
GUEST COMMENTARY

Endangered species: Information security officers


Andrew Briney, CISSP
09.13.2004




There's a train leaving for Unemploymentville, and a first-class ticket with your name on it. The good news is the train won't be departing for a few years, so you've got time to cancel your reservation.

Over the next five years, you'll see a gradual but unmistakable falloff in the availability of jobs like ISO, CISO, IT security manager and security administrator. In their place you'll see more and more titles like risk officer, application security specialist and security support desk. This change will occur both organically and through executive force. Retiring ISOs won't be replaced with new ISOs; current ISOs will shift some of their responsibilities to the network and systems support staff and be asked to take on new, unfamiliar tasks.

Three trends are driving this change.

  • 1. Security is being baked into the core technical infrastructure. It used to be that all network security functions -- content filtering, access control, AAA, anomaly detection, etc. -- were bolted on to the routing and switching fabric through point solutions managed by specialists. Going forward, the network will accomplish more of these functions by default. Routers and switches will be more intelligent about traffic filtering, logging and authentication. VLANs will be routine for every subnet; ACLs will be shared across edge and core switches and wireless gateways using 802.1X. Network OSes will provide stronger authentication and more scalable user management. Endpoint devices will become less vulnerable and easier to update. And so on.

    In a nutshell, security will become more intuitive, less specialized and more easily managed by the systems, network or data center staff. The title "security administrator" will disappear as security becomes an everyday activity for all IT staff -- just another part of what they do.



  • 2. Security will take the form of an internal consultancy. Of course, not all security operations will be subsumed into the data center. New security technologies will still require the expertise of security specialists. The difference is that these specialists won't reside within the IT department, but rather in a centralized support organization. Like a consultancy, the specialists in this group will bill out their time to IT staff or business units requiring temporary security help -- building a new Web application using SAML, for instance.

    The central office CISO will also become more like a consultant. In companies like the Bank of Montreal and Oracle, the CISO's primary function is to make sure individual lines of business are adhering to uniform security processes in everything they do. The corporate CISO and his or her direct reports have very little involvement in the security operations of IT or the LOBs. Business unit managers, not the corporate CISO, are held accountable for security lapses.



  • 3. Enterprises will view IT risk as just another form of business risk. Many organizations, particularly financial institutions, have already reorganized security under a larger risk management function. A friend of mine works for a bank that recently decided to do away with the CISO title altogether. His title changed from CISO to VP of IT Risk Management. Now, he spends most of his time working on compliance issues like SOX and Basel II. "I went from having the title with no teeth to having lots of teeth but losing the title," he says.

The combination of these trends foretells the demise of traditional security roles and titles. The change will be gradual, but it is inevitable, especially for large organizations. For corporate ISOs, security managers and administrators, now is the time to retool your skill set for the future. The alternative is professional extinction.



  • About the author
    Andrew Briney, CISSP, is editor-in-chief of Information Security magazine and editorial director of the TechTarget Security Media Group.

    Note: This column originally appeared in the September issue of Information Security magazine.

    E-mail any comments on this article to Shawna McAlearney and include your name, title and organization. Letters may be edited for space and clarity.
