Over the years, the security sector has grown at an exponential rate. From the beginning, we’ve all made a point of solving problems by throwing as much technology at them as we possibly could. Unfortunately, we learned a few hard lessons along the way, one of them being that these solutions require personnel in order to function.
Meanwhile, as the number of products crept into our environments, something else happened that would change the security landscape forever — regulatory compliance. As if security isn’t already hard enough, now businesses must make complex decisions to meet compliance and still remain viable.
Many private sector businesses are facing the prospect of bankruptcy because they cannot possibly meet the staggering regulatory costs and still remain profitable. Effectively, by trying to solve much of our security problems with technology, we’ve put ourselves in a position where we’re going to spend up to three times the initial investment making those same solutions compliant.
Business managers have to radically rethink all of their business processes. The implications of this are huge. I have personally read some recommendations where business managers have actually suggested removing PCs from certain business processes and replacing them with typewriters in order to remove the associated compliance costs.
What, No ROI?
Another unfortunate side effect of regulatory compliance is that it threatens to permanently label security as a cost center. It’s very difficult for security shops to provide any kind of quantitative ROI on regulatory compliance activities that’s meaningful to management. Typically, this is because most of the benefits are keeping out of jail or paying potential fines.
That said, the road ahead has a fork in it. In one direction you’ll find operations security and the other direction reads business process security.
Because we’ve spent a large amount of time and money cherry picking issues with point solutions, a huge market of products, careers, certifications and technical standards has emerged. Clearly there will always be a place in the organization for technology, however, the availability of personnel required to effectively manage and maintain these solutions has significantly grown.
Look at any college today and you’ll not only find very robust CIS programs but you’ll also find vendor certification programs available as well. Today we have college grads showing up with certificates that mid level and senior techs used to carry. As an example, Cisco is one of many vendors operating within the walls of colleges and more recently, high schools.
What does this all mean?
Much like anything else that becomes saturated, so will the security job market feel the impact. Operations security will see lower salaries than traditionally seen and to that end, you’ll see security professionals looking elsewhere in the sector for more lucrative opportunities. When you can hire significantly cheaper labor that is already certified, much of the high paid legacy personnel will vanish.
Keep IT Simple
Another thing you’ll see is smarter choices when applying technology solutions to business processes and problems. This means a reduction in the amount of applied technology solutions.
I’ve often said that good technology does not trump bad practices. This is the cornerstone of what I’m calling business process security. It’s built around the notion that less is more and in applying this to a business, streamlining can be achieved and compliance costs will see reductions.
Business process security will bring professionals to a new level of understanding in terms of core business processes, where the security professional will identify security and business inefficiencies that can be removed from the overall business flow. As you prune off useless and low efficiency business processes, you can also remove security solutions that exist solely to support these functions and to that end, maximize profits minimizing associated compliance costs.
As a result of these activities, you may find that the cost of compliance will fall significantly. Only now, you can measure success in hard dollars. This will provide security managers with true ROI directly associated with security activities. Ultimately, that gives executive level management a sense that security plays a vital role and generates positive ROI.
Security budgets may also see an interesting shift in that executives will be more willing to fill the security till when it’s seen as a positive return to the enterprise. Another thing you may also see is more specialized personnel brought onboard to assist in these new business security activities, and that folks, is where the high paying security salaries will exist.
To sum it all up, there will be lower paid trench workers mired in the daily activities of operational security and there will be those who will align themselves with every business unit in order to maximize business, regulatory and security processes.
Which road you choose is up to you. However, if you’re looking for the pot of gold in the field of security, I suggest that you avoid operations and quickly slide into the business side of security
This article was first published on EnterpriseITPlanet.com.