Security Isn't Something You "Do"

Newsflash: Just because you work in the "security" industry does not mean you "do" security. In fact, allow me to go a bit extreme and declare that none of you/us have ever "done security." It's simply a distortion of reality and misrepresentation of the facts to say or believe otherwise. Is this an old Schneier-esque point? Perhaps, to a degree... but...

"What would you say you do here?"

The answer varies from role to role... you may be in operations, you may be in audit or quality & performance (I include pentesting in this category), you may be in compliance or risk management, or you may be a specialist in an area such as software development or enterprise architecture. The point here being that pretty much all of these roles fit into the organization without having the "security" label attached. And, that's a good thing...

This thought occurred to me while thinking about the RSA Conference next week. It's huge. Sure, the expo floor for AS-IS was bigger, but the talks... well, I don't know of any conference that has more "content" for you to consume (for better or for worse). In fact, it almost feels like the RSA Conference is bigger than the industry itself. It's also a bit scary when you get right down to it...

As a blogger attending the event, one of the tasks I try to take on every year is to dig through the expo floor and look for anything that appears to be unique or interesting. And, don't get me wrong... there are always a few firms out there emerging into the big wide world of the RSA Conference. However, given the cost of exhibiting and the sheer volume of vendors, it seems decreasingly likely that you'll find those gems as the big business world simply drowns them out...

...which brings me back to my original line of thinking... we aren't "doing security"... we're doing other things that exhibit qualities that include "security" -isms. This begs the question: has the RSA Conference reached the point where fragmentation is not only appropriate and useful, but also inevitable? Time will tell... if not that, then perhaps it's time to re-assess how the expo floor is approached, such as creating a designated, (far) less expensive space for startups and small firms (just a thought).

In the meantime... I challenge people to think about what it is they actually do, and whether this whole "security" label is really benefiting us any more (I don't think that it is). The longer we try to keep ourselves separate from our true peers, the less relevant we will be to those peers. This notion becomes even more important in light of the DevOps model, where IT and development become a single well-oiled machine, and where the theory of constraints is applied to the IT factory.

Evolve or die! Y'all have a nice day now, y'hear? ;)

About this Entry

This page contains a single entry by Ben Tomhave published on February 19, 2013 9:45 PM.
