
Blog Author

David Lacey


The Jericho Forum
Honorary Fellow

David Lacey's blog 06-12-2009 22:59

Seven skills for the future information security profession

Last week I was lecturing at Royal Holloway University of London, as I’ve done for the past ten years or so. I’ve noticed a steady increase in sophistication in the audience over the years, and more recently an encouraging urge to challenge accepted wisdom. It’s a reassuring trend, as many of today’s practices are questionable and future security requirements will demand a different set of skills from the ones we tend to find in security functions today. So what are these skills? And why aren’t we grooming our apprentices in them?

Let’s answer the latter question first. One reason is because security managers don’t seem to be very good at forecasting emerging trends. Two leading information security institutes, ISF and ISC2, have attempted to predict future skills from member surveys. Unfortunately, that’s not a reliable method of forecasting the future. The questions might not be the right ones (you don't know at the outset) and many of the members polled will not have the insight or time to make a realistic forecast. This is why these forecasts look more like a blueprint from ten years ago for the in-house function of a major bank.

Any kind of future planning requires three things. Firstly a selected group of subject matter experts and researchers that collectively possess knowledge of emerging trends in security, technology, politics, business, legislation, economics and social science. Secondly an environment in which they can pool knowledge and explore interactions between emerging trends. And thirdly a process in which they can ‘wire together’ a realistic road map of events, developments and impacts. There are existing methodologies for this, such as Technology Road Mapping, a process I’ve used many times with reasonable success.

In the absence of a proper planning exercise, I shall have a go at using my own intuition to forecast some emerging core competences that we will need for the longer term. Some things seem very clear about the long term future. Firstly most infrastructure and applications will be in the cloud rather than in-house, requiring more user education and less operational security. Secondly, risks will get bigger, more sophisticated and more damaging. Thirdly, regulatory compliance will get tougher and the penalties for failures more severe. And fourthly, social networks will be the primary means of communicating with company staff.

Thinking on these points, here are my seven top skills for the future security professional.

1. An understanding of psychology to plan interventions that might actually have an impact on the behaviour of staff

2. Social networking skills to influence and harness the support of large numbers of users and customers over social networks

3. Skills in marketing communications to design compelling, effective awareness campaigns and materials

4. Strong commercial management skills to specify and manage security across business partnerships and outsourced supply chains

5. Sophisticated crisis management skills to safeguard the organisation’s intellectual assets (not just the data) in the likely event of a major security breach

6. Digital forensic skills to detect and prove when an intruder has infiltrated or modified the organisation’s intellectual assets

7. A sound knowledge of legal and regulatory requirements and issues 

In addition, a thick skin to take the flak from our increasingly brutal management teams might also be a useful survival skill. Further suggestions are of course highly welcome.



Permalink:
http://www.infosecurityadviser.com/view_message?id=162


Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs