What is it and why should I care?
Information security is a quickly growing field that is changing rapidly in many ways. We are tasked with securing all sorts of technologies and those technologies are moving quickly.
The implication here is that even maintaining the status quo requires significant work. However, we don’t want to just maintain the status quo – we actually want to improve. How, then, should we proceed?
What should I do about it?
We have to work hard to consistently improve. Technology is a field that requires a lot of effort to stay current, but that effort pays dividends with experience. I recently had a conversation with a colleague where we discussed how quickly things were moving, but how similar the technologies were, particularly when you look across platforms or deployment models. Mobile certainly differs from the web, but there’s a lot that’s the same. If you account for web and desktop, there are even more similarities. Similar ideas have been bandied about when discussing the cloud and mainframes.
I certainly understand that there are nuances to most technologies that make them unique or valuable in some way (else they don’t gain traction). However, it remains that exposure to different situations (experience) gives you a significant upper hand in this space. Below are a few thoughts about what I’ve seen to be successful with this approach.
1. Learn the fundamentals
This is the core of every good security person I know. Their quality is often a direct reflection of their understanding of core principles. This is logical when you consider that we make the same technological decisions again and again. A good understanding of what we do and why we do it is essential to being a good security person over the long haul.
2. Work with lots of things
Try to get exposure to different technologies, platforms, toolsets, development methodologies, risk analysis techniques, etc. The more you see, the more you can build a mental framework around which to base your decision making. You see the components for what they are and how they fit together – a powerful piece of information.
3. Build a nice toolset
A natural extension to having a good grasp of the fundamentals and getting exposure to different things is that you build a solid toolset. You may be a specialist (that’s great), but work with others and try to understand what they do. That knowledge lets you further understand your role in the process and gives you a way to add even greater value.
4. Look for novel solutions
Even though it’s rare, there are good new ideas that come along. Many of the best ones in technology were generated in the 50s and 60s, but there are still good new things that come up all the time. Be on the lookout for good ideas that can fundamentally improve how we secure systems. As one friend put it, look for things that make it cheaper for us to secure things than it is for the bad guys to break things.
In conclusion, security (along with technology) is quickly evolving in the particulars, but pretty steady in the fundamentals. In order to improve the overall security of our systems, we need to stay ahead of that curve. We can do that by having a solid understanding of the basics, getting exposure to different tried-and-true techniques and solutions, and then finding those new solutions that move us forward. By following these steps, we can make sure that we are moving the field forward and that we never stop improving the security of our systems.