When will the work of Information Security Specialists be done?

<Gaze into crystal ball>

As long as there's something worth stealing there will be those attempting to circumvent whatever protection is in place. How much protection is required and which controls are most appropriate is often a difficult call. Organisations with high-value assets often employ Information Security Specialists to assist them in making decisions in this area.

Many years ago a famous bank robber was arrested and, when asked "why do you rob banks?", he replied "because that's where the money is".

Think about "where the money is" in your information infrastructure. If you work for a large organisation then corporate governance and regulation (both internal and external) should mean that you have a good starting point in answering this question.

As operating system platforms evolve to be inherently more secure than previous versions, we need to pay serious attention to the applications that provide interfaces to the outside world and also to those that process information. Clearly there will continue to be vulnerabilities in operating systems, and hence we can't let our guard down, but their frequency and severity should reduce.

Systems get ever more complicated as does the wealth of information security controls provided in operating systems and applications. There are ever more security products out there claiming to keep your information safe.

Many Information Security Specialists cling to the idea of preventing things from happening - stopping this attack, stopping that attack, restricting access here and there. The role of the security specialist is changing - it requires a comprehensive understanding of how the business works and where technology fits as an enabler.

Amongst the numerous definitions for the word "security", dictionary.com includes the term "well-founded confidence". I like this term as it describes an important part of the role. Whilst the technical aspects of information technology remain complex and obscure, there will be a requirement for someone - the Information Security Specialist - to make sense of both the threats and the mitigating controls.

How can your "confidence" be "well-founded" unless you understand the threat landscape, know which risks are acceptable, and know how to mitigate those that you (or your organisation) are uncomfortable with?

The thing about software is that however well you build it, people find ways to break it. Keeping up with the best way to configure systems to mitigate the current threats is an ongoing task. Many vulnerabilities are in the configuration of software rather than in the code itself. The needs of the business change over time, as do the associated risks and threats. I think there will be a need for specialists for quite some time to come, though their role will become that of an advisor working across the business rather than an implementer. The brief of the specialist will incorporate the needs of effective processes, people awareness, communication and technology adoption.

If the value of your information assets doesn't warrant the employment of your own specialist, then I'm sure the market will provide plenty of service providers who will fill the gap.

</Gaze into crystal ball>