This is the first post in a series on Future Proofing Your Security Job.
As I was writing Monday’s post on 14 Things a Security Organization Should Own, I was thinking about jobs that I previously held. Many of those positions no longer exist having been replaced by a tool or needing less people to do the same job.
My objective in this post and future posts is to thinking about the jobs we have today and what the role and skillset will be like in the future. Additionally, if you are thinking about heading in a particular direction in information security, you should think about the future prospects.
My Career History
The following is an abbreviated walk through a few of the jobs I previously held and how they’ve morphed throughout the years.
System and Network Administrator
My first job was running UNIX systems and a Cisco network. At the time we were buying up companies and I was connecting new offices to the corporate network. The network was frame relay and each office had some sort of infrastructure to make it all work.
Today, that role doesn’t exist. The UNIX systems have been replaced by software as a service applications and other custom cloud offerings. The network itself is now site-to-site VPN connections managed by the vendor.
At the time, I was the lone administrator focused on security. Interestingly, that role never materialized into a full-time role within the company.
If you haven’t read about my decision to become a consultant over working at Playboy, you should jump here first.
When I started as a consultant, I worked on two primary methodologies: Minimum Standard Baselines for different systems and Enterprise Security Assessments. The Minimum Standard Baselines (MSBs for short) were documents which described how to properly secure different operating systems, applications, network devices, etc. in your environment. Within 3 to 5 years of creating these documents for a number of clients, they became readily available on the internet.
The Enterprise Security Assessments role was about reviewing information security organizations for effectiveness. This activity still lives on but instead of being based on a proprietary methodology, they use ISO 27001 and other models to assess against. I actually forgot about this until a recent lunch with an old co-worker who brought it up.
I left and came back to consulting. Upon returning, I was focusing on Identity Management Strategy. As organizations struggled to meet the user and access management objectives from SOX, organizations turned to identity management to get better management of their User IDs. While organizations still struggle to manage IDs, the maturity of tools and processes in the space have reduced the need for enterprise strategies. (A number of companies probably could use a better strategy, by the way.)
Today I focus on Application Security at Cigital. Much like identity management, organizations are still trying to understand how to best approach an overwhelming problem. People need a strategy, process improvement and maturity in the area. The tools are also harder to use, return lots of false positives and are hard to integrate into the environment. Most days, I’m helping organizations build their application security strategies.
In a few years, most people will have their heads around how to fix vulnerabilities in their applications. The tools will be more mature and return more relevant data and they will plug in to the applications most people use.
I already know that — even if I’m at Cigital in 5 years — I’m probably not going to be doing the same thing that I do today. We must constantly adapt.
Next week, I’m going to talk about strategies to make you future proof. The idea that you can adapt to the changing landscape and keep up with security in a meaningful manner.
In the meantime, think about what you do today and whether there are tools, processes or maturity that could reframe your job in a few years. Will you job still exist?