A Dynamic Decade
Information security has matured as a profession in a mere 10 years, despite waging an endless game of catch-up with threats, legislation and the demands of business.
Where to begin? Well, at the start of Information Security's journey in December 1997, there wasn't a security profession. At least not as we understand it today. The chief information security officer was a notion whose time had not yet arrived. Compliance wasn't the bane of corporate security's existence, and macro worms were, well, around.
"The most obvious thing is that 10 years ago, there was no profession," says AT&T senior vice president and chief security officer Ed Amoroso, a veteran of the industry who in his early days at Bell Labs was immersed in a think tank surrounded by UNIX giants Dennis Ritchie and Ken Thompson. "You could be a techie, but there were no CISOs, no senior executives in a company. Now it would be almost impossible to find a large or medium-sized company or government agency that did not have a management-level security staff."
The emergence of the Internet as a ubiquitous business medium touched every facet of IT, and caused the growth of information security as a profession. Guardians like Amoroso and his peers in the enterprise had to learn a whole new lexicon between 1997 and today, and transform the way they looked at their jobs. As more business moved online, it became less of an imperative to protect networks and individual systems, and more about aligning what they do with overall business goals. Risk management became more than a term used by liability companies and financial professionals. Security pros were forced to think in these terms, and build programs to address what has become an organized criminal element targeting not only customer data, but invaluable intellectual property as part of sophisticated corporate espionage. Nations are also suspected of using computers to attack one another, not causing bloodshed but stealing secrets and threatening critical infrastructure.
"We have gone from a lot of malicious, exploratory, vandalism types of hacking to the realm where there is significant economic activity," says luminary Gene Spafford, founder of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
This was first published in January 2008