Mike Rothman has a nice post today:
Great, 2.7 million people that have no idea what's going on So what? - It must be good to be the ISC2 nowadays. If you believe the survey they commissioned Frost and Sullivan to do, there will be 2.7 million security professionals by 2012. The survey also goes into a bunch of skills these security professionals need. Amazingly enough getting a CISSP is top of the list. I'm kidding.
Mike's post references this Dark Reading article called Market's Message to Security Pros: Adapt or Die. I agree with the sentiment; in fact, I wrote a post almost three years ago called Message to Security: Evolve or Die:
I think the answer, instead, is for security to operate like a software development team. Develop approaches that allow for rapid prototyping and deployment of ideas, and be able to replace outdated concepts quickly.
Say what you will about software developers (and security people love to throw stones at developers), but they are good at delivering. Maybe it's time to start learning from what they do.
OK, now back to Mike Rothman:
I think there will be 0 security professionals in 2012. That's right, ZERO. I think there will be network folks that specialize in security, and also some data center folks and even more application folks that are security specialists. OK, these are word games and a bit of semantics, but I think it's an important point. If anyone thinks their only job is going to be security in 4 years, I suspect they'll end up as a petroleum product sooner rather than later. OK, maybe not 2012, but I'm with most of the big mouth security pundits in saying security as a business will be going away within a reasonable long term planning horizon (7-10 years). So start practicing, "I do secure networks." Not "I do network security." There is a big difference.
I could not agree more with "secure networks" instead of "network security"! This distinction is absolutely huge. I agree with Mike's conclusion, but I think it is more of a best case than a realistic end game. I think there will still be a place for infosec; it is just that a lot of the lower-level problems should be removed (in the best case) by people taking the initiative and doing their job.
Another reason I like this approach is that it is asset-centric, not threat-centric; as Butler Lampson says, "all trust is local." Software security does not succeed without developer buy-in, and database security does not succeed without DBA buy-in. As Ian Grigg says, "It's your job. Do it.... Get comfortable with having to learn yet another discipline... You need to be an adept in many more aspects."
I think security is likely to still have a role, perhaps in addressing cross-cutting concerns, but the hopeful best case is "I build secure networks, I build secure apps, I run secure databases." Maybe the role of infosec evolves into something closer to what Robert Garigue referenced as the Charlemagne: the ability to teach and lead across disciplines. The closer to Rothman's zero we get, the better off we'll be.