Monday, March 09, 2009

Thoughts on Technology Careers for the Next Generation

I think the next generation of IT and digital security professionals will find limited opportunities in the "traditional" non-IT/security companies of today. I wrote about this last year in Reactions to Latest Schneier Thoughts on Security Industry when I said this, specifically about the security field:

What does this mean for security professionals? I think it means we will end up working for more service providers (like Bruce with Counterpane at BT) and fewer "normal" companies.

Bruce wrote "the security industry will disappear as a consumer category, and will instead market to the IT industry," which means we security people will tend to either work for those who provide IT goods and services or we will work for small specialized companies that cater to the IT goods and services providers...

[S]ecurity companies will end up part of Cisco, Microsoft, Google, IBM, or a telecom. I doubt we will have large "security vendors" in the future.

I'd like to extend this prediction (which is not unique to me, of course, but writing it here means I'm planning for the change) from security to IT in general. I re-examined my stance on this issue after reading GE CIO Gets His Head in the Cloud for New SaaS Supply Chain App. The fact that the article talks about GE isn't the specific point (disclaimer: my employer). It's another reminder that IT and security are not the end goal for most organizations: they are means to an end. The only exceptions are companies whose products and services are IT and/or security, e.g., Cisco, Microsoft, Google, IBM, telecoms, etc.

This doesn't mean that "IT [or security] doesn't matter." On the contrary, both are crucial, but history has shown a relentless drive to focus the business on core competencies and away from non-core functions. The definition of core competencies is what matters.

Businesses are spread across a large spectrum. One end might have a (largely theoretical) fully-closed organization that could generate its own electricity, mine its own raw materials, design its own products, staff every seat with employees, design/build/run/defend its own information assets, and run its own sales, distribution, and customer service functions. At the extreme opposite is a firm that does nothing but buy patented ideas and sell licenses, with minimum staff and every other function outsourced.

The history of capitalism has demonstrated the power of comparative advantage, specialization, and division of labor. Businesses continue to migrate away from the do-it-yourself model to the outsourced model, with labor, legal, and security concerns as a few sources of friction.

If you look around your own enterprise you'll see signs that this migration is happening. I'd like to know which of you manage a 3G network? Chances are if you answer yes, you work for a telecoms provider. How many of you keep the operating system on your Blackberry or iPhone patched? If you answer yes you work for a telecoms provider or Apple.

It's entirely within the realm of possibility to imagine enterprise users operating personally-owned assets, with network connectivity supplied by a 3G network, accessing software-as-a-service Web apps hosted by a cloud provider. Oh wait, that is already happening. Anyone who wants to see what the "consumerization of IT" looks like should visit a university campus and see how students learn in the 21st century.

This doesn't mean that universities and other organizations who are embracing this model have zero IT and security staff. Rather, I think it is important to imagine where we (or our kids) could be working in 20 years, if we want to stay in the IT and/or security fields. Many more jobs, percentage-wise, are going to be with providers and vendors, not customers. Consider how many companies maintain their own electricians, phone technicians, and so on. There are plenty of those roles in the modern economy, but they tend not to work for non-electrical, non-phone companies.

Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar.

5 comments:

Bjarte said...

I find this topic very interesting. From an economic perspective, I agree that the IT security function will merge/move in with the providers of SaaS (and other IT providers). To buy a "secure IT service" sounds like a very good idea.

But I am very sceptical of these providers' ability to understand and defend their clients' business security needs. To defend against low-level threats like malware, simple vulnerability-centric attacks and such is fairly easy. (If not easy, at least generic).

But what will the providers do when the client is targeted because of actions and decisions they do and make? They may be exposed to industrial espionage threats in critical phases of a product development. Organized crime may launch a targeted campaign during the holiday season when staffing is low. These examples are not important, but to understand that the dynamics in each business have an impact in the realm of IT security is in my view very important. Normally, the providers don't have access to this kind of information, and cannot prepare and adapt to it. Until such providers have the tools and methods for aligning their IT security service with the business needs of all their clients, I believe there is a real need for in-house IT security specialists.

Richard Bejtlich said...

Bjarte, I think you are right.

Saad said...

Bjarte,

Your point is valid IMHO. Specifically "to understand that the dynamics in each business have an impact in the realm of IT security is in my view very important". But then, it depends on the level of security awareness the business is at or wishing to reach. If protecting against the low-hanging fruit (generic malware, virus, etc.), patch management, automated vuln scan and such are what a business considers "security" (and which I call the bare minimum), then yes service providers are more than enough to get the job done. Anything above this level needs in-house infosec professionals with good business intelligence, which may or may not call in the service providers for help (depending on the situation at hand and available time/skills).

Barry Anderson said...

The other thing to remember is that service providers deliver a product at a price and the more they can cut the cost of delivering that service, the greater their profit. Taken to extremes of course, this means not delivering the contracted service at all and simply taking your money.

Remember, if your criterion for selecting a service provider is "they're big enough to sue if things go wrong", chances are they can field a better legal team than you!

B-)

Rich Friedberg said...

Completely agree. There was a discussion on a security blog recently asking whether or not executives viewed IT as a business enabler, or as a competitive advantage. The results were (not surprisingly) the former. Given that IT is viewed simply as a means to an end (as you describe), organizations approach the problem from a cost only perspective. This, especially in these economic times, will ultimately lead to quicker outsourcing to service providers and vendors (or complete failure of their own networks followed by outsourcing).

Just my two cents...