Superhumans: a.k.a. Information Security Professionals
Once upon a time there were computers – monstrous, mystical machines which whirred, purred and had tape spools which rotated randomly at high speeds! These hot machines were housed comfortably in air-conditioned, dust-free environments with geeky and nerdy whizkid operators, sorry, engineers.
As the geeks grew older, the computer became a small PC – eventually becoming part of human life. Once in a functional ‘supporting’ role, the computer department now fits into the smartphone that fits into one’s pocket and does more data handling than before.
The whizkids also evolved into domain specialists. Earlier there were hardware or EDP specialists and now there were specialists in databases, software, hardware or what-have-you. In fact, there are infinite specializations in each OSI layer, which is mind-boggling. With maturity in technology, there evolved well-defined roles, responsibilities, education, certification, hiring and assignments, all based on the specialization demanded. In time came the demand for system security, at a time when the only threat was a virus infection or rogue users.
At the beginning of the century technology innovation exploded! In its wake, more malicious havoc has been unleashed on mankind in a decade than had been seen since inception! With the exponential growth of threats, attacks and disasters came a skyrocketing requirement for IT Security skills!
IT Security morphed into Information or Cyber Security to keep pace with Internet growth, technology innovation, computer penetration and mobile devices.
Information Security demands have created super-humans – front-line professionals (the CISOs, IS Managers, Consultants) who are super know-it-alls by virtue of their job profiles. They live on the cutting edge of technology, analyzing risk, enforcing controls and carrying out measurements and audits.
The super-humans are specialists in everything and their word is ‘gospel’ – if not accepted they unleash the FUD weapon “if this is not done… hell may break loose”. The InfoSec superhuman has super communication skills and can make a Chihuahua look like a dangerous rabid wild dog.
Using a plethora of tools for both process and technology control, our superhuman digs into every department to carry out a “gap” and “risk” analysis that can scare any Board. Their VAPT and Threat reports can send a CxO into ICU, and the Incident Analysis and Forensics reports are the stuff that makes heads roll.
If that is not super power, then wait… there is more. The superguys are skilled in everything under the sun: you name it and they know about it in depth and can give you a nice FUD-laden presentation bound to make you lose sleep.
Mind you the Security superhuman never works against the interests of the organization and is usually the most loyal person. And yes, this quality comes with ethics and honesty.
The Information Security professional knows almost everything – audit, networking, system internals, application development, network/security architecture, law, process design, standards, databases, OSs, applications, forensics, HR, DLP, SIEM, IDS/IPS, UTM – a list that goes on and on. Surely this is someone with superhuman intelligence and (oh yes!) stamina – because the IS guy is on call 24×7 and can be with you in a jiffy.
There is no choice but to evolve into a superhuman being since the organization has come to expect an off-the-cuff solution for every issue they face. InfoSecMan/Girl can troubleshoot any incident, configure/harden any device, close vulnerabilities anywhere, handle people, legal issues etc etc. Routine stuff for our Information Security Superhuman. Another example – ask for consulting advice and he/she can fill you in from DOS to SCADA with ease, or fly from SAP-land to SalesForce-country from EC2 to hybrid cloud. InfoSecMan/Girl wears a tattoo on the forehead saying Virtualization and his/her second name can be Audit or Risk.
Living up to such expectations is tough; it is taking a toll on IS professionals and shows up in weak audits, data breaches… but there is still hope and it lies in maturity. Like wine, as the profession matures, specialization will happen and the jack-of-all will have to step back and into a management or pre-sales/sales role. Maturity is not yet close at hand in view of the slow acceptance of security and the continued practice of small budgetary allocations.
For now, anyone entering the InfoSec domain must be mentally prepared to become a superhuman being. They must also sleep lightly, be available, continuously upskill, and lastly – perpetually welcome adversity or success with a warm smile.
Name: Dinesh O Bareja
About the author: Information Security Professional in Enterprise Security Design / Architecture, GRC + SIEM, DLP, SOC technology