Blog

Another Inflection Point

By David Mortman

Rich Mogull recently posted a great stream of consciousness piece about how we are at an inflection point in information security. He covers how cloud and mobility are having, and will continue to have, a huge impact on how we practice security. Rich mentions four main areas of impact:

  • Hyper-segregation
  • Incident response
  • Active defense
  • Closing the action loop

The post is short but very very dense. Read it a couple times, even – there’s a lot there.

I would add another consequence of these changes that has already begun and will continue to manifest over the next five to ten years. That is the operationalization of security. This is partially because security is increasingly becoming a feature rather than a product itself. Over time we will see more and more of today’s dedicated security jobs evolving into responsibilities of other roles. We already see this with patch and AV management, which are increasingly owned by the Operations rather than Security teams. Similarly, we will see development and QA picking up functions that previously belonged to security folks. Dedicated security folks will still exist, but they will fall into a much smaller set of roles, including:

  • Advisors/subject matter experts – architects and CISOs
  • Penetration testers
  • Incident responders

And in the case of the latter two, they will increasingly be experts brought in to handle issues beyond the capabilities of regular teams, or to satisfy requirements for third-party assessment. In many ways this will be a return to how security was in the mid-90s. Yet another example of Hoff’s Hamster Sine Wave of Pain….

h/t to Gene Kim for feedback as I wrote this post.

No Related Posts
Comments

Agreed. We have done this and it is working. Two of our NOC engineers have MS degrees in Information Assurance and another comes from a military info sec background. They are network and operations staff but they get security and do a great job with patching, FWs and IDS etc. A bigger hurdle is the SDLC but that is in process where we intend to interject vulnerability scanning into the QA / release process. Security is everyone’s responsibility and it is definitely the way to go but it often leaves me with sane predictable days (and less interesting).  The CISO level role is also going to have to adjust – depending on the org it may not be hyperactive or needed full time in the weeds once the new model is in place. I am navigating those waters now – wish me luck.

By ET


This is very true.  We are seeing this trend in many of our customers.  They are pushing the tactical operations tasks to other groups.  We have several customers that want their staff to learn how to pen test the right way, and the need for some level of IR/forensics capability in-house is on many customers’ wish-lists.  The security teams moving towards a more advisory position within their organization definitely have more job satisfaction and are a more valued part of the business.

Great post.

By Jeff LoSapio


David,

Right on. I’d argue that this is a very good thing. Very few people I’ve met in the security field enjoy or even tolerate repetitive tasks, but in order to operationalize security at scale everything needs to be an infinitely repeatable task, with very little room for imagination.

Distilling everything possible to checklists and handing it off to operational experts is better for everyone. This frees-up the dynamic thinkers to tackle other big problems, and it makes sure that what we’ve already learned is being carried out in the least astonishing way possible.

By chort


I’ve been saying this for a long time. Security as a standalone discipline just doesn’t make sense for a lot of roles. 75% of security people today will either move to more risk advisory roles, handle the “specialist” security ops roles, or become ops people themselves. Many will also transition to work within service provider environments, I think - IT is not a core competency for most organizations, and people, along with IT assets, will move to outsourced providers. Not today, not tomorrow, but somewhere down the road.

By Shack


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.