The Evolving Information Security Landscape

In today’s environment of common nomenclature such as anti-virus, anti-spyware, phishing scams, and identity theft, it would be understandable that a newcomer to the information security profession would believe that the information security profession as it exists today has always been around. It makes perfect logical sense that organizations would invest heavily to protect their information, right?

While we may wish this was universally the case, we know that the information security profession has evolved from a need to protect sensitive information within the large computers (considered large at the time) utilized by the Department of Defense, especially the Air Force, to today’s environment where information is a key asset within the business environment. William Hugh Murray has done an excellent job in his chapter in the new book on security leadership published by ISC2 entitled “CISO Leadership: Essential Principles for Success”, where he traces the key elements which have shaped today’s information security profession. This column highlights the key points of the evolving career path, which is defined further in the book.

Information Security Must Meet Revolutionized Business

The Internet has revolutionized business by not only making trade easier, but by making markets more efficient. The initial markets were consumer markets such as eBay, PayPal, and Amazon, but today these efficiencies and business or consumer presence are felt in almost every industry and commodity market. The storage costs of information have been dramatically reduced and Moore’s law still holds (cost of computation halves every 18 months and cost of storage halves every year). The Department of Defense was concerned that as more and more computers were used to share information and applications, and more and more information was stored, individuals without the proper clearance might have access to sensitive, classified information. As the cost of computing and storage dropped, there was also an increase in privacy concerns, with more users able to access more information. The threat of this ‘information aggregation’ has been recognized over and over in recent years through legislation. The Final Security Rule established in 2005 under the Health Insurance Portability and Accountability Act (HIPAA) was enacted largely in response to the concern by Congress that, as healthcare transactions were automated and standardized, the privacy of the electronic information needed to be protected.

The Security Career Path Is Evolving

It is interesting that the first 12-16 educational years of our lives appear to be somewhat laid out for us – we go to elementary school and learn basic skills, emerge into middle school with a greater focus on mastering science, math, and foreign language skills, and then on more complex subjects in high school. We make life-defining choices as young adults to pursue our interests through college or the mastery of other skills through on-the-job training. The security profession can be broken down into 5 distinct phases:

In the early years, called phase zero, we are learning, and society foots the bill. We subsequently get jobs and begin to ‘pay back’ to society with the skills learned. Because we are still learning, pay is usually less than the true economic value during this period. A similar phenomenon happens within the security profession itself. The first 3-5 years are spent learning, and while we are contributing to the corporations served, this is still a skill-building period. This first phase, as shown in the table below, is called the ‘dues paying phase.’

Phase             Career Timeline   Activities
0 - Entry         Pre-job           Obtain educational requirements in high school, college
1 - Dues Paying   1-5 years         Skill building, experimentation
2 - Masterwork    5-10 years        Demonstrated competency, leading projects
3 - Establishment 10+ years         Managing projects and individuals in the “dues paying phase”; most of one’s career is spent here
4 - Leadership    15+ years         Vision, initiative, creativity, charisma

The second phase is that of “masterwork”, where the skills have attained maturity and the individual is recognized by their peers as being competent. Here the economic value is increasingly rewarded through promotions into positions of increasing responsibility, such as a lead security analyst or a senior technical position. The individual then enters the “establishment” phase, where they are competent and provide mentorship to others in phase one, the dues paying phase. Most individuals remain in this phase and have successful careers utilizing their knowledge and experience and sharing this with others.

The Chief Information Security Officer (CISO) and Chief Security Officer (CSO) roles have emerged over the past few years and represent the recognition of the leadership role within the executive ranks. These positions are typically filled from within an organization; however, in cases where an organization desires to revitalize a security program, these positions may be filled externally. Higher academic degrees such as an MBA or an MS in Information Technology or Security are usually desired in these roles. While many people reach the establishment phase in their careers, fewer aspire to the leadership positions represented by phase four.

The Future

Careers are a journey, and while the newly minted college graduate with a degree in information assurance may feel that the information security profession is well defined, the reality is that it is quite young as a ‘profession’ and still being refined. There will be bumps and career missteps along the way, as the impact of mergers and acquisitions, outsourcing, loss of contracts, security incidents, economic conditions, and senior leadership changes cannot be predicted with certainty. So, what is the moral of the story? Work hard and continuously grow security and business skills, have passion for the profession, believe in your capabilities, and be content with whatever the current “career phase” is, while identifying and developing skills towards success in the next phase. In the end, our success is defined by the passionate journey we embrace, and not by our destination.

One Comment

  1. Nick Bartosh Apr 25, 2008 at 10:39 am

    The security profession is indeed a young profession. Young enough, in fact, that a number of leading organizations still do not recognize it as an entity unto itself. It is, instead, bundled into the IT infrastructure, where it enjoys a backseat view of the organization. This will continue until organizations begin to realize the value of their data vs. the value of their technology.

One Trackback

  1. By Interesting Links - 04/17/2008 at Infosec Ramblings on November 30, 2008 at 3:12 pm

    […] The Evolving Information Security Landscape | – An interesting read. I particularly like the career path part. […]
