Pete Lindstrom wonders if Information Security Professionals really can make a difference for the company that they work for. He wonders if any IT savvy person can complete the tasks that are typically assigned to information security professionals.
Put another way, if multiple individuals were given the same set of constraints within an organization - time/money/FTEs/assets/culture - do you think that some people would be more successful than others at reducing risk?It almost insults me to have my skills called into question but I don't think that he is implying that what we do is just another task that anyone can accomplish. I think what he is trying to do is help us to think about what, why and how we do what we do. Sound familiar? What I like is that he doesn't just question and move on he asks for examples. What is it that you do to make a difference? What sets you apart from the average IT or security professor?
Put another way, if multiple individuals were given the same set of constraints within an organization - time/money/FTEs/assets/culture - do you think that some people would be more successful than others at reducing risk?I think that the answer to this is pretty obvious. Yes, just as in any profession information security professionals vary in skills, knowledge and ability to adequately secure their environment. If you set up 10 identical labs and took 10 different security professionals you would get 10 different ways to secure it and all 10 would have their strengths and weaknesses.
The key isn't how you do it but that you don't just follow a checklist and that you do what is needed for your environment. Example, the same 10 lab environment mentioned above would require 10 different security postures depending on the company that they were securing and their individual requirements. I think that a good security professional would set them up 10 different ways. Someone who doesn't really understand security but who knows how to secure a network would set them all up identically. That is not security. That is work that could be done by lots of different people.
So, back to the question of what makes the difference between a real security professional and any other person who calls themselves security professional? It is the ability to adapt and think and to take each situation and analyze it and secure it in the way that it needs to be secure, not just a way that may make it secure.