NATIONAL HARBOR, MD. -- What does the future of information security threats and technologies look like, and how will that affect roles and staffing in the IT or IT security organization? If experts at the Gartner Information Security Summit here are correct, IT security jobs will become less about security technology and much more about risk management strategy, as threats either max out, in one scenario, or become so complex that security jobs will change nonetheless.
Indeed, for dyed-in-the wool techies, the fun's done. Maturing technologies and services will co-opt much of the hard technical work of protecting the enterprise, and the demand for low-level proficiency will largely be filled overseas in cheap labor markets, they said.
In a series of keynote sessions, speakers drove home the point that instead, IT security professionals increasingly will be asked to act as advisers to senior business management on risk management strategy.
"Can you effectively report to senior management what the overall current risk position is of your organization, at least within the scope of IT? You will be asked to," said Gartner Inc. analyst F. Christian Byrnes.
If security technologists hope to thrive, Byrnes said, they will need to master disciplines more typically associated with the business: risk management, relationship management and process management. Understanding the business -- the mantra for aspiring CIOs -- is a prerequisite for chief security information officers, too. Security executives will need the written and oral communication skills to translate information risks into imperatives that business management can grasp and act on -- and ultimately own.
Two scenarios for security pros and risk management strategy in 2016
The future laid out by Byrnes assumes that the rate of new threats requiring new technologies for detection or prevention will decline by 2013, leading to an overall reduction in demand for on-site technical security staff by 2016.
"What does that mean? Well, an increase in demand for staff with surface-level knowledge of security technology, but perhaps a decreased need for technical depth, at least for many of the technologies that currently exist," Byrnes said. "The most growth for technology people will be for outsourcers in low-wage locations."
A second scenario for 2016, as described by Gartner analyst John Pescatore, assumes that the information security threats are at least as complex as they are today, if not more so. In this future, internal users pose the biggest risk to the enterprise through their use of hard-to-control technologies, from cloud computing to crowdsourcing, that leave the enterprise vulnerable to attack or manipulation. This in turn will prompt more regulations, keeping security professionals gainfully employed.
But even in this second scenario, the way that information security does its job will change, Pescatore said.
Information security jobs that are fading
So, which IT security jobs will stay and which will fade? According to Pescatore, many staffing positions will indeed be outsourced -- or adapted to reflect the entwinement of IT and business processes. The vulnerability researcher of today will be replaced by Vulnerability as a Service by 2016. The firewall/intrusion prevention expert will be supplanted by a communications search manager, responsible for keeping all the enterprise's communications secure, not just the network. The event monitoring staff will be supplanted by Incident Reporting as a Service. Penetration testing will become business process security testing. Instead of data classification, companies will require usage monitoring of sensitive data. Demand for security architects will peak in 2015, as that role migrates into enterprise architecture teams.
I've seen this increasing trend of having to become more of a manager and less of an engineer.
Ben Greenberg, security engineer, Hogan & Hartson LLP
Ben Greenberg, a security engineer at law firm Hogan & Hartson LLP in Washington, D.C., who attended the session, expressed dismay at the direction his profession is taking.
"I am a geek and always will be. I've seen this increasing trend of having to become more of a manager and less of an engineer," Greenberg said.
The hands-on work of the security engineer has given way to researching solutions and telling others what to do, he said. For example, Greenberg and colleague Wesley Hinkle, also a security engineer, recently analyzed intrusion prevention systems for the firm's two dozen offices, an implementation, in fact, that's slated to be outsourced to a managed security provider.
Was there anything he found enticing about becoming a business-savvy manager of risk? "The salary appeals to me; everything else I find repulsive," Greenberg said.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.