The demand for information security professionals has never been higher, yet organizations find themselves in perpetual pursuit of what is referred to in the Netherlands as ‘the five-legged sheep’—individuals who are experts in multiple domains of information security. This unsustainable approach not only hinders hiring but also adds unnecessary pressure on existing staff. In this article, I argue that information security is not a siloed domain but rather an integral part of every discipline that deals with information. While this is not a new concept, too little has been done to truly integrate it across those disciplines. The disconnect shows in the many job vacancies for an information security specialist whose listed requirements do not align with the actual scope of the work.
The fight
Organizations often seek information security professionals who are jacks-of-all-trades, requiring expertise in system management, network management, organizational behavior, and even awareness programs. The issue with this approach is two-fold:
- Specialization sacrificed: Specialists are spread too thin, diluting their expertise on complex matters. Given the rapid pace of technological advancements, it’s nearly impossible to maintain in-depth expertise in multiple domains and still legitimately call oneself a specialist.
- Limiting entry: The bar is set so high that it discourages potential newcomers from entering the field. This issue is exacerbated by the perception that information security professionals are evolved forms of other roles, such as network administrators or system administrators. If that is the benchmark, then filling these positions indeed becomes a formidable challenge. What happened to learning on the job as a viable path for career development?
Turning the tide?!
Information security is not a standalone subject; it’s a component of every area that involves information. Instead of funneling all responsibilities toward a few experts, we should:
- Educate existing roles: Integrate role-specific information security training into existing positions within an organization, for example secure coding for developers, hardening and patch management for system administrators, and careful data handling for everyone who processes personal data. This leverages the talent you already have in-house and greatly reduces the need for external recruitment.
- Reduce dependency: When everyone plays a part, fewer specialized information security roles are required. Distributing the responsibility also fosters a sense of ownership among all employees, which in turn strengthens the integration of information security throughout the organization. Again, information security is not merely a problem to be solved by specialists; it is everyone’s responsibility.
Digitalization and AI are making many roles redundant. Rather than eliminating those positions, it makes economic and operational sense to reskill the people in them as information security practitioners.
True value
As the digital landscape evolves, information security grows ever more complex, and the role of specialists becomes more critical than ever. The need for specialists is undeniable, but their value to an organization is realized only when their role is clearly defined and focused.
Addressing complex issues: The role of an information security specialist should be focused on the intricate problems that a generalist lacks the expertise to resolve, such as analyzing advanced persistent threats, implementing end-to-end encryption, or coordinating the response to a complex security incident. By confining their scope to such challenges, specialists provide the in-depth expertise that becomes the backbone of an organization’s security infrastructure.
Mentorship over management: There is a common tendency to promote those with the most technical knowledge into managerial roles. Placing specialists in management, however, dilutes their core competencies as they become burdened with administrative tasks and team management. Their skills are better used in a mentorship role, guiding and educating non-specialists within the organization. This ensures that the specialist’s in-depth knowledge is not confined to one person but disseminated, thereby raising the organization’s overall security posture.
In short, the true value of an information security specialist lies not only in solving problems but in focusing on complex issues and acting as a mentor. By aligning the roles and responsibilities of specialists accordingly, organizations can build a more robust, efficient, and integrated information security framework.