20061122

Information Security Must Evolve


Amrit Williams had an obvious but well-thought-out blog post on the changing landscape of information security. There was a lot of good material in it, but the point I want to talk about here is this:

Security can no longer exist in a silo or a vacuum; security programs and security professionals must align themselves with the business or face extinction.

I hope you get that impression from reading this blog as well. The attack vectors are shifting from outside your firewall to inside your firewall (which is also evolving). Threats aren't at layer 7 and down anymore - they're at the undocumented 8th (app server), 9th (app code), and 10th (user) levels, and we can't protect those higher levels with low-level firewalls. This means that security professionals have to partner with developers. It's no longer adequate for security professionals to understand only security, and for developers and architects to understand only software engineering. Our knowledge has to span both, and we have to be able to leverage one another's talents.

It's no longer even enough for security to be a "scan" that takes place after the code is written. Many of the most severe flaws now are engineering flaws, not semantic flaws. We can't just teach coders to write secure code; we have to teach engineers to engineer secure processes. And even that isn't enough - we can't just produce secure code, all code has to be handled in a secure environment. The insider threat will continue to escalate as long as espionage remains lucrative. And now there's even more at stake, as information technology becomes a major part of the playing field in terrorism and counter-terrorism.

Good news, security folks: your job is secure. But I promise you, what you did two years ago will not be sufficient two years from now.
