The Trouble with Security
The rise and fall of the Microsoft security superstar
At the beginning of the new millennium, Microsoft dominated the computer operating system space but was beginning to face competition from Linux/UNIX, which was considered less user-friendly but more secure. In the past, security hadn’t been a big deal because most computers were operated either as completely standalone machines or as part of a closed local network.
But in the late 90s, that had started to change. The Internet had evolved from a relatively exclusive domain populated mostly by an elite group of government and academic employees and geeky computer hobbyists to a commercialized global venue. The blessing/curse of advertising and economies of scale had made it affordable to consumers and everybody suddenly wanted a ride on the Information Highway.
Of course, this created a very attractive hunting ground for technically savvy criminals as well as mischievous teenaged hackers, and viruses and worms began to proliferate. Security – which had been considered only as an afterthought if at all – seemingly overnight became a Very Big Deal. In 2002, Microsoft got serious about security, launching the Trustworthy Computing initiative.
At the Microsoft MVP Summits back in that time period, those of us who specialized in enterprise security were treated like royalty. We had the best parties, the best gifts, and we always got the “rock star” speakers such as Steve Riley and Mark Russinovich at our conference sessions.
At that time, Microsoft was heavily invested in a whole line of security-related software products that were marketed under the Forefront family umbrella, including our beloved Threat Management Gateway (TMG), the company’s enterprise-level firewall and proxy server that evolved out of the Internet Security and Acceleration (ISA) Server that was designed to be Microsoft’s counterpoint to Check Point, the leading software firewall at the time.
Those were the glory days. As we’ve progressed into the second decade of the twenty-first century, things have changed. Microsoft has discontinued most of the Forefront line of products. In 2012, the company dismayed many of its customers, as well as MVPs, consultants and partners who had built careers around ISA/TMG, by announcing that they were discontinuing their firewall software.
For Microsoft, it was a business strategy that made sense in the context of their new “cloud first” philosophy. In regard to “legacy” on-premises server installations, more and more of the features formerly found in separately-purchased security products are being added into the server operating system itself. It’s a win/win for companies that now don’t have to pay extra to get those benefits.
In 2014, as part of its restructuring program that included a large number of layoffs, Microsoft shut down the Trustworthy Computing Group.
It’s not just a “Microsoft thing”
This changing landscape for IT security professionals isn’t specific to any one company; Microsoft just happens to be the one with which I’m most involved. The evolutionary process is occurring throughout the software and services industry. Security is being “absorbed” and now is – as it should be – an intrinsic part of designing each product from the ground up. That’s good news, except perhaps for the security professionals who found themselves “homeless.”
It’s not that the job market for those with security expertise is down. On the contrary, demand for “cybersecurity” personnel is high in comparison with other IT jobs, and salaries are high, as well. But the reason for that is that there is a serious shortage of people with the requisite skills, and unfortunately many of those who have years of IT security experience find that their skills don’t fit the new positions.
The problem is that so many old-school security pros are focused on outdated technologies such as firewall administration. Today’s network environment is less about setting up a fortress at the perimeter and more about protecting data where it resides, as it moves from one location to another over the network and when it’s in use. The old concept of “computer security,” as its name suggests, focused on securing systems. The new paradigm is much more complex.
The cloud, of course, is one of the factors that has brought many changes to how we look at computing and in turn, how we think about security. Increasingly, much of our data and applications are residing on servers in data centers “somewhere out there” and physical control of those servers has shifted from in-house IT staffs to cloud provider personnel. At the same time, we still bear the burden of the final responsibility for the security of our assets even though we have less hands-on control over it.
Once upon a time we could wrap a protective layer of security mechanisms around a local network or subnet of computers – most of which were standardized with the same operating systems, applications and configurations – that were located within one physical and logical area. Today, our business networks are made up of all sorts of different types of hardware devices (desktop systems, laptops, tablets, smart phones) made by many different vendors that are running different operating systems and a wide variety of both business and consumer apps. Many aren’t even owned by the company but are purchased by employees and used for work as part of a BYOD program.
This highly mobile and much more independent workforce brings brand new security challenges that can’t be dealt with using the old tactics. At the same time, the hackers and attackers are growing much more sophisticated. Malware has evolved far beyond the simple viruses and worms of yesterday. Cybercrime has turned into an organized and highly lucrative industry of its own, much of it perpetrated by foreign interests, including nation-states with a vast amount of funding.
Yet many security professionals are still operating as if we were stuck in the 90s. A survey conducted by ESG in early 2014 indicated that a large percentage of security professionals were not familiar with Command & Control (C&C) techniques, polymorphic and metamorphic malware, and a surprising 29 percent weren’t even very familiar with zero day malware.
If you read the paragraph above and said, “What’s that?” then you just might be one of those security pros whose skills are in need of a little updating.
Bad news, good news
Good news for security experts tends to be bad news for computer users and businesses. The good and bad news circa 2015 is that there are new forces that are once again driving security to the forefront (so to speak) of IT.
One of the most important of these is the highly regulated environment in which so many organizations now operate. Government and industry mandates mean that a large number of companies can no longer view strong security as an option; they have no choice except to invest in better security if they want to stay in business and avoid sanctions, fines, lawsuits or even, in some cases, criminal charges.
This is bad news for those companies because meeting security compliance guidelines can be frustrating and confusing – not to mention costly. It’s good news for security professionals who recognize the opportunity because most organizations need someone to help them with the process, either on staff or as a consultant. Many organizations are struggling to navigate the treacherous waters of compliance and are looking for experts, particularly those with specialized expertise in particular vertical markets such as health care and financial services.
Most regulatory compliance issues are aimed at protecting the personal data of clients, patients, etc. Data breaches can have serious ramifications not only for the individuals whose sensitive information is exposed but also for the companies or organizations that allow it to happen. In addition to penalties imposed by the regulators, such companies can find themselves with severe public relations problems and loss of business as their reputations suffer.
The good news, for security pros who are willing to learn new ways of working, is that the new security skillset will be more in demand than ever.
Adapting to change
To remain relevant and thrive in this brave new world of cloud-centric, user-driven, multi-device IT, professionals must start to think globally, both literally and figuratively. It’s vital that you keep up with the ever-changing threat landscape as well as new means of protecting against more traditional threats.
Because the focus is on protecting data, security professionals have to change their mindsets from the idea that security is only about keeping things out (malware, viruses, etc.) and understand that it’s also about keeping things (protected data) in. Mechanisms for filtering and blocking outbound traffic have become just as important as those designed to detect and prevent threats from coming into the network or device.
Most important, though, today’s cybersecurity expert will need to develop soft skills in addition to technical know-how. Understanding network protocols and infrastructures and software vulnerabilities and exploits is still a requirement, but it’s no longer enough. You’ll need both excellent analytical skills and the ability to communicate effectively with people at all levels within and outside the organization, and to make highly complex concepts understandable to non-technical individuals.
More and more, the distinction between IT pro and developer is blurring, and security pros who consider themselves to be squarely in one camp or the other may find themselves without a camp at all. Today’s security pro needs an understanding of general programming, secure coding practices and scripting languages, as well as a good grasp of networking architecture, administration and management.
Nobody said the transition was going to be easy, but for those who successfully make that transition, the future looks bright.