Security Practitioners Must Keep Up with Changing Roles
Frederick Scholl, Ph.D., Cybersecurity Program Director, Quinnipiac University
May 3, 2019
As digital technology penetrates virtually all business processes, the roles and responsibilities of information security practitioners are undergoing major changes. While data confidentiality was the highest priority over the past decade, newer responsibilities emphasize data integrity and data availability. In addition, practitioners must increasingly venture outside the traditional technology silo and work more closely with the business. Newer job descriptions reflect this need. Some of these job descriptions will show up in print; others will be unspoken but discovered in face-to-face interviews.
There is no hard-and-fast roadmap for preparing for these new responsibilities and opportunities. Figuring out what is going on is like the fable of the blind men and the elephant. In this post I will present evidence of changing roles from three sources: former Facebook CSO Alex Stamos; current job descriptions from Indeed.com; and a recent analyst report from Gartner. Organizations change slowly, so treat my comments as a guide to security positions that are still emerging. But I have no doubt these roles and responsibilities will materialize.
Stamos's 2017 Black Hat talk is still one of the best overviews of where the profession needs to go.[1] He argues that the profession as a whole has not lived up to its potential. Why? Too much focus on technical problems and too little on the human harm that vulnerabilities cause; every technology person needs a healthy understanding of risk management. Second, instead of relying exclusively on traditional security roles, Stamos wants more focus on defending against "abuse": the technically correct but malicious use of a system. Most security professionals concentrate on misconfigured technology that lets attackers in, whereas abuse exploits a product that is working exactly as designed. Third, Stamos asks security professionals to develop more empathy for users: they are not the weak link, they are our customers, and security nihilism must be abandoned. Finally, he argues that security professionals must engage more effectively with the world, meaning everyone outside the security profession: developers, business users, outside customers and so on. These aspirations are qualities anyone can acquire, given focus and observation. Start your journey by listening to his presentation.
I use Indeed to follow cybersecurity job trends in the trenches. The NICE Cybersecurity Workforce Framework[2] attempts to structure cybersecurity jobs and skills into discrete buckets. The Framework describes 33 Specialty Areas of cybersecurity work, including things like Test and Evaluation and Systems Development. These are primarily focused on activities within the security technology silo itself. I wanted to find current job descriptions that might address Stamos's suggestion to "engage the world", so I searched on "Business Information Security". This role is not found in the NICE framework. Here are some of the newer roles I found:
- Business Information Security Officer (BISO); part of global information security, but working closely with a business unit's CTO and CIO.
- Business Information Security Advisor (BISA); defines, plans and executes the strategy for business security, in strong contrast with the traditional IT security role.
- Information Security Business Control Manager; strategic management and oversight of remediation metrics end to end.
- Business Information Security Officer; drives information security program requirements into the line of business and monitors compliance.
- Head of Business Information Security Office; provides relationship management to all corporate units for enforcement of IT security policies and standards.
- Senior Manager, Business Information Security Office; manages a team that provides risk management and reporting and tracks findings.
- Information Security, Contracts and Proposals Manager; collaborates with internal departments to ensure consistent management and timely delivery of all proposals and contracts containing information security language.
- Business Information Security Official; educates business functions on information security services and processes.
These eight roles all require a strong technical background, but they also require much more interaction with business units than before.
Market analyst firm Gartner has also defined new security roles, based on its interactions with clients. Its recent research considers the pervasive application of technology and the types of security professionals that will be needed to protect it.[3] Gartner finds that traditional cybersecurity teams are not prepared to address the risks that new digital business initiatives introduce. As a result, roles, staffing frameworks, competencies and skills all must be revised to manage those risks. According to Gartner, 30% of businesses will add at least two new security roles within the next two years. Some of the possible roles it highlights are:
- Digital Risk Officer (DRO); leadership to bridge non-IT business initiatives with digital risk management policies.
- Chief of Staff for Security; interacts with functional and business unit leadership to set strategic direction in alignment with business objectives and priorities.
- Data Security Scientist; applies a data-centric security strategy that prioritizes datasets and mitigates evolving business risks, such as regulatory compliance and threats from hacking, fraud and ransomware.
- Security Ombudsman; this role tasks an experienced technology professional with upholding the interests of constituents — users, employees, consumers — by expressing and defending what the organization's security should prioritize.
- Digital Ecosystems Manager; coordinates risk and privacy assessments and helps the DRO communicate across the organization's ecosystem to vendors, supply chain, regulators and other external players.
Other roles identified in the report include: security audit manager; threat hunting/modeler; vanguard security architect (full stack); and security marketer.
That's my view of the career elephant, as of April 2019. The only missing element is your point of view. Start there, consider the research I have suggested and take your first steps in the direction that seems best for you.
1. Alex Stamos, Black Hat 2017 keynote; the talk starts at 45:50: https://www.facebook.com/security/videos/10155111383296886/
2. National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, August 2017.
3. "New Security Roles Emerge as Digital Ecosystems Take Over", Gartner, June 29, 2019.