A couple of weeks ago, I was pleasantly surprised to find that Neil Gershenfeld would be giving the keynote at a large East Coast security conference I was attending. I’ve been a fan of the fabrication movement pioneered by people like Gershenfeld for a few years. I’ve been humbled to see how tools like 3D printers and laser cutters are starting to improve lives and empower communities. Consider the e-NABLE project, which fabricates prosthetic hands for children, or various up-cycling projects in the developing world to reduce pollution by reusing computer parts or plastic waste.
Gershenfeld spoke of fabrication disrupting production and consumption, reinventing the way we work and live. His ideas alternately perplexed and excited everyone in the room, and at the end of his talk he had more groupies lined up to meet him than William Shatner at a sci-fi convention. But what was someone like Gershenfeld doing in a room full of people whose careers were based on finding faults in systems and software? I had reason to hope that I wasn’t the only security professional tired of the worn-out breaker mentality so prevalent in our field.
Maybe the tendency towards narcissism in the security community is finally starting to shift. Many industry veterans I know no longer feel the need to constantly display their prowess by exploiting vulnerabilities. They’re also burned out from repeatedly addressing the same problems with no apparent end in sight. Perhaps the industry is evolving because its participants are maturing: they have families who depend on stable and safe technology. But more likely the change has to do with organizations questioning the value delivered by information technology groups and, by extension, security teams. The stakes are higher as breaches get larger and more frequent, and those who are in the business of safeguarding digital assets are being held accountable when losses impact the bottom line.
At Gershenfeld’s keynote, someone asked what security professionals could do to support this evolution in the way we use technology. Shouldn’t this start with an attitude adjustment? The truth is that as much as we want it to, the security tail can’t wag the dog. Security controls only matter if they add value and don’t become an obstruction to the business.
Instead of fearing change to our reactive security processes and checkbox procedures, we should restructure them by focusing on operationalizing security. Most of the security problems that plague our organizations are still basic ones, solved by simple controls: configuration management, system build templates, access management based on data and user classification, and embedding responsiveness to alerts into our systems. By approaching security as a feature instead of an end in itself, it becomes everyone’s concern and is more likely to be implemented, no longer a unique skill reserved for someone with a special certification.
Security professionals no longer need to be the center of attention in a room full of technologists. We are simply subject matter experts called upon for guidance to help improve a product or project. This may change the nature of our jobs as digital cops, but ultimately anything that furthers the business will benefit information technology and security groups. Once security teams finally abandon their self-centered need to be a gate, grinding business to a halt, we might actually see progress that will make our jobs truly rewarding. The aim isn’t to increase the security budget, but to collaborate with a team to improve our workplaces, our organizations and maybe the world.