Adapting to Emerging Technology

Author: Dustin Brewer, Senior Director, Emerging Technology and Innovation, ISACA
Date Published: 13 October 2020

A pentester, security operations center (SOC) analyst, IT auditor, risk analyst and system administrator walk into a bar. The bartender asks, “What are you having?”
The pentester says, “Vodka!”
The SOC analyst says, “Rum!”
The IT auditor says, “Tequila!”
The risk analyst says, “Gin!”
The system administrator says, “Triple sec!”

The bartender pours a Long Island iced tea and serves it to the person standing in front of him.

Yes, it’s unfair to ask one person to do all of these jobs, but this is a recipe for Long Island iced tea.

Now, how does this relate to emerging technology?

Whether it’s the pentester who just found an unpatched Windows XP system on the production network, the SOC analyst who is analyzing packets after a possible phishing incident, the IT auditor who just found way too many policy violations, the risk analyst who just created a profile on a current system with high risk in the demilitarized zone (DMZ), or the system administrator who is restoring a hacked server, the notion of introducing emerging technologies into an existing infrastructure can make practitioners roll their eyes or throw their keyboard out the nearest window. For members of the IT community who constantly deal with attacks, it is difficult to imagine technology moving forward while there are still so many security issues with existing systems and processes.

How can we build emerging secure technology on top of technology that was never designed to be secure? It may seem counterintuitive for a futurist to look toward the past for answers, but one of the most famous (and misquoted) sayings about the past from philosopher George Santayana states that “Those who cannot remember the past are condemned to repeat it.” I am going to add to the plethora of modified versions of this by saying that, for the IT security field, “Those who never learned the past are condemned to repeat it” might ring a bit more true. Most security problems stem from a lack of understanding or knowledge of how technology works. Whether it’s the end user who clicks on a link unaware of the malicious web code lurking behind the URL or the system administrator who installs third-party software without knowledge of critical security flaws within the program, cybersecurity needs to be built into an enterprise’s culture and thought processes.

Santayana also said, “Only the dead have seen the end of war.” To relate this with IT security, and be a bit less macabre, I would say that people in our field need to look at it as “Only the dead or retired are done learning.” There will be innovation. We will be asked to help implement emerging technologies in order to give our businesses the edge they need. The only way to keep up is to learn as much as possible about these advances and the security concerns they pose.

The industry is headed toward something new as far as job roles go (see the terrible bartending joke for context). Another solution may be to learn some of the skills or theories of various job roles. If you are an IT auditor, check out some pentesting courses. Have you been a system administrator for a few years? Visit ISACA’s digital library of resources to see some of the great IT auditor articles and trainings that exist. As job roles continue to merge into one and the evolving demands of the industry increase the ability to quickly switch roles within an organization, better practitioners will emerge in the field as well as more attractive candidates for future employers. So, why not sit down, pour yourself a drink (iced tea, hold the “Long Island”), and learn something new?

Editor’s note: For further insights on this topic, read Dustin Brewer’s recent Journal article, “The Bleeding Edge: Why the Bleeding Edge Is So Bloody,” ISACA Journal, volume 5, 2020.