As recently as five years ago, if you worked for the tech department of most organizations, your job responsibilities were pretty clear-cut. You were expected to fix the hardware when it broke, “fix” the software when someone crashed a program, and install updates and software as necessary. The skills required were cut-and-dried, and the surprises were pretty minimal. As far as information security was concerned, it was usually enough to simply hand down security measures and escape back to the sanctity of the IT “cave”.
We’ve come a long way, baby.
In the past few years, everything about the field has changed. Not only do job descriptions look drastically different, but the environment in which those jobs are taking place has changed. Budgets are smaller, the threats to organizations are greater, and the skills that are required have broadened. People in general are also more tech-savvy, which makes the job both more and less difficult. On one hand, IT is dealing less and less with people who are completely unfamiliar with computers and the internet; on the other, a little bit of knowledge can be a dangerous thing. People sometimes know just enough to create problems, and not enough to be able to fix them on their own.
In addition, we’ve come to the realization that it’s no longer enough to simply possess technical skills; IT workers now need to work with the rest of the organization to make security measures more successful. As I’ll discuss further below, success is much more likely when members of the organization are included in the process, rather than simply having security measures foisted upon them.
However, what this means for infosec employees is that they need a whole new set of skills, including the ability to communicate the value of what they do to fellow employees and to management. Job security is far from guaranteed for any member of the organization. Involving the rest of the organization in the development of security measures ensures buy-in from the organization for the measures and makes the success of these measures far more likely (and by extension, of the IT department as well).
How does involving those affected by security measures in the process make those measures more likely to meet with success? First, simply by going to the employees themselves to get information about how they do their jobs, security measures become more specific to the people they’re actually supposed to help. A system that is designed around the people who are going to be using it is far more likely to be effective than one that isn’t.
Second, as people become more involved in the experience of creating these security processes, their fear of the measures that are introduced is diminished, making them more likely to comply and to be successful with such measures. They become partners in the security effort, and invested in its success.
True, change can be scary. But the opportunities inherent in such change make this an exciting time for the field. It’s not so bad out here after all.