Published: 13 Sep 2004
There's a train leaving for Unemploymentville, and a first-class ticket with your name on it. The good news is the train won't be departing for a few years, so you've got time to cancel your reservation.
Over the next five years, you'll see a gradual but unmistakable falloff in the availability of jobs like ISO, CISO, IT security manager and security administrator. In their place you'll see more and more titles like risk officer, application security specialist and security support desk. This change will occur both organically and through executive force. Retiring ISOs won't be replaced with new ISOs; current ISOs will shift some of their responsibilities to the network and systems support staff and be asked to take on new, unfamiliar tasks.
Three trends are driving this change.
1. Security is being baked into the core technical infrastructure. It used to be that all network security functions -- content filtering, access control, AAA, anomaly detection, etc. -- were bolted on to the routing and switching fabric through point solutions managed by specialists. Going forward, the network will accomplish more of these functions by default. Routers and switches will be more intelligent about traffic filtering, logging and authentication. VLANs will be routine for every subnet; ACLs will be shared across edge and core switches and wireless gateways using 802.1X. Network OSes will provide stronger authentication and more scalable user management. Endpoint devices will become less vulnerable and easier to update. And so on.
In a nutshell, security will become more intuitive, less specialized and more easily managed by the systems, network or data center staff. The title "security administrator" will disappear as security becomes an everyday activity for all IT staff -- just another part of what they do.
2. Security will take the form of an internal consultancy. Of course, not all security operations will be subsumed into the data center. New security technologies will still require the expertise of security specialists. The difference is that these specialists won't reside within the IT department, but rather in a centralized support organization. Like a consultancy, the specialists in this group will bill out their time to IT staff or business units requiring temporary security help -- building a new Web application using SAML, for instance.
The central office CISO will also become more like a consultant. In companies like the Bank of Montreal and Oracle, the CISO's primary function is to make sure individual lines of business are adhering to uniform security processes in everything they do. The corporate CISO and his or her direct reports have very little involvement in the security operations of IT or the LOBs. Business unit managers, not the corporate CISO, are held accountable for security lapses.
3. Enterprises will view IT risk as just another form of business risk. Many organizations, particularly financial institutions, have already reorganized security under a larger risk management function. A friend of mine works for a bank that recently decided to do away with the CISO title altogether. His title changed from CISO to VP of IT Risk Management. Now, he spends most of his time working on compliance issues like SOX and Basel II. "I went from having the title with no teeth to having lots of teeth but losing the title," he says.
The combination of these information security career trends foretells the demise of traditional security roles and titles. The change will be gradual, but it is inevitable, especially for large organizations. For corporate ISOs, security managers and administrators, now is the time to retool your skill set for the future. The alternative is professional extinction.
Andrew Briney, CISSP, is editor-in-chief of Information Security magazine and editorial director of the TechTarget Security Media Group.
Note: This column originally appeared in the September issue of Information Security magazine.