
The evolution of the information security specialist

The role of the information security specialist is changing. Expert Jay Heiser explains why -- and how to adapt.

Yesterday's network security architecture doesn't cut it anymore. Firewalls aren't obsolete, but clearly the moat-and-drawbridge approach to Internet defense is less effective than it used to be. Defenses are changing and evolving to meet the new vulnerabilities, threats and operational realities of enterprises.

The same can be said of information security specialists -- those of us who are highly trained in the mysterious art of enterprise protection. Our once-specialized tasks are being shifted to mainstream IT admins, not through a cycle of obsolescence but through an evolution of form and function.

The security practitioner isn't necessarily going the way of the dodo bird. We're surfacing to take on emerging threats and problems: securing Web services and pleasing regulators. At the same time, the operational necessities of contemporary enterprises are forcing admins -- and even users -- to take on greater security roles. Today's WAN has so many doors that we can no longer expect to have a security specialist standing guard at each one.

But, how do you maintain an acceptable level of risk in the face of a rapidly changing environment?

To advance the infosecurity profession, we must continue to obsolesce ourselves in productive ways. We do this whenever we package our knowledge so nonspecialists can effectively apply it themselves. We've already done this with firewalls, AV and access control, and some of today's most interesting product developments are taking SIMs, network management tools and IDSes/IPSes in the same direction.

This pattern of steadily increasing reliability is common in technology. Cars were so unreliable in the 1920s that drivers had to be their own mechanics. Today, cars can easily go for several years with virtually no specialized service. Likewise, it's now easy to provision a secure Internet connection without having a firewall specialist on staff. Increasingly capable security software, appliances and managed security services are offering expert-level security knowledge at commodity prices.

These successes will lift some of the daily operational burden off of our shoulders, which isn't necessarily bad news. The evolving nature of technology always offers new opportunities. Instead of wasting time addressing solved problems, we should pay attention to the new problems brought about by greater levels of connectivity and portability, such as developing reporting processes that give a useful picture of our organizations' risk profiles. Managing a firewall is relatively trivial compared to 10 years ago, but fine-tuning an IPS for near-zero-day attacks is an entirely different proposition that, for now, requires specialized attention.

The maturity of our profession won't be measured in terms of how we recovered from attacks or reduced vulnerabilities. Our success will be measured by how well we enable the nonspecialists to deal with threats on their own. Rather than giving them the proverbial fish, we will succeed by teaching them to fish.

About the author:
Jay G. Heiser is a London-based VP and research director at Gartner Research.

This was last published in November 2004