals look so good, nor can I really do anything about organizations hiring these criminals. But I know what to do about professional organizations bringing these and other unqualified or undesirable individuals in to speak. You can vote with your feet, as I do, and I hope that you also consider doing this.
