I read the following in the latest SANS NewsBites:
The lead story contains an important notification by Major General Lord of broad-based US federal IT security failure. As senior officials discover how bad federal security really is, they have begun looking for solutions (some are also looking for scapegoats).
The first and most important change they will make is to begin cutting budgets for policy and report writers, and transfer budget and responsibility to operational technical security projects and professionals who can actually protect their systems. The transformation has already begun.
If you have soft skills (policy writing, security awareness, risk assessment, C&A report writing, etc.) and want to have great, long-term job prospects in security, it makes sense to move quickly to add hands-on technical skills so you can lead the teams of people who will be needed to turn the tide against the attackers.
The "lead story" refers to this post.
Alan Paller continues in the newsletter:
Major General Lord is simply saying out loud what White House and DoD officials have known for almost three years; that's how long the hacking and data thefts are known to have been going on. What he did not say was that the same techniques (and attackers) have proven successful in penetrating DoD contractors such as Lockheed Martin and Raytheon, and penetrating many other government agencies including some you would not expect the Chinese military to care about.
The failure of federal agencies and contractors to protect sensitive information was instigated by misallocation of resources caused by OMB and Congressional metrics measuring the wrong things. It is time to revitalize FISMA and the C&A process.
If Government Reform Chairman Davis doesn't feel the problem is worth his time, he might consider transferring responsibility for FISMA and federal security to the House Homeland Security Committee where Chairman King's targeted subcommittee chairs have fostered real progress in improving security of critical infrastructure control systems.
I wonder how much of the "soft skills" comment is wishful thinking and how much is based on actual events.
If we're truly realizing that "hard skills" are needed for real defense, then maybe my prediction from January is materializing:
Is this [MBAs instead of techs] why companies continue to be compromised? Are the MBAs running around wondering why their self-defending networks are failing? I guarantee we will see a "back-to-basics" movement in the next few years, where "hands-on" tech skills will be emphasized again.