How is the Security Profession Doing?
I spoke on a CIISEC panel a few months ago about the state of the information security profession. This post is based on remarks I made there.
How is the profession doing?
First of all, let’s look at the dictionary definition of profession:
Humor aside about the similarities of much of information security to an avowed religious faith, I think it is fair to say that the criteria of a profession being something that requires specialized knowledge and a whole body of persons engaged in a calling could be fairly applied to information security. However, despite the great efforts of many associations and professional organizations, it's hard to describe us all as being involved in a profession in the same sense we regard the professional domains of lawyers, doctors, accountants, and many branches of engineering. Our field is relatively young so this state might be expected. But, if we were to strictly define the information security profession as a discipline that bridges science and practice, upholds standards of professional expertise and determines minimum codes of conduct then I think we have much work to do.
Information security is a collection of practices, associations, sub-fields and a loose body of evolving knowledge. There are many interconnections to other fields, from mathematics, computer science and engineering to various social sciences like economics and psychology. Despite some massive effort and momentum, a lot of which has been very positive, progress is still slow in unifying the various sub-fields into a profession.
However, there are many positive changes as security has become self-evidently critical in the past decade or more, such as the increased embedding of security and controls into platforms and services. There is increasing focus from other engineering disciplines, not least software development, infrastructure engineering and operations, in the field of security and controls engineering. In some cases this focus is being driven by groups not classically affiliated with the information security profession. This is not a bad thing: we’ve always said security is everyone’s responsibility so we should be pleased when people take that to heart.
Where do we go from here? What are the likely trends going forward?
As we continue to digitize our lives, businesses and societies we will have progressively more need for secure and resilient systems. We absolutely need a coherent professional structure that organizes the body of knowledge in the information security field. Before thinking about the right model of the profession it is worth re-examining what success might look like.
Specifically, our goals are to create secure products not just security products, to create ambient control and invisible security where security is baked-in not added on and where we don’t just strive for automation but get closer to autonomic operations. To achieve this we can't be a walled-off profession with gates to control entry. Rather, all of these laudable goals require embedding practices and expertise into other areas. So this might signal a shift that a more codified information security profession is about three things:
1. Relentlessly giving up sole ownership and embedding discipline and objectives into other areas.
2. Amplifying architectural (including a systems view of the world) objectives and independent risk management practices to ensure a holistic view of information security/risk management.
3. Acting as a tremendously strong bridge between science and practice: encoding science into practice and stimulating research into areas where practice is weak.
To this end, the goal of the information security profession should be more like how we structure the medical profession rather than, say, accounting or other more homogeneous fields. The more I think about what we collectively need to do the more I like this medical analogy because medicine operates as a multi-disciplinary field of practitioners, scientists, manufacturers, standards bodies, regulators and public health professionals. The medical field’s roles are a lot broader than doctors and not everyone who enters the profession to make a difference in people's lives aspires to be a doctor. The medical profession (not to debate here about the macro-economic structure of various countries' health systems) is generally meshed together reasonably well.
What should people starting their career in information security be thinking about?
Shifting gears now to some advice for career development in the profession we have today. Generally, for most information security roles, you need to have engineering skills or at least an engineering mind-set. This doesn’t mean you have to be a coder to be successful, nor does it mean there aren’t vital roles at all levels that are non-technical. We have, in many respects, come full circle. When I started in information security (decades ago) you had to be an engineer and build things because there weren't many products or services to buy. Now in many roles, you have to be an engineer because you have to automate, glue things together and actually contribute as a peer with your colleagues in development, infrastructure or operations. This is especially true as more of our environments are declaratively managed in a so-called "controls as code" way.
Now this doesn't mean that we should think of information security as purely an engineering-centric activity. Clearly, it's not. It is very much a business/mission problem intertwined with many other disciplines associated with human factors, risk, and other dynamics. But just as, say, a financial risk manager needs to know the nuts and bolts of accounting and financial practices, an information security practitioner needs to know technology to a certain level.
There are many other skills that information security professionals need to develop outside of the core body of knowledge of security and a general (in some areas deep) appreciation of many parts of technology. These include maintaining a healthy curiosity about how organizations work, how their systems hang together, the incentives and leadership processes of the organization [how to get things done] and a broad ability to develop and utilize relationships to partner across the organization to manage risk. All of these skills can and should be apprenticed from the entry level up.
Are we doing enough to create/train enough cybersecurity professionals?
