Friday, October 8, 2010

Future of the Information Security Expert

From the beginning of time, there were individuals and groups who had something which other desire. The object of desire changed throughout the centuries reflecting the state and the norms of the human society at the time, but there was always a need to safeguard the object of desire.
Association between information and power exists from Biblical times, and therefore the need to for information security. One of the means to protect information is encryption which is defined by the Oxford dictionary as an action of “convert (information or data) into a cipher or code, especially to prevent unauthorized access”. According to Fred Cohen (1995) “cryptography probably began in or around 2000 B.C. in Egypt, where hieroglyphics were used to decorate the tombs of deceased rulers and kings”. Base on that, we can safely assume that the need to protect information, such as intellectual property, financial data and medical records, will remain in the near future. Therefore, a position information security expert will exist as well to make sure information remains confidential, accurate and available.
The skill set of the information security expert will have to evolve with the information itself and the methods to store and access the information. For example, if previously information was captured on a printed material and storage required physical security, today information security experts are dealing mainly with electronic date. In addition, methods used to access the information, both legitimate and methods used by malicious users, will have impact on the role of information security expert. For example, number of attacks conducted through web applications increased significantly from 2000. It is further confirmed by the Cenzic (2008) report stating that “the percentage of Web application vulnerabilities went up to a staggering 80 percent”. The same could be said about the training required – it will have to evolve to provide information security experts with the required skill set.
Automation of the information security will have a major influence on the role of information security expert. If previously, network based scans and attacks were conducted manually, today numerous tools such as Nessus, nmap, nCircle and SAINT automate the task. The same trend happens with the web application security. Security tools are catching up with the industry to provide automated tools to identify (and exploit) web application security vulnerabilities. Naturally, automated tools will have their limitation and that is where information security expert will have to fill in the gap. As of today, assessments such as analysis of logical application flow could not be done by a computer, due to a need to understand the application, until it (computer) could pass a Turing test.


No comments:

Post a Comment