Security practitioners must keep up with changing roles
Frederick Scholl April 30, 2019
Frederick Scholl April 30, 2019
While data confidentiality was the highest priority over the past decade, newer responsibilities highlight data integrity and data availability. In addition, practitioners must increasingly venture outside the traditional tech silo and interface more closely with the business.
Newer job descriptions reflect this need. Some of these job descriptions will show up in print; others will be unspoken but discovered in face-to-face interviews.
There is no hard and fast roadmap to prepare for these new responsibilities and opportunities. Figuring out what is going on is like the fable of the five blind men and the elephant.
In this post I will present evidence of changing roles from three sources: former Facebook CSO Alex Stamos, current job descriptions from Indeed.com and a recent analyst report from Gartner. In fact, organizations change very slowly, so my comments are a guide for future security positions.
But I have no doubt these roles and responsibilities will materialize.
Stamos’s 2017 Black Hat talk is still one of the best overviews of where the profession needs to go.1 He highlights that the profession overall hasn’t lived up to its potential. Why?
Too much focus on technical problems instead of human harm from vulnerabilities.
Every technology person needs a healthy understanding of risk management.
Secondly, instead of exclusive reliance on traditional security roles Stamos wants more focus on defending against “Abuse”, the technically correct but malicious use of technology. Most security professionals are focused on misconfigured technology that allows “bad guys” in.
Third, Stamos asks for security professionals to develop more empathy for users. They are not the weak link but are our customers. Security nihilism must be abandoned.
Finally, he argues that security professionals must be more effective in engaging the world. In this case, “the world” consists of everyone outside the security profession: developers, business users, outside customers and so on.
These aspirations represent qualities that anyone can acquire, given focus and observation. Start your journey by listening to his presentation.
I use Indeed to follow cybersecurity job trends in the trenches.
The NICE Cybersecurity Workforce Framework 2 has attempted to structure cybersecurity jobs and skills into discrete buckets. The Framework describes 32 Specialty Areas of cybersecurity work, including things like Test and Evaluation and Systems Development.
These are primarily focused on activities within the security technology silo itself. I wanted to look for some current job descriptions that might address Stamos’s suggestion to “engage the world”. So, I searched on “Business Information Security”.
This role isn’t found in the NICE framework. Here are some of the newer roles I found:
These eight roles all require strong technical backgrounds, but also require much more interaction with business units than before.
Market analyst firm Gartner also has defined new security roles based on its interactions with clients. Their recent research considers the pervasive application of technology and the types of security professionals that will be needed to protect this technology.3
They find that traditional cybersecurity teams are not prepared to address risks that new digital business initiatives introduce. As such, roles, staffing frameworks, competencies and skills all must be revised to manage new risks.
According to Gartner, 30% of businesses will add at least two new security roles within the next two years. Some of the possible roles they highlight are:
Other roles identified in the report include: security audit manager, threat hunting/modeler, vanguard security architect (full stack) and security marketer.
That’s my view of the career elephant, as of April 2019. The only missing element is your point of view. Start there, consider the research I have suggested and take your first steps in the direction that seems best for you.
Quinnipiac Today is your source for what's happening throughout #BobcatNation. Sign up for our weekly email newsletter to be among the first to know about news, events and members of our Bobcat family who are making a positive difference in our world.Sign Up Now