When it comes to working in security, there are plenty of misconceptions among the public. Many can be blamed on Hollywood, business speculation, and pure imagination. CSO recently spoke to Chris Eng and Chris Wysopal from Veracode, Sanjay Beri from Netskope, and Andrew Wild from Qualys, to get their views on some of the misconceptions about working in and around security.

Security professionals have limited upward mobility

Fact: In the past, for some organizations, information security was viewed as a highly technical, specialized field, often buried within the larger IT organization. However, given today’s dependence upon information technology to conduct business, organizations now understand the critical role information security plays in core business processes. Security professionals have increasing opportunities to interact with the highest levels of corporate management and contribute to an organization’s success, and that increased access to senior management will open new opportunities for information security professionals.

Everyone working in security is a security expert

Fact: The field is actually incredibly specialized. IDS people don’t know how to find vulnerabilities in web apps, and software security people don’t know how to do forensics.

Security pros are paranoid, wearing tin foil hats and holding public key exchange parties

Fact: Recent NSA disclosures have shown us that many previously sci-fi-ish theoretical attacks are real. That said, statistics and economics still tell us that sophisticated attackers are not likely to be burrowed into most security people’s mobile devices or home computers.

Security pros think compliance means security

Fact: The reality is that compliance only gets you so far, and if your security posture is geared only toward keeping you compliant, you’re not going to sleep very well at night. Part of the reason for this misperception is that compliance is the stick CSOs use to drive and get budget for security initiatives. But don’t for a second think that they aren’t using the opportunity to go beyond the regulatory requirements to meet the security needs of the business.

Security and infrastructure/operations will never get along

Fact: While “Availability” in the Confidentiality, Integrity, and Availability (CIA) triad is often perceived as the driving force for infrastructure/operations, the two groups understand the role each must play and acknowledge the importance of all three legs of the stool.

Information security is a very technical discipline

Fact: As is usually the case, overly broad generalizations don’t hold up. Within the field of information security, there are certainly roles that require detailed technical expertise. However, as the information security field moves toward risk management, there is a need for professionals who understand the needs of business units and can communicate clearly in the language of those business units. It’s not all about the technical details; it’s about explaining the risks and presenting options for managing them that include people, process and technology.

Hacking is like it’s portrayed in the movies

Fact: People probably realize everything is exaggerated in the movies, but maybe not to what extent. Lights don’t start flashing when you break into a machine. You can’t crack somebody’s password one letter at a time. When you successfully break in, you don’t get a 3D visualization of the database that you can then “fly” through and explore like a video game. Gibberish characters don’t suddenly transform before your eyes into readable text. Occasionally a real security tool is used in a movie, but it’s not the focus of attention, and it’s on screen for about two seconds.

Security pros value security over productivity or enablement

Fact: While security is in the job title, most CSOs know that a thriving business requires some tradeoffs. You can’t force people to live in a bunker, and you can’t block everything just because it’s new, or you haven’t heard about it, or IT doesn’t directly manage it. The misconception has come about because for many years the CSO hurdle was slow and sometimes impassable, but that has changed a lot over the last few years. While CSOs can’t take anything for granted, and security has gotten exponentially more difficult, the new paradigms ushered in by consumerization and cloud have required a change in posture to stay relevant.

There is never any busy/tedious work

Fact: No job is 100% excitement all the time. A lot of security work involves operationalizing security products, aggregating and analyzing logs for anomalies, writing tools to automate common tasks, and, worst of all, working on tasks or projects that are only being conducted in order to pass some regulatory audit.

Security is all about preventing attacks

Fact: For most organizations, the mission of the information security team is to help the organization manage the risks to the confidentiality, integrity and availability of IT assets. Of course, within the InfoSec team there are resources responsible for security controls focused on prevention, but the current threat landscape requires that organizations also focus on detection, to ensure that any attacks that successfully bypass preventative controls are quickly detected and contained. With a dynamic and evolving threat landscape, organizations cannot depend upon prevention alone.