Some Security Things Never Change

There is a myth surrounding the Information Security Profession that all practitioners willingly buy into: that the profession is constantly changing; that no day is ever the same; that you have to be smart and agile to keep up. It’s a nice myth, and makes us all feel good as we run around like the proverbial chicken without a head — but I’m sorry to tell you that it really isn’t true.

When a bunch of Security Pros get together for a bit of group therapy, we all talk about the same stuff — over and over and over again. It doesn’t matter what industry we work in, or how long we’ve been doing this work, or what country we work in. It’s the Same. Stuff.

Some Examples:

Security Pros talk a lot about the best way to get Senior Leadership buy-in for the things we are trying to do. Less kindly, we talk about how we can help Senior Leadership “get it”. They’re smart, and often want to do the right thing — but they have no idea how to evaluate information security risks, activities and threats against everything else going on in their environment. They mostly didn’t grow up, professionally speaking, thinking about cyber stuff (some didn’t grow up with computers at all), and they’re not about to start now. Our Executive MBA programs don’t talk about this stuff either — so future generations of Senior Leadership will likely be in the same boat, leaky as it is. This won’t change anytime soon.

Not only will vendors continue to spam our communication channels without regard to our sanity, they will also continue to sell their product like it’s a religious awakening. Theirs will be the product to end all products. Theirs will be the single pane of glass that we absolutely must add to the 25 other single panes of glass we already have. Theirs will be the product that can replace most other products in which we’ve already invested. Theirs will be the one bringing petabytes of sourced, important data to our screens, to be consumed automagically by someone. Security products and services continue to be a multi-billion dollar industry, still immature and misunderstood by the financial angels funding these products. This state of affairs won’t change any time soon either.

We don’t have enough security staff. We don’t have enough diversity in our workforce. We don’t have unicorns who can know all the old stuff as well as know all the new stuff. There is nothing new about this. The security industry has been under-resourced since before it was an industry. The lack of diversity is a reflection of societal norms (as long as new parents see the need for gender-reveal parties we will continue to lack gender diversity in tech) which won’t change any time soon. As long as educators think training someone to code will help them prepare for a career in security, this won’t change any time soon. As long as HR and recruiting professionals treat security as just another technology job, and peg career training and salaries to this assumption, this won’t change anytime soon.

We have too many regulations that don’t have anything to do with the way information security management actually works. We have lawmakers proposing legislation without understanding the space, who think that by talking to the CEO of a social media company, or the Security PhD from a name-brand university, that they will get all the input they need to make useful regulations. As a result, we have regulations based on data type, based on geography, based on privacy principles. We don’t have regulations based on ethics, based on contextual risk management decision making, based on the fact that information is valuable and is a free-market commodity to be bought and sold to the highest bidder. Given the disheveled state of politics globally, this won’t change anytime soon.

So, what’s a self-respecting Security Pro meant to do with this unchanging sea of inefficiency and frustration?

In short, get out now. Certainly an option to consider — but for most security pros I would suspect that this is probably the last thing to consider. People never enter this industry because they think it will be easy. No, they embrace the challenge of climbing the mountain, even if they never get to see the summit.

Some security pros who are at the peak of their career might think it a good time to “retire” — to move into something a little less stressful. The reality is, if you care enough about Security to be in the industry in the first place, you’re not likely to go far enough away from it to leave the stress behind. Which brings us to the second option:

I’m starting to see this already. General security practitioners are leaving their typical day job to focus on just one thing. New companies dedicated to workforce development, non-profits working on regulatory reform, companies providing board training on cyber security for executives. These are all terrific, and I applaud everyone involved in these endeavors — they’re certainly needed.

Someone needs to remain to carry on the operational work of protecting a company or institution. So, what does that leave?

Just keep doing what you’re doing. Continue to invest time in Risk Management frameworks to help executives make good decisions. Keep investing in Internships and other workforce development activities. Build partnerships with your lawyers and lobbyists, to help you navigate the compliance of information security. Let your phone roll directly to voicemail to avoid the vendor deluge of calls.

This, I think, is where most security pros are today. Tolerating these issues as a minor annoyance while they get on with the business of protecting their assets.

It’s a nice thought, but sooner or later you’re going to have to acknowledge that no matter how hard you try, you’re limited by the 800-lb gorilla of dysfunction that is the Security Industry. So what is left?

Quit whining about it (note to self…) and acknowledge that these unchanging, challenging things are part of the job. This doesn’t mean to ignore/accept them. To the contrary, it means that you have to embrace and work with these factors.

There’s a lot of vendors? Great. Make them compete. Use the glut of providers to enable and enhance the skills of your team, to be an extension of your workforce. Automate where you can, negotiate where you cannot.

Need to work with your executives? Great. Make it part of your day job to spend time with them, educating them about security while you get educated about their job. Enjoy the relationship. Consider it part of your professional development plan.

Need more skilled staff? Collaborate with non-security teams across your organization, even the completely non-technical ones. Find people who are curious, and train them up. Allow job-sharing, job-shadowing, and on-the-job training.

Tired of the regulations? Set your security strategy to achieve the highest common denominator, not the lowest. Stop spending time on the exceptions, and start spending time on the common. Get to know your federal representatives. Let them know you are available as a resource to help them navigate the emerging tidal wave of legislative proposals.

Embracing these things means letting go of other things, like being the technical SME in the room. It means allowing others to make risk decisions about security, even if you disagree. It means presenting yourself as an industry leader, not just as a company leader.

To stay a security professional, in light of the never-changing nature of the industry, requires that you change. Change your focus, your skill set, your communication style. Change your security strategy, your short- and long-term career path, and your coaches/mentors.

If you don’t want to change, you will likely need to change anyway, because the runway for you to remain successful is growing short. Sooner rather than later you’ll need to decide what your next steps are — to embrace the nature of the industry and stay, or go.

Are you ready?

Cyber Security, Technology Ethics, and Humanity. What else? I can be found on Twitter @CisoHelen