Important skills and challenges for today’s security professionals.

  • Writer: Santosh Chachar
  • Sep 26, 2023

I am talking about only one category of security professionals here: the ones working to protect their own organizations, especially small and medium organizations. And not the consultants, security product professionals, advisors, pen-testers, or auditors who solve just one piece of the puzzle at a time, with all due respect. It's just that till now I have been in the first category and have exposure there.

Skills

One skill that cannot be replaced by one person, a machine, or some fancy AI/ML-based product is:

The ability to correlate various aspects like technical controls (prevention to response), compliance, privacy requirements, data-specific standards and regulations, and the often neglected and wrongly implemented people/awareness initiatives.

And to come up with relevant approaches to reduce various business risks (not just IT risk anymore) to an acceptable level, by understanding the business priorities and achieving the right balance between security and business.

Whether in work or life in general, risk can never be eliminated; it can only be reduced to an acceptable level.

Let’s take an example of how privacy intervenes in traditional security approaches: privacy is not just a matter of published policies and agreements between a chain of entities, left to legal and compliance teams. It permanently impacts product architectures, data collection/processing/sharing/retention/disposal methods, and the way you build new products and features.

One of the privacy requirements is to implement “appropriate” technical and organizational measures to protect data. To demonstrate that, we need to implement standards and third-party attestations like ISO 27001 and SOC 2. To implement these standards, you need to implement various controls, processes and security products in all your environments: on-prem, private clouds, and workloads in public clouds. You also need to align with dynamic, fast-paced and highly automated environments to reduce the impact on timelines. To achieve that, you need to modify the scope and definitions of stories, design/functional/technical specifications, non-functional requirements, bugs, testing, and existing automation to include security and privacy checks.

Challenges

It’s impossible for one professional to deep-dive into all the aspects. A further challenge is keeping up with increasingly complex IT infrastructures and data-centric perimeters encompassing various geographies, third parties, internal and external APIs, IoT devices, connected industrial systems and critical infrastructures.

There is still not enough awareness of, and priority given to, security and privacy aspects, despite the high-profile data breaches every other day. There are various reasons for this; I do not wish to make a blanket statement here.

The much-talked-about security skills gap is because of the above skill requirements and challenges. The job descriptions are unrealistic due to less understood and still maturing security functions.

There is also a gap in qualified interviewers who can assess the attitude of the candidate in a limited time.

Conclusion

New technology stacks need to be understood by security professionals before securing them. This is becoming difficult given the speed at which new technologies are coming up and the lack of importance given to security while building them; IoT is a classic example. Hence technology-specific experts, security teams, and legal teams need to work together. Enough priority and dedicated time need to be allocated to all these teams. Stay relevant, operate in the right context, and never miss the big picture in all walks of Work and LIFE.

I would really appreciate feedback and valuable inputs from the folks who have been there and are willing to share wisdom for the benefit of the security community!
