
Whose Job Is It, Anyway?

April 11, 2013

In security, we’re not only expected to be Jacks of all Trades, we need to maintain a high level of mastery in each area, as well. We must be able to design secure networks, provide system and database level hardening for all platforms, expertly guide developers in writing secure code, oversee incident response and disaster recovery, and even know about the physical locks and environmental controls.

It definitely takes a special kind of person to make it in this industry and most of us started out as hobbyists, before professional options even existed. We gladly take on these responsibilities, to the point of excluding other teams who specialize in each technology. As much as we love having our egos stroked, though, this trend is not sustainable and it doesn’t enable the success of the organization.

In today’s world, the primary function of security needs to be evangelism. By educating infrastructure specialists in security principles, we can leave the implementation details to people who have spent years specializing in their specific technologies. Like it or not, these administrators, engineers, and developers have far deeper knowledge in their areas of expertise than we could ever hope to gain, as they have dedicated their educational pursuits to one focused area, rather than trying to do it all. It is our job to enable the success of these experts, as we introduce security concepts and help to foster a passion for security in those best able to bring these concepts to life.

Conversely, infrastructure specialists need to start taking responsibility for understanding security concepts. Confidentiality, integrity, and availability affect every area of business. Given the tremendous impact of security breaches and the public attention this topic has received, it seems absurd that in many organizations, these specialists are not held accountable for this critical area of knowledge. By effectively evangelizing to leadership teams in our organizations, we can bring passion for security and set a new minimum bar for job requirements.

Imagine a world where security topics are considered a piece of knowledge as fundamental as the OSI model and are integrated into the core requirements for each infrastructure role. In this world, security teams would have a well-defined role of oversight, advisement, and evangelism, while working in harmony with infrastructure teams, rather than sitting in an isolated silo, only coming out every once in a while to tell someone, “NO!”. It’s not enough to shape our own world; we have to bring our message to the masses if we ever hope to get ahead of the fight.
