NATIONAL HARBOR, Md. — High-profile security breaches and massive threats like the Conficker worm do a great job of grabbing headlines, but down in the weeds at the day-to-day operation level, is the traditional security professional a dying breed?
Byrnes said there will always be a demand for security experts, but that their role is headed for a profound disruption as security becomes more integrated and “less human-intensive.”
“There will be fewer people needed with in-depth knowledge of individual technologies,” Byrnes said.
Demand for specialists in a traditional discipline like security architecture, for instance, will peak in 2015, Byrnes projected.
But that doesn’t mean that security is going away. Instead, Byrnes described an evolving landscape where security will become a mainstream issue, with baseline expectations for secure code in every application in use in enterprise and government. He looks for the nuts and bolts of security, such as testing and auditing, to become increasingly automated processes overseen by low-wage, low-skill positions that will be ripe for outsourcing.
The future of security, as Byrnes sees it, will tap into more mainstream business and communication skills, demanding technical experts who can communicate with senior management about the business impact of things like threat audits. That means translating technical data about emerging security threats into the tangible risk measurement and reporting presentations executives are accustomed to seeing, and using to inform business decisions.
“If you’re in a leadership role in information security you will have to figure out how to do this over the next five years,” Byrnes told an audience of security professionals and executives. “The new skill sets that we are developing are important to how our entire profession moves forward.”
As an analyst, Byrnes noted that he is in the business of making predictions, offering the disclaimer that he has no crystal ball to divine the future. At the same time, he was emphatic about the need to automate security processes, tying the issue to business value as it moves further into the mainstream.
“Security program management has to become an overlay on all the technological issues,” Byrnes said. “They become part of the standard of due care.”
That gradual mainstreaming of cybersecurity is not lost on policymakers. President Obama’s ongoing overhaul of the government’s cybersecurity apparatus has been the subject of widespread interest as the industry awaits the appointment of a new cybersecurity czar. Byrnes also looks ahead to an active legislative agenda.
“We’re projecting of the next 18 months we’ll see another doubling of legislation that affects information security,” he said.
Some of those bills have already materialized, such as a Senate omnibus effort to overhaul cybersecurity policy and a variety of legislative efforts in both chambers taking another stab at codifying data breach notification requirements.