Will 2013 be the year of the cloud security professional?
This year will see the genesis of a new type of security professional - the cloud expert. Will there be enough to go round?
Although there is a lot of weight in the argument that there is no such thing as an 'IT Security Guru' who knows everything about everything, I think it's equally important to put the kibosh on the claim that specialisation in a single field is truly possible either.
Or rather, I should clarify, that I don't think it's possible to be truly effective within an IT security professional role without having a broad view of the bigger picture as it relates to security threats. The bad guys are not blinkered, they look for any and every avenue of attack, and in order to properly defend corporate data the good guys need to be able to see the potential for infiltration wherever it may be initiated. That said, a best practice requirement for holistically-minded folk does not diminish the pressing need for placing them within the role of the cloud security professional.
Indeed, a recent IDC/Microsoft report was pretty adamant that the cloud sector is more than just a buzzword bingo jackpot; it's one of the places where job creation is positively rife.
Within the next three years, the report claimed, there will something in the order of seven million cloud-related jobs created globally, and as we start this new year there are fast approaching two million job vacancies within the cloud market that, it seems, are not being easily filled right now.
This growth (26 percent per year) comes against a background of an IT sector which, while not actively depressed it has to be admitted, is not exactly growing in anything other than very modest terms. The report itself didn't focus on IT security, instead contending that the 'broad skills focus' that I mentioned earlier was the missing link in the employment-filling chain. It suggests that the cloud is driving demand for well rounded individuals rather than straightforward techies, that what is required to satisfy this growing demand for jobs is a mix of IT and business skills.
I happen to agree, and cannot help but think it applies particularly appropriately to the specific demand for cloud security professionals. Think about it; businesses moving to the cloud require security roles that can deal not just with defences against attack, but also handling the transition of that business and its data defences into a cloud-based environment. That demands the wider view, one that is aware of legislative and compliance issues, can cope with the juggling act that is data sovereignty in the cloud, has the vision to appreciate that the threatscape is changing and adapt accordingly.
The ideal cloud security 'specialist' (although I use the word with more than a little hesitancy) will obviously need virtualised server system skills spread across multiple platforms, along with a thorough understanding of how identity management works across those platforms both in and off cloud. They need to be risk managers, in the very truest sense of the word, capable of solving problems and pro actively preventing them simultaneously. They need to be at the very top of the IT security game, or at least coming into the field with the correct focus on the skills that matter: virtual environment security and identity-based security in other words.
This will lead to an increased emphasis on the need for better training and education as far as IT security is concerned. Without it there is a very real chance that the kind of graduates required to take on the cloud challenge will not be nurtured, and just as importantly there won't be enough people to fill the gaps and take up the slack created by the exodus of highly-skilled IT security professionals within the enterprise as they head into the cloud where the remuneration and career advancement opportunities on offer will be increasingly hard to resist.
Going back to where I started with the question will 2013 be the year of the cloud security professional?, I think the answer is clear enough: it already is. The real question, therefore, has to be 'are you up for the challenge?'