This is a guest post by Adrian Asher, CISO at London Stock Exchange.
At a recent Balabit Partner Conference where I was speaking, I was asked a question about the growing talent crisis we have in Information Security: how, within the next five years, there will be a gap of over 2 million vacancies.
Now, I’ve heard this question before, and of course I have heard the standard answer (invest in growing staff, education, etc.), but I decided to take the road less trodden!
“I think that’s underestimating it”
Why do we have a talent crisis in Information Security?
I firmly believe that the talent crisis is not just a lack of appropriately skilled people, but also a lack of skills among the people we currently have. Many of the people in Information Security today have never written code, never designed an application and certainly never designed and operated for the cloud.
Yet over the next decade, those are exactly the skillsets we need. Understand that the infrastructure components will all but drop away. Firewalls will be no more. IDS removed. WAFs gone. Load balancers becoming generic TLS termination points. All the creature comforts a traditional infrastructure security person has come to rely on will be no more.
As applications sit upon platforms that self-maintain, the focus of an Information Security professional is going to consolidate solely on Applications and Identity.
When hiring today I see many candidates who are Infrastructure Architects or Enterprise Architects. They can certainly design a network and traditional infrastructure components like web servers and databases. But challenge them with event-driven (serverless) architecture or platform as a service and they are at a loss.
When I was at Skype we used to focus on decoupling the application from the infrastructure. And not through some form of IaaS, but by truly separating the two. This allowed teams to work on products and features rather than scaling. They could trust that the data store would scale for them, and could focus on delighting customers instead. It became natural. Other web-scale properties back then did the same.
How Information Security Professionals should adjust to changes
The rest of the world is evolving to this point with containers (which I still don’t like) and platform as a service, but very slowly. As technology evolves, so must the IT professionals and engineers. Security people are no exception to that, and I urge all my teams to truly understand the application: to write code, and to know how to build security in instead of relying on the infrastructure to do it for them.
Because tomorrow, that infrastructure isn’t going to be there.
Adrian has been working in Information Security for 16 of his 21 years in technology. He classes himself as a technologist who specialises in Security. He is now CISO of London Stock Exchange Group, having just been HSBC’s CISO, where he was in charge of all IT security globally for two years. He has worked in many industries and companies, bringing his unique brand of security that puts the business first.
Prior to HSBC, Adrian was Executive in Residence at Accel Partners (London), helping and advising startups. He was CISO at Skype for 5 years, where web scale and big data made it one of the most challenging environments in which to apply security. Betfair, Man Group, Barclays Capital, BAA and BA are just some of the other companies he has worked for across the high-tech and financial sectors. He holds a Masters in Information Security from the University of London.