I think the next generation of IT and digital security professionals will find limited opportunities in the "traditional" non-IT/security companies of today. I wrote about this last year in "Reactions to Latest Schneier Thoughts on Security Industry" when I said this, specifically about the security field:
What does this mean for security professionals? I think it means we will end up working for more service providers (like Bruce with Counterpane at BT) and fewer "normal" companies.
Bruce wrote "the security industry will disappear as a consumer category, and will instead market to the IT industry," which means we security people will tend to either work for those who provide IT goods and services or we will work for small specialized companies that cater to the IT goods and services providers...
[S]ecurity companies will end up part of Cisco, Microsoft, Google, IBM, or a telecom. I doubt we will have large "security vendors" in the future.
I'd like to extend this prediction (which is not unique to me, of course, but writing it here means I'm planning for the change) from security to IT in general. I re-examined my stance on this issue after reading "GE CIO Gets His Head in the Cloud for New SaaS Supply Chain App." The fact that the article talks about GE isn't the specific point (disclaimer: my employer). It's another reminder that IT and security are not the end goal for most organizations: they are means to an end. The only exceptions are companies whose products and services are IT and/or security, e.g., Cisco, Microsoft, Google, IBM, telecoms, etc.
This doesn't mean that "IT [or security] doesn't matter." On the contrary, both are crucial, but history has shown a relentless drive to focus the business on core competencies and away from non-core functions. The definition of core competencies is what matters.
Businesses are spread across a large spectrum. One end might have a (largely theoretical) fully-closed organization that could generate its own electricity, mine its own raw materials, design its own products, staff every seat with employees, design/build/run/defend its own information assets, and run its own sales, distribution, and customer service functions. At the extreme opposite is a firm that does nothing but buy patented ideas and sell licenses, with minimum staff and every other function outsourced.
The history of capitalism has demonstrated the power of comparative advantage, specialization, and division of labor. Businesses continue to migrate away from the do-it-yourself model to the outsourced model, with labor, legal, and security concerns as a few sources of friction.
If you look around your own enterprise, you'll see signs that this migration is happening. How many of you manage a 3G network? Chances are that if you answer yes, you work for a telecoms provider. How many of you keep the operating system on your BlackBerry or iPhone patched? If you answer yes, you work for a telecoms provider or Apple.
It's entirely within the realm of possibility to imagine enterprise users operating personally-owned assets, with network connectivity supplied by a 3G network, accessing software-as-a-service Web apps hosted by a cloud provider. Oh wait, that is already happening. Anyone who wants to see what the "consumerization of IT" looks like should visit a university campus and see how students learn in the 21st century.
This doesn't mean that universities and other organizations that are embracing this model have zero IT and security staff. Rather, I think it is important to imagine where we (or our kids) could be working in 20 years, if we want to stay in the IT and/or security fields. Many more jobs, percentage-wise, are going to be with providers and vendors, not customers. Consider how many companies maintain their own electricians, phone technicians, and so on. There are plenty of those roles in the modern economy, but the people who fill them tend not to work for non-electrical, non-phone companies.
Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar.