
Chapter 5: Conceptual Analysis

5.6 Work Context

5.6.4 Intra-Professional Stratification

This category reflects the role of technology in security management. From the practitioners, government and professional associations, the answer was overwhelming. This group saw Information Security as distinct from what might be termed “IT Security”, the latter being the implementation of Information Security policy by technical controls, such as firewalls, encryption systems and similar technology.

Particularly relevant to this study was the extent to which this separation was seen as a difference both in content and in approach or skill set. With regard to the first, this was both in terms of the “professional knowledge base” and the actual scope of work. Information Security was seen to be the protection of information in any form against any threat. Whilst the storage medium was often technologically based, and hence the attack vector often technical, this was considered to be only a subset of the role.

“Information Security covers IT controls, manual controls, physical controls, logical controls. IT Security covers IT. ... It's not really interested in those kinds of things, segregation of duties between manual processes, which are critical. ... I would say IT Security is part of Information Security.”

[FIN91E-SM15]

Importantly, this view was shared by the government interviewee, something which would be vital to gaining support for a clearly-defined separate profession from IT.

“It isn't just about computers, there's a huge amount of people involved in it as well. I think organisations that focus on the technology will miss the point. Having it in organisations that just do engineering, just do computers, it's not the broad church it needs to be.”

[GOV01E-GV01]

Particularly interesting here was the theme of movement in time. One interviewee described an early security role in very different terms to the modern understanding:

“In [a retailer] at that time security administration was a role that existed, so there was what they would call a security manager at that time. He was more, or completely, operational. ... In terms of ... how would our risk appetite be fulfilled by introducing a particular technology or how wouldn't it be and what were the risks of doing that, there was no knowledge in there at all”

[MIN48E-SM22]

Another contributor suggested a surprisingly short timescale for this movement:

“You know, if you'd asked me twelve months ago, I would have said [that Information Security is part of IT]. Now I increasingly think ‘no’. ... Five years ago I think it was a much more technically-orientated, security-focused role.”

[FIN31E-AN72]

It is not clear that these new socially-informed roles are concrete and stable, since there is little evidence of a closed network and mobilised practitioners; however, a movement towards an industry more grounded in human factors can be seen in this data. This matches the reported increase in regulatory burden and the evolving mixed threat environment, both of which require a more mature and organised security team. Therefore, instead of being a security component of the technical mix supporting the company's IT, Information Security moved to offer the board the ability to control IT on their behalf in security matters, almost switching places in the network.

“I think it's still coalescing as to how this is all going to work for me, but certainly in my head at the moment I see it as a natural move out into some governance”

[CHA31-SM07]

The case of Edward Snowden was noted as an example where technical controls were not seen as paramount. The authorised internal user is typically not only outside the target of many control measures but also capable of deliberately circumventing them. When the threat moves outside the technical sphere, mitigation options rapidly become less tolerable, since it is much more difficult ethically and legally to constrain people than to constrain data flows.

“People who use computers are the important thing; they cannot be programmed, you can't put anti-virus on a person.”

[PRO29E-PO42]

Problematisation therefore begins again, since the technical team has no way to offer a passageway to security on its own and must seek a partner who offers an understanding of human factors. The example was given of closing access only after an employee had given notice, which simply caused the employee to ensure that all exfiltration and abuse had been completed before giving notice. The challenge at this point becomes ensuring that such human issues are raised as important, and hence that business time is spent on addressing them. Indeed, in the wider sense, this position of security near the top of the agenda was seen to be more critical than the technical play.

“The technology challenge wasn't really a huge problem, it was more about getting the buy-in to say these are important aspects that need to be considered.”

[MIN48E-SM22]

It is interesting that there is talk of distinction between technical and non-technical roles almost to the point of dichotomy. The people in an organisation with responsibility for technical security were spoken of in a very separate manner.

“I think there's two types of security people, it's the technical and the non-technical; not completely non-technical but people who are more towards the project governance or security risk management for example or policies and procedures, that kind of area … [Y]ou have IT Security people and you have Information Security people.”

[COM73E-AN44]

“You're going to put a firewall in of course but let's think about first of all what you're trying to protect, why are you trying to protect it. No is the answer, the simple answer is no, it's a separate discipline.”

[ENT22E-SM03]

This is surprising as most of these people were originally technical IT staff. Is this area particularly ripe to be affected by changing training routes in the profession’s supply line? If it is true that security managers and technical staff are separating – and this is of course a theme from literature and one of the primary rationales for conducting the study – then this directly supports an attack on the black box of “Information Security professional”, whose unity of role as was discussed above is central to a claim of an independent profession.

