Recently, I sat down with my attack and penetration team (the guys that break into stuff), and I was reminiscing about the old days of penetration testing. It got me thinking that, as the industry evolves and shifts toward technology to handle the commoditized tasks, it needs to move away from the monotonous work of running tools and toward more strategic thinking.
The good ole’ days
Back when I did penetration testing in 1997, there were not a lot of tools available. Thus, I had to “custom” develop scripts and exploits almost every time I encountered a new environment. Take Metasploit for example… I didn’t have a framework that allowed me to take advantage of a knowledge repository. The closest thing I had was milw0rm, and at least half of the exploits were theory-based with non-working scripts/exploits.
As with every industry, security has evolved, and what we did ten years ago has been replaced by better technology and automation. Take the finance world: ten years ago, if you were able to perform regression analysis and determine the beta (slope) of stocks as it relates to systematic risk, you were a rock star. Today, you can go to Google, and it has all the calculations already done for you.
So what does that mean? Well, in the simplest sense, we need to start thinking strategically as an industry and provide value beyond what we used to do.
The Current State of Information Security
In security, the next several years are going to be critical. Currently, the industry is struggling to get budget, enable the business, and develop solutions that help secure organizations. Individuals are too focused on coming up with the next-greatest hack or tool to find vulnerabilities instead of aligning with the business to develop more strategic, business-focused solutions. As an industry, we need security professionals who are more business-focused.
Shift in mindset
Depicted in the graph above is effectiveness mapped to global knowledge in relation to tactical and strategic thinking. This applies to any organization in any industry. In security we are at the Breakeven Point (BEP), and the value we provide over the next several years needs to be adjusted for organizations to get a positive Return on Investment (ROI). Ten years ago, very few people had the ability to perform penetration tests. Today, almost every security-minded person has the experience or technical certifications to perform them. In marketing, they call this an activity that has reached maturity. The value is lower, along with the price one is willing to pay (WP).
Beyond Security: Part 2 – Provide Irreplaceable Value to your Organization
In the second segment of Beyond Security, I will discuss the difference between strategic vs. tactical thinking, and how the security professional can evolve to integrate with business goals.
Beyond Security: Part 3 – How to Align Security to Business Strategy