Cybersecurity: An Industry of Professional Divide
Cybersecurity: An Industry in Divide
The observations displayed in this post are of my own and not connected to any affiliates in my network. With that being said, I have noticed that throughout the industry I have mainly interfaced with three types of individuals, "the forced", "the absolutists", and the "what ifs". These are generalizations and not applicable in all situations. This post looks to explore the positives and negatives of each, potentially helping you decide which you relate too or which you'd like to become.
The forced -
These individuals have come into the security space potentially through being voluntold (military term for doing a job you dislike) or they desired to dabble with security. They are typically hit or miss when it comes to security. It may be due to their own lack of desire, or lack of experience, they have been provided in their career. Regardless, they do not have malicious intent, they aim to do the best they know how, and they often provide improvement but it tends to fall short of any substance. They still support a function inside an organization and provide marginal improvement versus none at all. As a result, these personnel are riding out their time, doing just over the bare minimum of a security professional to keep in the loop, they sometimes, but rarely hold certifications (not that certs make or break people, but its an indicator of motivation to move forward and continue to learn).
The absolutists -
These individuals come from all walks of life, military, government, college, and self-study. They typically have multiple certifications and they live and breath security in one way or another. Prior to going to sleep for the night, they read the most recent breach prior to going to sleep, they coat their cereal boxes in articles so they can read them in the morning, their lives are security. This obviously may seem like a great attitude and overall it is! Their downfall is also their strength, their love for security does not mix with whats good for business. They have to have all anonymous FTPs removed, 802.1x on every port, and every vulnerability patched on every system. As a result, in any large organization their to-do list is five million miles long and completely unmanageable, most likely will never reach completion. In conclusion, their hearts and minds are in the right place, however, their counterparts, and the business, is unable to meet their desires and requirements. They often get very frustrated with the business and are convinced the business does not care about security.
The what ifs -
Without trying to generalize, this group typically comes from some type of consulting background or strong mentorship, they have been in different types of industries and sizes of businesses. They have seen the good, the bad, the ugly, and the unicorns of security programs. They are not quick to say that every anonymous FTP needs to be removed nor do they say that 802.1x is required on every segment. They simply respond with "what risks does this pose"? An anonymous FTP with sensitive information or username and passwords should most likely be re-configured correctly and determine the root causes. However, an anonymous FTP for a printer that is on a non-sensitive segment, obviously not best practice, but most likely far from the lowest hanging fruit in the environment. The "What ifs" then ask, what is the chance of someone locating it? What type of information will they get out of it, or can they use it to pivot into another segment? Unlike the absolutists they do not jump to a conclusion without knowing all of the facts. Their approach typically takes a longer to reach a conclusion and more work on their part, but places less strain on the actual business. Furthermore, their recommendations and determinations may be mis-interpreted or mis-leading resulting in less effort.
Conclusion -
Each of these groups have their positives and negatives just like anything in life. They surround our daily cyber filled lives, they make important decisions that protect our data, and they advise the leadership of the companies that support our lives. As time goes on, I think these personalities will merge into a hybrid of "what ifs" and "absolutists". However, there is a good chance that "the forced" will be forced out of jobs or into retirement in their cybersecurity career.
Feel free to share, comment, disagree, or provide additional security personalities!
Very well written. The way things are headed, most organizations are going to find themselves in 'The Forced' category...best to start asking "What if?" before you have to ask "What now?"
Delivering unparalleled results for Fortune 500 organizations through passionately leading culture change and driving transformative initiatives in technology and cybersecurity maturity.
8 年Sergio, did you say FireEye, Inc.? Yes it's pretty comprehensive solution, and if implemented properly gives a wonderful and detailed & real-time insight of all traffic in/out of network and most importantly how it's behaving or what it's doing. Few years earlier, I had managed their outsourced tech support operations. However, if security teams don't act on time, even great tools and solutions fail to help organizations in time when security incidents occur.
The strength and weakness of both, our vulnerability and security, lies in the algorithm...
8 年I'm a lil guppy that managed to survive with salt water in a huge ocean, but... The biggest misconception is the title "Cyber-Security". Anytime I've utilized a security detail in any fashion, they were well prepared to eliminate a threat if needed. We have Cyber Defense, in the sense that we build the strongest wall we can and wait to be attacked, then figure out how to better defend, block, deny, but never stop or eliminate the attacker. This trifecta of profiles can be applied to many industries. I've come to be aware of the "forced", empathize with the "absolutists" and appreciate the "what ifs" Thank you to Fire Eye for finally knocking on the door of an offensive side in the industry so we can finally have true "Cyber Security" The hybrid your speaking of should create the core of counter-attacks. Will be exciting to watch! Thanks for sharing Steve, an enlightened POV is always priceless.
Delivering unparalleled results for Fortune 500 organizations through passionately leading culture change and driving transformative initiatives in technology and cybersecurity maturity.
8 年Nice article Steve Schwartz.Just a thought.. another type could be added - 'the opportunists' who understand deeper aspects, know what works what doesn't, deliver, recommend, or suggest ideas and solutions that would work (for them or) for their customers/stakeholders and also know how to correct quickly if things go wrong. They tend to have great advisory and leadership skills and ability to bring in best ideas and synergy of all the 'what ifs' and 'absolutists'. Any thoughts?