Re: Quote cybersecurity unquote

["Paul D. Robertson" <paul () compuwar net>]

Stephen P. Berry wrote:
> It is apparently national cyber security awareness month, a fact which
> I was made aware of by a bunch of fluff news pieces.

 I completely missed it, but I'm considering doing another advocacy thing
 like Personal Firewall Day, but longer- but it won't be in November, and
 it hopefully won't be under the radar.

> This got me thinking:  is network/information security, in the sense that
> long-time readers of firewall-wizards have practiced it, a dying 
> profession?
> In the aforementioned news coverage there's prominent discussion of
> so-called hackers for hire, but none whatsoever of the sort of systems 
> and
> infrastructure-focused work that I think of when I think of `security'
> in the abstract.  Of course this is partly due to media reporting on a
> technical subject---hackers make good copy and backups and ACLs 
> don't.  But
> it also seems to reflect a change in the job market as well.  I've been
> looking at job postings lately and there doesn't seem to be as much 
> demand
> for the general `security guy' the way there used to be---that sort of 
> thing
> apparently mostly being shifted up to the CTO level (and therefore 
> producing
> nothing but whitepapers) and down to the developer level (and therefore
> producing nothing at all).

  I don't know about the job market, but I assume all this pen testing
 hoopla has someone actually doing the remediation, though I guess it may
   the the companies doing the testing- that's certainly my current model.

> This seems to be part of a general move away from what used to be the
> traditional production operations systems and network administration 
> model.
> I'm sure everyone is familiar with the trend already, but I'm talking 
> about
> the move toward cloud-based/virtualisation-based `solutions', and the
> corresponding belief that such infrastructures don't require dedicated 
> staff,
> and can be maintained either by programmers/developers or by 
> third-parties
> (e.g. the hosting service provider).
>
> Of course I find this a little unsettling as a professional (on a good 
> day)
> working in the industry.  But it also looks like a recipe for disaster
> entirely from a logistical standpoint:  networks and application 
> archtectures
> running on them are getting progressively more and more complex, and more
> and more is riding on them, while at the same time less and less 
> resources
> are being devoted to the nuts-and-bolts design and implementation details
> below the this-is-where-the-customer-pays-us application layer.
>
> Is this just me being a grumpy old BOFHish sysadmin, or does this jibe 
> with
> other people's perceptions as well?  Is so, what's the fulcrum to which
> leverage can be applied to shift the situation, if one even exists?

 "Security as a Service" (*hack* </BillTheCat>)

 I think dedicated security companies testing and remediating is probably
 the most likely new model.

 Paul

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards