Written by: Joseph Salazar, Technical Marketing Engineer
Last year, Attivo Networks published a blog on “Things Cybersecurity Professionals can be Grateful for in 2018.” This year, I wanted to share a more personal view.
As a long-time (and long-suffering) Information Security professional, I’ve often looked at where the Information Security industry is now and where it used to be when I started my career. In many ways, it was a less complicated time before Y2K when a good firewall, antivirus, and IPS could keep an organization feeling confident about their security. Alas, the days of “prevent everything to protect everything” are long gone.
Today’s security landscape leaves very little that one can call “uncomplicated.” Information security now involves a multilayered strategy that covers identification, protection, detection, response, and recovery. The adversary is much more resourceful, cunning, and persistent. The industry has gone from castles and moats to unconventional warfare. With the challenges our industry is facing, it can be easy to be pessimistic and ignore the positives, but they are there if one looks. That said, here are the things I find to be thankful for this season:
Job opportunities in information security are everywhere. There is a personnel shortfall in the security industry, and organizations will always need information security personnel. Anyone with an investigation, analysis, technology background, or a willingness to learn can work in the industry. The skills are transferable, and only the focus changes. For those with software engineering backgrounds, it’s not about making something work, but about securing it. It’s analyzing data to identify a security issue, or investigating a security incident instead of a physical crime. It’s a career that has nearly unlimited growth potential, and one that allows people to learn and use many varied skills to carve out a unique niche that meets their individual needs. Yes, the job can be stressful at times, but it is just as rewarding when one stops a criminal from getting away with fraud or prevents a security incident from becoming a data breach. I have many friends in the industry, and none of us want to do anything else.
Security is no longer an afterthought. In many companies I used to work for, information security played second fiddle to IT. The mantra of “five nines uptime” trumped patching and remediation. It was often frustrating to conduct investigations, identify an infected system, and then be unable to remediate it because it was a critical system with no backup. As data breaches and fines have increased, and profits have fallen, companies have started to shift their focus. Security is now more commonly a part of the conversation and is involved in decision-making. Information security no longer sits at the kids’ table; it is now at the main table with the rest of the adults, informing meaningful discussions and shifting the way organizations conduct business. It’s hard to recover money or repair a tarnished reputation, whether personal or organizational, because of a security incident or data breach. From executive circles down to everyday users, information security now gets as much attention as uptime. While there is still a long way to go, I’m thankful that the trend is going in the right direction.
Sharing is caring. Industries, organizations, business units, and even practitioners used to keep things close to the vest. People were reluctant to share ideas and information, and security through obscurity was a common occurrence. Thankfully, that has changed. In many organizations, siloed information is no longer acceptable. Sharing knowledge and data is much more commonplace. It’s more acceptable to share within an industry, between peer organizations, or even with other security practitioners over a drink and a meal. The “every man for himself” attitude has drastically shifted to “a rising tide raises all boats.” I’ve always been a big proponent that everyone is more secure when everyone collaborates, cooperates, and communicates. Sure, there are regulatory and confidentiality requirements that everyone in the industry understands and must abide by, but where industry professionals can share, more often than not, they do. As an industry, we are obligated to make things as hard for the adversary as possible, and we are better off working together and pooling our collective knowledge and efforts than going at it alone. I’m glad to see that this is becoming the standard.
From all of us at Attivo Networks, and me personally, to all the Information Security professionals out there, thank you for all that you do to fight the good fight, give back to the industry, and train the next generation of defenders. Have a Happy Thanksgiving.