As information security becomes increasingly operationalized, will security specialists still be needed?
I field an awful lot of questions along the lines of, "Who should the information security staff report to?" A more apropos question would be, "Should there even be an information security function?" Those who have just finished multi-year struggles to break into the interesting field of infosecurity aren't keen to hear that they might soon become obsolete.
In the early '90s, the burgeoning Internet attracted not only some pretty interesting new Web technologies, but also a growing number of businesses and hackers. Given the embryonic state of network security knowledge, and the almost nonexistent market for protective products, it was natural that security would become a specialty area. Corporate infosecurity pioneers spent a lot of time cobbling together firewalls from scratch or poorly documented kits. Although it took relatively less raw skill, cleaning viruses off of hard drives and floppy diskettes was the second biggest security time sink. Security was a time-consuming, hands-on function that emphasized personal knowledge.
Protecting the enterprise from Internet attacks and the workstation from hostile code remain important tasks. What has changed is the relative level of security knowledge that is necessary.
Firewalls are no longer a do-it-yourself project--they are appliances. The biggest challenge with hostile code is ensuring that the protective software is rolled out to every system and kept updated. Both technologies have been subject to an ongoing process of operationalization. They are not so much security challenges now as efficiency challenges--an inevitable evolution as market forces continually encourage simpler administration.
Security doesn't represent a productivity improvement, and, as such, the expectation is that it will constantly be working toward its own obsolescence. And, this dynamic is not unique to security--Gartner has suggested that the IT department itself may someday become redundant.
The point is not that machines are going to take over the world and run it without our help, but that non-core functions need to continually improve their efficiency. If they don't represent an obvious competitive advantage, the pressure will be on to buy a service from the most efficient provider. The corporation no longer has any reason to make its own firewalls from scratch, and the arguments for outsourcing firewall management are compelling.
Such a rapidly changing environment has several implications for those who choose to make their career within it, but stability is not one of them. Security specialists need to be constantly looking for ways in which their knowledge can be captured and bottled up. As infosecurity eventually finds its true purpose, the concept of success will be increasingly understood as the creation of processes and technologies that can function autonomously. Dependence on the personal attention of a specific individual is a symptom of organizational immaturity and will increasingly be recognized as such. Ironically, the most useful security people are those who constantly find new ways to make themselves obsolete.
Infosecurity is a profession for the agile--those who realize that success means growing themselves into obsolescence--not the complacent hanging on to a shrinking opportunity. Your job is not to defend your turf, but to give it away.