On the cheap
Big company gets people barely able to do the work and pays them peanuts.
Who wins? Certainly not security.
GCHQ's communications security arm, CESG, has been accused of leaving a gaping hole in the government security advisor profession by axing its accreditation scheme. The CESG Listed Advisor Scheme (CLAS), the accreditation programme for private sector consultants providing information assurance advice to the public, is to be …
Is someone suspecting a chance of being snowdenundered?
Or is this a Channel Dash thing?
The first thing that the high command did with the officers in charge of the photographing of the Kiel Canal was ditch the boy in charge (amidst rumours of corruption no less.) It sounds crazy to imagine the Navy giving the Germans that one in the middle of WW2 but it was either them or replacing battleships with flyboys. And the RAF was sincerely out of favour back then.
Follow the money...
Oh, wait. It's a secret.
My experience of CLAS (and other security) consultants has been less than good. The conversation usually goes something like this.
Q: What do we need to do to become XXXX standard compliant?
A: Conform to standards as stated in the documentation
Q: Can I see the documentation?
A: It can be found on site XXXX
<spent 1/2 day finding the documentation, usually not on site XXXX but on site YYYY with requirements for yet another login>
Q: What does ambiguous term XXXX mean?
A: That is open to interpretation.
Q: What is the current interpretation?
A: I'm not sure...
Well, sadly, there were always some crap ones.
But get yourself a decent one.... and the first answer turns into a dialogue about whether or not you really need to meet the standard in question, and whether more proportionate or appropriate controls might be better instead, what suits the business best, what the actual threats and risks are, what the organisation's appetite for risk acceptance is, and so on.
More security, less impact on the business, less cost, less dogma....
If you have ever had a CLAS consultant that was really GOOD, your experience will have been very different.
CESG are, of course, correct that the new scheme is open to independents. It's just too damned expensive for them, that's all.
CESG could have had good quality from the start if they had implemented the CLAS concept as its inventor had suggested. Instead, they had to throw in some requirements that had nothing to do with security but everything with politics. The appalling lack of quality in CLAS specialists was of their own making.
I know because I had to help plenty of these idiots get out of trouble so they could finish their glory projects without anyone being the wiser that they nearly crashed and burned. IT, security and politics do not make a good mix, especially with politics in control.
As a freelance security consultant, although I could easily jump through the hoops to get my CLAS badge, it takes time and (quite a lot of) money. In practice, the only organisations that have demanded I be CLAS registered have been gummint (or businesses working for gummint who have the same restrictions imposed on them), and then I simply go through an intermediary consultancy who add a substantial mark-up and I just do the work anyway.
This sort of idiocy happens all the time in both the public and private sectors. In the private sector it's usually just the difficulties of dealing with beancounter central in order to get on the 'approved supplier' list. No matter how many times I point out to them that I don't get paid until they're happy with my work and in the (incredibly unlikely) event of my company going bust, they're exposed to no risk whatsoever, I still get the same 20 page form and endless wait for credit references to clear, so I don't bother and go through an intermediary who are already 'on the list'.
I think my record is 4 intermediaries on one overseas job. "Blimey, you're expensive" they cried. "If you'd hire me directly, I could do the same work for very much less than half the price" I replied. But both they and I know it's pointless trying to change the bureaucracy at the heart of large organisations.
I did my time on the gravy train. Being asked to write accreditation documentation. But those types of individuals were not very good at seeing that the technology was there to support a business purpose. Very talented in their ability to comply with a standard but that doesn't make you secure...just compliant.
Only good thing about CLAS was the easy pickings list for head hunters to go through when looking for their next "talent".
Anonymous. My peers will probably know who I am.
Yes, anything to stop the client being able to hire independent consultants. Those bastards seriously damage our profits by promoting competition and encouraging clients to ask embarrassing questions about why our services are so expensive. Lobbying money well spent, I'll say.
CLAS was a strange beast - basically a badge that indicated you had some relevant IA experience and had been to a few days of CESG training on risk assessment. Oh, and had paid the fees...
Like all badges, some holders are more worthy than others and there are good and bad CLAS consultants out there, but it had become less valuable over recent years. Nowadays it just gives (some) HMG accreditors a nice warm feeling to be talking with a CLAS consultant...
... I find the CLAS bods to be useful to work with. Not all of them certainly. Definitely not Paranoid Pete or No Opinion Nev. But the rest vary from pretty good to excellent. So this change sounds like a big, big mistake as we will be sent the tea boy/girl in the future at twice the rate.
Hmmm, hasn't the Chinese PM been in town recently...
The changes to HMG IA consultancy are sensible and were really needed, but the CSC scheme has not got up and running (and to be honest the paperwork required to get onto it, which is still not in issue, is far too complex). Now we have a situation where HMG departments and their suppliers simply do not know where to turn.
Having said that, I'm picking up more CLAS consultancy work now than before CESG took me off the list earlier in the year.
I have seen people consult on government IT that I would not trust to operate a cheap calculator without double checking, and it is part of why government IT is so appalling.
CESG should not stop the scheme, but improve the clearance and expertise model.
Certifying companies is frankly a stark raving bonkers idea. There is simply no way you can guarantee the expertise of a company, nor their loyalty - that is a matter that is always going to be person specific. If they really intend to do this for anything above BC level clearance they deserve the problems they are undoubtedly going to have.
I'm surprised only one person has mentioned the CCP scheme, which is the de facto replacement for CLAS and has been in development for quite some time. Certification provided by BCS and others, requires similar proof of experience and independent supporter validation as well as relevant industry certifications/exams. Not sure why the author of the article doesn't detail this more, and only mentions the CCSC which is for companies.
Have a look at http://certifications.bcs.org/category/15865 for more information....
Shame CCP is dying then.
It's too expensive. Too arbitrary. And nobody wants it (or at least, nobody requires you to have it). To be honest, the "ex-CLAS" badge is more useful than a handful of CCPs.
And now CESG is vanishing, I expect CCP to go the same way....