It all started like this ...
Colleague: Are we an industry built on outliers? Built on people who are smarter than the statistical norm/average?
Colleague: And if that's true, can we continue to sustain ourselves as an industry if we're relying on smart people for every aspect of security?
Of course, I couldn't give my friend a simple pass at this and answer with <140 characters over Twitter or simply rant over Skype ... so here are my thoughts on his question(s).
Right, first I'd like to point out that my friend is referring to the Information Security industry by the "we" above. Next I'd like to point out that my answer partially clashes directly with what Marcus Ranum postulated at InfoSec World 2012 on the panel where he said that security (paraphrasing) "... doesn't need to be more technology dependent, when we really need more smart people".
I'll give Marcus part of the argument, but as you'll see shortly, I'm not ready to fully buy into that 'smart people need only apply' theory.
Is Information Security an Industry of Outliers?
To be able to answer this question I feel compelled to fully grasp the definition of outlier for myself and you the reader. Don't think that I think any less of your intellect, because I'm looking this up for myself as well just to make sure I completely and fully understand the question. From the Wikipedia definition, an outlier is a statistical component defined as follows:
"In statistics, an outlier is an observation that is numerically distant from the rest of the data. Grubbs defined an outlier as: An outlying observation, or outlier, is one that appears to deviate markedly from other members of the sample in which it occurs." --Wikipedia
By this definition, the only way that information security can be a group of outliers is if we're considering ourselves within the entirety of the Information Technology realm. Now, while this would be great for my ego to think that myself and all my peers are just smarter than everyone else in IT, I know this to be false.
I say this because I have met lots of really, really smart people in IT that were not part of Information Security, and on the other side of that coin I have met a significant number of people in Information Security who simply drag down the average IQ.
I don't believe Information Security, as a whole, is a field of people who are just simply smarter than the norm. Now, having said that, I do believe that it takes a little something extra to do Information Security as a discipline.
I think it does take a little extra 'get it' to put all the pieces across systems, applications, people, processes and networks together to see threats, find the things that other people simply look past and to steal Apple's quote (obviously with attribution) to "think differently".
I believe that this field of Information Security is one where someone with some extra brain capacity will flourish, but even that's not an absolute given. I can probably point to several people who are really what we consider "book smart" but couldn't figure out real risk analysis if your enterprise depended on it.
So here are a few key observations, then:
- Information Security by its very nature of needing to see/understand the "big picture" requires some extra smarts.
- Smart people tend to do well in the field of Information Security.
- People tend to gravitate to the 'sexy' niche fields in technology - Information Security is one of those.
- It is harder for narrow-minded and "average intelligence" individuals to thrive in Information Security.
- I can find no direct correlation or causality between being intelligent and working in Information Security.
The Natural Hierarchy of InfoSec
Here's the thing, just like in every society and group there is a natural hierarchy of people and intelligence. In our field there are innovators (the top 2% or so), builders (the next 18%), and then those that implement (another 50%).
You may be wondering what's happened to the last 30%... and after a long think and a brief discussion with the person who originally posed this to me - I'll admit that there is a 30% crowd of what we affectionately refer to as drones. There's a good chance that even if you're in the builders 18% you're still 'smarter' than a large chunk of your IT peers - but not necessarily.
- Innovators - These are people who dream up ideas which cross vast technology and human boundaries to accomplish some really interesting things. Innovators, the ones who succeed, figure out how to dream up something that reduces risk, is usable, and doesn't require a complete change in operation; they are a rare breed.
- Builders - While the innovators are dreaming and creating in their minds, these are the people who put their thoughts into action. Action that makes their 'stuff' a reality. Oftentimes the difference between vision and product is some tweaking, a reality check and maybe even compromises... but these folks get that.
- Implementers - Those that do are valuable too. Taking products and 'ideas' and making them work in the enterprise is no small feat. This group includes those that are free thinkers but generally within parameters defined by someone else, and with ideas that are not their own. They range from really smart to those that just sort of 'do' security as they're told from the manuals or the certifications they've taken. It's a mixed bag in the implementers lot, but generally lots of good people work in this group, they make the cogs go round.
- Drones - If you're in this category, you can push a button, and this is likely where your security talent ends. I'll let you work out where these folks come from, what they do and all that - but know they're out there...
Can Information Security Sustain Itself?
As my friend puts it - the ability for Information Security to sustain depends heavily on whether those in the top 70%'ish can pull along the rest, without burning out or falling apart. Without getting into that 99% vs. 1% discussion, this is how the current anti-capitalist movement is teetering... if the people who are the really smart ones, the innovators, the ones who make things happen can only figure out a way to get the rest (the button-pushers) to just move with them ...
So let me re-think that... In a word, absolutely. There is going to be a necessary mix of automation and smart people going into any future I can conceive. Unless I'm way, way off here, I just don't see any time when either automation will be sufficient over the human mind, or the human mind will not require automation.
I'll disagree with Marcus partially because while I think we need to throw really smart people at the Information Security problem, I fully believe automation, mature automation, as an enabler is essential. If we're only looking for 'smart people' we're doomed, folks. You simply can't sustain the level of growth in human resources we would need to make security continue along the technology curve we're on.
Smart people, coupled with lots of mature technology that doesn't live in silos - that's what we're in desperate need of right now. I would argue that we are already equipped with a vast amount of the very great technology that's needed to propel us forward to benefiting the businesses and organizations we serve, but we've vastly under-utilized that technology because we're stuck in an entirely different gear - but I'll leave that to someone else to explain or rant on.
The outlook? From where I sit, I think we're a mix of smart people, smart technology and I feel we have a legitimate shot at continuing on or maybe even improving our own state.
The big question is - what will our organizations require of us into the future? I think as resources that fall into that top 20% are snapped up or wander off to invent - the other 80% will need to work really hard to utilize technology and build processes that are repeatable and enable those that aren't so mentally gifted.
It's all about leveling the playing field across the board and reducing risks... right? On a personal note, I think a lot of the 'are we the smartest?' simply comes from a position of ego... not suggesting this person has an ego because knowing him personally that's exactly not true.
I'd love to hear what everyone else has to say about this. Is the Information Security industry just the smartest bunch of people, all concentrated in one discipline? If so ... what's your proposal for moving forward - and don't say human cloning :-)
Cross-posted from Following the White Rabbit