Today, at the (ISC)² Congress in Atlanta, I sat down with Richard Nealon, and put the (infosec) world to rights, discussing the transformation of the information security professional, the future of the CISO role, and how information security needs to get more value from its pound (or dollar, or euro).
Currently working in e-discovery and contract management for an Irish bank, Nealon describes himself as an infosec ‘Jack of all trades’ and has been actively involved as an (ISC)² volunteer for over 10 years.
The ‘Jack of all trades’ role is one that we spend some time pondering, as Nealon considers it an endangered model. “At the moment, we have to be a jack of all trades, when in reality, we should be focusing more on specialisms.”
This requires a redefinition of “what we call ourselves as cybersecurity professionals”, says Nealon. “Youth coming into the industry can’t fill the jack of all trades roles, but organizations need to give these young professionals a break, invest in them, help them to learn.”
If a company does require a ‘Jack of all trades’ type – due to budget or posture – “they should train up young professionals into this role.” There’s a loyalty issue today, Nealon tells me, “with companies less likely to invest in their young staff.” This, he insists, needs to change.
Calling on New Skillsets
Nealon considers that the industry has followed “a personal journey” whereby the requirement for technical skillsets has, of late, given way to a requirement for budget, resource and management skillsets. “We have to question whether we’re qualified to do these things”, he counters.
Attracting people from other disciplines is key, he notes, listing management, education, communications, and social sciences as essential areas. “As careers progress, we focus more on these areas”, he considers.
“We’re still trying to modify a career that no-one chose.” He uses himself as an example of someone who “kind of fell into the industry by accident”.
Now, though, he considers, due to the Bachelor programs available, “more people are choosing this as a career.” And it’s this generation, he insists, that needs to dive deeper into a particular specialism.
Good Security Architecture
The role of the CISO, considers Nealon, is “to make sure that good security architecture is in place. And this is something that appears to be missing from the industry at the moment.” Security controls, by nature, are not agile, so knowing “how they are structured is the only future for the CISO”, Nealon says.
“They can’t know where all the data is and how it has been controlled any more. Pandora’s box has been opened, data has been disseminated, and we can’t put it back in the box.”
What a CISO can do, he says, is understand the controls and access around that data. “Complexity is the enemy of good security. Common sense goes a long way in information security.” Remaining focused on business drivers is always good practice, he adds.
A Disposable Society
Nealon describes the information security industry as “hoarders of legacy systems”. We need to stop putting in security controls we don’t actually need. “We hoard legacy applications in this industry”, he says laughing.
“Getting the maximum value out of your money is so important. You don’t need 100% perfection, but it needs to provide value-add”.
The first world, considers Nealon, is bad at getting the maximum value. “We’re a disposable society. In the third world, they suck all the value they can out of every product.”