Ohh great post! Some thoughts [the subtext is “I’m excited you’re writing about this”]
I agree, infosec is underrated in EA
Specifically in orgs that have dual-use information on their computers.
More specifically, I’m in favor of air-gapped networks for orgs that have strong AI capabilities. I’m aware this is a “big ask” and that nobody would take it seriously today. But if we’d have more infosec professionals who could help set up very secure networks, that would probably help, I guess.
Common misconception: “information security” is a single profession
Sometimes people want to “get into working on information security” but this seems (if I may exaggerate to make a point) like asking “how to get into working on computers”. It’s a big field!
I think the post does a good job in distinguishing some of the sub-domains, I’d like to add to it:
Building information security systems VS using information security systems
Naive example: Are you writing code for a new antivirus product or are you making sure the antivirus that your org bought is set up correctly?
(I think EA mainly needs the second option)
Attacking vs defending
(I think EA needs the latter, and I’d caution against “practicing attacking for years as preparation for defending” which I think people sometimes do. Not certainly a mistake, but not something I’d do by mistake)
Deciding what the org’s policy will be vs implementing a policy that you can’t change
For example, are you trying to convince the CEO that people in the org should not install Chrome extensions except from a specific whitelist, or are you trying to get the 100 employees to install a “Chrome extension blocker” (or whatever) on their computers and get it done in a week?
(I think, though uncertain, that EA needs both)
University degree?
This post has a heading “how to enter [tech profession X]” and has a sub-heading of “entering with a degree”. Is this a recommendation for people to get a degree? Is this just noting that if someone already has a degree then they might have an easier time? I don’t know if your post might be (unintentionally?) nudging people to pursue a degree, maybe
(My background, if anyone cares)
I spent 6+ years of my career doing information security, mostly as a software developer, including in the IDF and in 2 infosec startups.
Air gaps can function in networks that don’t need to have much data coming in or out. This used to be the case for industrial control systems and maybe weapons systems. But even when I’ve talked with industrial control systems experts on it, they recommended against it, because the gap will be plugged due to operational necessities whether you like it or not. Often it ends up being dirty USB drives bypassing your security that you have no control over. I strongly believe that the volume of external data processing needed by AI research means air-gapping is impractical.
If someone has enough IT skills to get an entry-level position, I would encourage them to take that route. If they don’t, then I would nudge them towards a degree that both will help to motivate them and to gain a credential to help them get in the door.
I agree these are problems, but disagree they don’t have solutions. (I was in the IDF where we did things to address these problems)
Also, the goal of defense is making offense very costly, it’s not “making offense impossible”.
We did, for example, allow data transfer, but there were limitations on it. Specifically USB drives were not allowed at all, and blocked from use on the computers themselves. If you wanted to transfer data, you couldn’t bring your own USB drive, you had to use a specific organizational protocol for it.
Sorry I’m not giving specifics here. My main point is that I’ve seen solutions to such problems in a real working air-gapped network that I personally used for my development work.
Also, I hypothesise EA needs more “head of security” people who can do everything from “explain to the CEO that the cost of stealing all of our intellectual property right now is around $100k” to “decide on useful policies and help the employees not be too annoyed by them”, including “here are tradeoffs we can choose to make, and here are clever ways we can get extra security at very low cost”. Another non-trivial task is “hire people who actually understand security”.
Do you have opinions on whether I’m right here?
If so, it might be worth thinking about how to get more such people. Seems hard.
I think you’re right here. It tends to be senior people who have that capability, and there’s not enough of them in the industry. What makes this especially hard for us is that EAs tend to be younger and early to mid-career.
Thanks Yonatan! I was the editor of this review.
The section “How to enter infosecurity” has one section which discusses how to enter the field with a university degree. But it also notes: “However, you shouldn’t think of this as a prerequisite — there are many successful security practitioners without a formal degree.” The following section discusses how to enter the field without formal training.
Whether any given individual should pursue a degree depends on a bunch of individual factors.
Your suggestion that EA orgs should have a “head of security” of some sort sounds plausible in many cases. But a lot will depend on the size of the organisation, its specific security needs, what other duties this person would be responsible for, etc., so it’s hard to be generally prescriptive. As the review lays out, there are likely to be ongoing security needs for many impactful orgs for the foreseeable future, and expertise in this domain will be needed at a variety of levels.
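Earlier in the thread, the comment about the air-gapped network says USB drives were blocked from use on the computers themselves, without giving specifics. As an added example that is neither the organizational protocol from that comment nor anything from the original post, here is one way to enforce that part on a Linux endpoint: refuse to load the USB mass-storage drivers through modprobe, deauthorize any mass-storage interface through a udev rule, and audit the result. The functions take a root prefix as their first argument (an assumption so they can be exercised against a scratch directory; pass an empty string for the live system), and the interface counter takes a sysfs path for the same reason.

```shell
#!/bin/sh
# Added example: block USB mass storage on a Linux host that must not accept
# personal USB drives, while keeping keyboards and mice working.
# This is not the protocol described in the thread; it is one generic layer.
# All functions take a root prefix ("" for the live system, a temp dir for tests).

MODPROBE_CONF="etc/modprobe.d/block-usb-storage.conf"
UDEV_RULE="etc/udev/rules.d/99-block-usb-storage.rules"

# Write both policy files under the given root prefix.
usb_block_install() {
    root="$1"
    mkdir -p "$root/etc/modprobe.d" "$root/etc/udev/rules.d"
    # 'install <module> /bin/false' makes modprobe fail instead of loading the
    # driver, so hotplugging a drive after boot does not pull it in.
    # A plain 'blacklist' line would still allow an explicit modprobe.
    # uas is the USB Attached SCSI driver, the other route to a USB disk.
    cat > "$root/$MODPROBE_CONF" <<'EOF'
install usb-storage /bin/false
install uas /bin/false
EOF
    # Second layer: when an interface advertising USB class 08 (mass storage)
    # appears, write 0 to its 'authorized' attribute so no driver binds to it,
    # whatever the module state. Assumes interface authorization (kernel 4.4+).
    cat > "$root/$UDEV_RULE" <<'EOF'
ACTION=="add", SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="08", ATTR{authorized}="0"
EOF
}

# Audit: return 0 if both policy files carry the expected lines.
# On the live system (root ""), also return 2 if the driver is already
# loaded, because the install line only prevents future loads.
usb_block_check() {
    root="$1"
    grep -q '^install usb-storage /bin/false$' "$root/$MODPROBE_CONF" 2>/dev/null || return 1
    grep -q '^install uas /bin/false$' "$root/$MODPROBE_CONF" 2>/dev/null || return 1
    grep -q 'bInterfaceClass}=="08"' "$root/$UDEV_RULE" 2>/dev/null || return 1
    if [ -z "$root" ] && [ -r /proc/modules ]; then
        grep -q '^usb_storage ' /proc/modules && return 2
    fi
    return 0
}

# Count USB interfaces of class 08 (mass storage) visible under a sysfs tree
# ("/sys" on a live system; a constructed tree in the test). A non-zero
# count after installation means a drive is plugged in and worth a look.
usb_block_count_storage_ifaces() {
    sysroot="$1"
    n=0
    for f in "$sysroot"/bus/usb/devices/*/bInterfaceClass; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "08" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}
```

On a live system, run `usb_block_install ""` as root, then `udevadm control --reload` so the new rule is picked up, and `modprobe -r usb_storage` if `usb_block_check ""` reports 2 because the driver was loaded before the policy landed. This only closes the mass-storage path; it does not stop a USB device that presents as a keyboard or network adapter, which is why a policy-based tool such as USBGuard and, above all, a defined organizational transfer protocol are the rest of the picture.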