The Future of the Information Security Profession
Experts Weigh in on What Matters Most in Security Organizations
From a traditional, technology-oriented role safeguarding critical information assets, the career is progressing toward integration with the strategic thinking of organizations. Led by President Obama, the U.S. has embraced cybersecurity as a national priority, and as such the nation's businesses, academic institutions and government agencies are focused as never before on information security and assurance. Among the necessary capacities now:
"It's [now] a profession that requires security practitioners to focus on the business need for securing data, understanding security and risk from a business perspective by extensively interacting with the business community in understanding -- what is it they really want?" says Steve Katz, who bears the distinction of having been the world's first Chief Information Security Officer. A prominent figure in the network security discipline since 1985, Katz has served as the senior security executive for Citibank/Citigroup, JP Morgan, and most recently Merrill Lynch - and has been a force in raising the visibility and shaping the direction of the security industry at industry and government levels.
In looking into the future of information security and speaking with experts, as well as examining the soon-to-be-released results of the Information Security Today Career Trends survey, these qualities emerge at the top of the list for information security professionals in 2010:
- Data protection and classification from a business perspective
- The effective integration of information security practices into key business and risk management efforts
- The need for specialization and differentiation
- Proficiency in fraud and forensics investigations
- The need for grounded academic focus and educational program
Each of these five qualities is explored below.
1. Data Protection and Classification
Veterans within the security field say the future of information security lies in effective data protection and classification. "Security practitioners need to understand the business need for securing data, business processes and the way data is handled in business within an organization," says Jennifer Bayuk, former CISO at Bear Stearns & Co., who became an independent consultant after the company was acquired by JPMorgan Chase last year. "Focus needs to be given to the manner in which data is classified, which should reflect what business thinks the data is, and not what security professionals think it should be."
Ultimately, the challenge starts with going back to the fundamentals and addressing questions including:
- Where does critical data lie?
- How should the data be protected?
- How is the data shared?
- What data is leaving the organization?
- Who is accountable for stolen or lost data?
- What's the risk to the business if data is lost, stolen or disclosed?
- What are the regulatory implications of a data breach?
- Who controls the most recent version of the data?
- What expectations are there with respect to how and by whom data can be accessed, handled, stored, transmitted, processed and disposed of?
- How are business partners protecting the data?
Security practitioners going forward will need to invest time and effort in understanding data handling and classification from a business perspective, Bayuk says.
"A business understanding of security is crucial in today's marketplace and goes a long way in making individuals valuable to their organizations."
2. Integration of Information Security Practices into Key Business and Risk Management Efforts
Security practitioners need to understand what exactly they need to protect and why. They need to have a deeper insight into what the acceptable level of risk is for their organization and business, adds Katz. Risk cannot be assessed from a technological point of view alone. There are many factors beyond technology -- market risk, strategy risk, credit risk and finance risk -- all of which have to be taken into account to truly create a risk profile of the organization. The risk management effort, therefore, needs to be in sync with the business needs, encompassing a strategy that is equipped to effectively address business risk within the organization.
In the recent career trends survey, for instance, 73% of respondents indicate that understanding current risk issues and staying on top of the game is one of the critical skills necessary for advancing their information security career.
Security professionals and leaders, therefore, need to understand how risks affect their own particular role and how that fits within the overarching risk management process within the organization.
"Think like a professional to be a professional; if security practitioners do not view information risk management seriously, nobody else will," says Katz.
3. Fraud and Forensics Investigations
The forensics profession today is growing very fast due to the increasing number of cyber crime activities taking place throughout the world. "Forensics is broader in scope than people anticipate," says Keith Barger, Director in KPMG's Forensic practice in Houston, Texas. It involves high-profile investigations, applying tools and methodologies to data analytics, data mining, recovering deleted files, tracing internet activities, intellectual property theft, Foreign Corrupt Practices Act investigations, performing expert witness services and anti-fraud practices.
In the current job market, demand for such experts is increasing in the United States, where many companies are facing real-time cyber crime activities.
4. Specialization and Differentiation
"A vision for the future of information security also leads toward specialization," says John R. Rossi, Professor of Systems Management / Information Assurance, US National Defense University.
Rossi emphasizes the need for security specialization for specific functional disciplines. Pointing to how both the medical and legal professions have grown from basic and generic needs to very specialized fields, where each area today is handled by a specialist, Rossi says that, "If this happens in the security business, we will develop highly specialized experts in securing individual functional areas. This may increase the overall level of protection quality, and such an evolution may be inevitable in the future."
This is clearly a shift from generic skills toward specialized expertise within specific security domains, and that is where the future of the profession will eventually lie, in both government and the private sector.
Differentiation among security professionals is another area that is changing within the security profession. "Security certifications are so well marketed to professionals today that being certified does not exclude or distinguish a security practitioner any longer," says Lee Kushner, President, L.J. Kushner and Associates, LLC, an executive search firm dedicated exclusively to the Information Security industry and its professionals. "There are large groups of certified professionals available in the job market and going forward there will need to be a distinction criterion which will truly differentiate talent."
Differentiation and personal branding require a good combination of three components: "Your experience/qualifications, your public demonstrations, and your network," says Kushner, adding that security professionals will need to give importance to internal branding by thinking about:
- the industry affiliations and groups they want to be associated with;
- the leading-edge conferences they want to attend and participate in;
- the kind of education and training they want to invest in to enhance their overall qualifications.
5. Grounded Academic Focus and Educational Program
Compelled by a driving need for information security and privacy, the National Security Agency (NSA), in cooperation with the Department of Homeland Security (DHS), established National Centers of Academic Excellence in Information Assurance Education (CAE) in 2002. The purpose and vision of the National CAE programs is to reduce the vulnerability of the national information infrastructure by promoting higher education in information assurance and producing a growing number of professionals with Information assurance expertise in various disciplines.
"There were about a dozen CAEs when the program started, and today there are close to 106 academic institutions that are part of the program and approved as CAEs," says Michel E. Kabay, Program Director, MSc in Information Assurance, School of Graduate Studies, Norwich University. "An indication of a growing appreciation within the student community toward serious security education, thereby enabling them to make this commitment."
The career trends survey shows strong emphasis by security professionals toward academic studies: 23% of respondents say a graduate degree is now the minimum requirement for entering the information security profession, and 42% of respondents indicate they will seek academic training in 2010.
Today, information security education prepares students to have an integrated and multi-disciplinary perspective on information assurance, keeping both the business side and technology in mind. Security students are learning to build conceptual frameworks and models with differing perspectives on information security and with a set of ethical decision-making principles for deciding how best to implement information assurance in various environments.
"The best schools, including Norwich, are helping our students learn how to learn: to be adaptable, flexible, life-long learners who will serve their employers well by analyzing ever-changing technological and business circumstances and articulating the implications for security policy and technology," says Kabay.
Or as Rossi says, in the context of the information security profession's evolution, "Evolve or become history, left behind."