Certainly any assumption that there is a single career through which one might linearly flow, from firewall administrator novice to CISO Grand Master, is highly questionable. There was a considerable body of data which suggested that primarily technical and primarily non-technical paths diverged at some point mid-career, if not earlier.

But for one speciality to graduate to another is not the only option for both to have status. Anaesthetists, for example, do not generally yearn to become general practitioners. The sociology of the professions has much to say on the topic of hierarchy; not just between strata of a single profession but between professions and those spun off below. In the same way that medicine sought to avoid tarnishing the ethereal physician with the mundanity of physiotherapy without losing control over the ground, the competent firewall professional can be governed by the security manager without compromising the status of either, provided both have a place in the network and a well-forged link.

“People recognise also I think the value of nursing alongside the value of doctors, and although one would argue that maybe nursing is junior to doctors people would see them both as having a very relevant position.”

[PRO41E-PO86]

The data here suggests that technical professionals did not necessarily view management (meaning security governance rather than mere hierarchical management) as being a career goal. As the security manager is exposed to the realities of business politics, they make a useful shield from that environment for those whose strengths lie elsewhere. Space needs to be left in the network for a symbiosis between those with the technical skills but no desire to lobby, and those content to seek the higher rewards and wider engagement of management but avoid the rigours of maintaining technical expertise (who thus require the advice and support of the specialists). Whilst many people develop both technical and social skill-sets and could move to a security management track should they wish, the feeling was that in many cases the mindset of an outright technical expert clashed with that required to undertake management tasks.

“I think there's quite a divide sometimes. I've got a guy who works for me ... If I said to him, could you stand up in front of twenty people, even people from our own office and talk about something, that would be the last thing he'd want to do. He'd be quite happy about providing the information for someone else to do it.”

[MAN61E-SM05]

For such people the security manager is a source of technology budget and policies which require technical controls. They lobby boards for the money to carry out what the security-aware staff collectively desire, viz. the implementation of security policies (which will include technical controls, and thus employment). Some compromise is needed on autonomy, but in exchange for isolation from the very social factors which are otherwise a threat to the harmony of the old network. Both become passage points for each other, as shown in Fig. 21.

[Fig. 21 diagram; only its labels are recoverable from the page. Nodes: Board, Security Manager, Technical Specialist. Link labels: Security; Technology Policy; Resources; Power; Shield, apolitical access to resources; Executed Policy; Access to resource; Compliance, security.]

Fig. 21: Potentially peer-symbiotic relationship between security manager and technician.

The distance must not be too great, however. The manager who is technically ignorant must rely on competent advice, and so must seek a technical expert who becomes the OPP to that advice. This reduces the manager's position to that of politician and quasi-lawyer; they are no longer the OPP to a secure state themselves, but the person who coordinates the technical responses required by the operational, statutory and regulatory environment. The literature shows that policies which cannot be technically enforced are useless. A manager operating from complete technical ignorance could easily be undermined by being gainsaid by the technical professional. Such a role of “policy and regulatory specialist” would be valid, but it is much less powerful when it is a direct peer of the technical specialist. Similarly, a manager whose governance environment is seen as overly controlling or unnecessarily arduous is likely to be challenged. In reality, the skills dichotomy is relative; the disgruntled technical professional with political skills would be a powerful enemy to the manager should the relationship break down.

“I think a lot comes down to organisational politics, really. In some companies the technical people can bulldoze their way into getting their way and in other companies they can't, so I think it varies by company and by how much power the different points of view are able to project.”

[TEC72E-AN91]

Therefore, for this sample, whilst IT was seen as only a subset of the task, governance professionals were expected to be sufficiently versed in technical controls to be able to relate risk strategy to the selection of controls and mitigation actions. For several, this meant that a period working with the technology was at least desirable, since it was felt to be easier to add human aspects to a technical background than to add technical concepts to governance.

“The skill sets have moved on and changed a lot, but it’s worth saying that having the technical background ... makes understanding why and how things can go wrong a damn sight easier.”

[MIN48E-SM22]

The overall picture therefore involves a governance professional who has sufficient knowledge in both technical and policy areas to oversee and govern both competently. This requires a range of skills, from some more obviously technical-legal such as forensics (Stahl, 2006) to “softer” aspects such as user education.

“A properly equipped Information Security team should be multi-disciplinary; it should have technical people, it should have people who understand the human element.”

[CHA31-SM07]

The following sections examine more closely the relationship between the manager, the business and the internal client.