We are doing more and more but it will likely never be enough if we just focus on this. We now have many training programs, certification frameworks, degree or advanced degree programs. This is a marked difference from even just two decades ago when most people stumbled into the field from adjacent disciplines, or like me, were software engineers that happened to work on security functionality in systems and then gradually did more of the security and less of the general software engineering. No matter how well we do here we will never be able to match the supply and demand needs by just focusing on the supply-side.
We need to train more cybersecurity professionals but just as importantly we need to 10X the productivity of the people we already have. Productivity is not just about automation and tool improvements, it's about the whole spectrum of process design. If done well this can also have tremendous career path and training benefits by having more realistic entry level positions and an apprenticeship approach which in turn will increase the number of people in information security. We also have to make more effort on identifying the cyber talent we already have and completing their cross-training. In my experience, development, infrastructure, operations, help and support desks, and business units have some of the best latent talent for many organizations. Finally, and this is one of the most important points, we have to keep developing a culture of diversity in all its forms. Diversity is an essential prerequisite to avoid group-think, to be able to fully represent our communities of users and customers and to be able to call upon a deeper and broader pool of talent. Diversity is therefore a core part of effective risk management and a lack of diversity is an increasingly strong anti-pattern for organizations that might be building up potential for surprising risk events.
Are we educating government, business and IT leaders enough?
Leaders need to think of this as a business/mission systems and process problem and not just sporadically express tone at the top and add some budget. There needs to be a relentlessness in approach to use the tone at the top, to drive the buzz at the bottom and to overcome the muddle in the middle of priorities. There's no one magic fix. Rather it's a sequence of specific activities that drive and sustain cultural change. For example, imagine if the Chair of the Board and/or CEO in every business presentation asked the line of business leaders to talk about their security strategy and what adjacent benefits that brings as part of each business product review or proposal - without having the CISO be the person that does that. Such action from above can create systems-wide effects, in this example, because it will create two dynamics, first, that the business leader will engage the CISO (or Business Unit “CISO”) in preparation for the presentation and, second, that the search for adjacent benefits will shift the mindset of the business leader from defense to offense in how security can be used as an actual enabler of business or mission.
How should we think about information security vs other technology or business risks?
I don't have a well-curated data set about this, but my experience of working with or advising 100's of major global organizations over decades has made me conclude that the major technology risks in order of impact and cost are:
1. Failed projects or extensive strategic opportunity cost from failure to move quickly enough in modernizing / digitizing IT and businesses
2. Outages associated with failed software or hardware driven by changes or otherwise
3. Inability to handle major resiliency events from weather, seismic, conflict to pandemic disease
4. Information / cybersecurity events
Information security/cyber events are, of course, immensely significant because unlike some of the other risks they can be an existential threat and so this ranking might not capture the true risk. But, if we keep on with the hyperbole of information security being the only major risk then we not only fail to manage our actual portfolio of risks, but more importantly we miss the opportunity that comes from using the mitigation of those other risks to drive even more powerful mitigation of cybersecurity risks. For example, consider reengineering your software pipeline to produce higher quality, more systematically tested software with the ability to push and roll back change seamlessly multiple times a day. This not only improves business agility and reliability but is a path to 10X'ing your software security program.
We need more work to create a more integrated profession. If there were four signals of success that would indicate progress they would be:
1. There exists one or more professional associations that provide a two-way bridge between science and practitioners such that more practitioners are able to apply research quickly. There is emerging private work like this and this as well as fine public-sector work like the NSA Science of Security program.
2. There is a reasonably well accepted taxonomy of roles that includes experience hierarchies to create more entry-level positions in all sub-disciplines with an apprenticeship culture to eliminate unnecessary "gates" and promote development of all types of people.
3. There is an accreditation framework to provide various degrees of required qualification / professional accreditation to certain (not all) roles. I don’t think it’s necessary for all security activities to be conducted by “accredited” individuals but for certain domains (e.g. safety critical) and certain roles a minimum bar of professional qualification and conduct is important. For example, I feel more qualified because of my Chartered Engineer designation and all it entailed to get that and sustain it than I do from my CISM.
4. There is an international coalition of professional associations to create a necessary amalgam of activities to achieve items 1 to 3 on this list, and perhaps even a consolidation of those associations into fewer and better structures to drive forward the profession.
Bottom line: it’s hard to conclude we are operating in a well-ordered profession today. We are largely a collection of disconnected sub-professions in a wider field without a coherent structure. There are efforts to bring this together (like CIISEC) but even that has not had enough time and momentum to effect the necessary impact yet. If I were to posit an approach it would be for the profession to be more like the medical profession rather than a narrow domain like accounting. There is much work to be done.