One of the nagging doubts I have once in a while is whether our profession actually matters, and if so, then the extent to which it does.
I guess immediate clarification on what "matters" is necessary, since some folks will likely revert to "security is failing" mode, which I don’t believe. What I am really curious about is whether we, as security professionals, can have a significant impact on the security posture of an organization such that it reduces that organization’s risk.
In order to judge the impact, I believe we must evaluate our performance in two ways – first, comparing a security professional’s performance to an untrained (but reasonably savvy) IT person; and second, comparing one security professional to another.
Put another way, if multiple individuals were given the same set of constraints within an organization – time/money/FTEs/assets/culture – do you think that some people would be more successful than others at reducing risk?
Finally, if you believe that some folks are better than others at reducing risk – what are the key components of the strategy that make the difference?
I have now taken to likening security to being a doctor. Most people don't care about the disease, but they want to know the simple steps of what to do in order to make it better. As an industry we seem to have a tendency to all think we are treating other doctors who want to know the gory details, when a compassionate and calm bedside manner is what's really needed.
The doctor analogy is a good one. While MDs seemingly base their actions on science, there is unfortunately all too much reliance on personal experience and ‘intuition’, which may or may not be empirically justified. Even with all that, there’s a reason that we in IT still use the expression “wave a dead chicken” with only some ironic intention when confronted by a difficult problem.