A response to “Thinking About the Future of InfoSec”

I recently read an article by Daniel Miessler that’s been making the rounds about his predictions for the future of cybersecurity. He talks about changes to organizations, the market and the day to day of cybersecurity professionals. His post is definitely worth a read. I also decided to write down some of my thoughts in response.

The original article can be found here: https://danielmiessler.com/blog/thinking-about-the-future-of-infosec-v2022/

Organizational Changes

Miessler’s main prediction in this area is that security will transition from a discrete area to an embedded one. That it will fold into general engineering and operations and that it will be “[become] a smaller oversight function up with the C-Suite, with strong collaboration with the CFO and the head of legal.”

Not going to lie, I like both of these concepts. Security is by its nature an exercise in risk management and most professionals will tell you that the human and policy aspect far outweighs the IT one. Organizations, where security falls under legal, are not unheard of and I wouldn’t be surprised if it became more popular. However, I don’t particularly see this as the “future” as opposed to an option that will be more appealing to certain companies.

Replacing a dedicated security organization with functions embedded into the rest of the organization is nothing new. Organizations, especially product ones, frequently shift from vertical to horizontal to a matrix and then back again to vertical. I feel this is more of a trend cycle than a one-way maturity function. 

Day to Day Changes

These predictions continue to elaborate on the absorption of information security into the greater risk management effort as well as talk about the continued commoditization of the security profession.

Miessler describes a transition from “Wizards to Accountants” with the future state of security resembling a factory. I would agree that process repeatability is a sign of a mature organization and industry. However, I’d argue that the transition here has already occurred and is more dependent on the maturity of the company than the industry. The primary types of jobs Miessler predicts are connecting things together, doing data analytics and process management. Again these are the same types of roles I see in the enterprise today. When I work with a company, I choose a mature tool, an accepted framework and established processes for implementation. There’s not a lot of wizardry that you wouldn’t find in any other type of IT or infrastructure role. Additionally in non-security operations, which is a much more mature field, we still have plenty of wizards; there is just a lot of process and metrics built around it. A lot can be solved by good playbooks and automation, but there is still a never ending stream of obscure bugs that require a creative “wizard” type.

Miessler also talks about AI making a significant effect on the industry and that AI and automation will become inseparable. I think this is to some degree true. The amount of data generated by an organization has long surpassed the amount that can be manually reviewed. Automation is already needed and already exists. AI solutions, in my opinion, have not given us necessarily better results than traditional algorithms. They do however very easily improve the speed in which those algorithms can be developed. That being said, I hesitate to go so far as to say that they will replace analysts to any significant degree. I could see them just as easily generating more insights and thus increasing the number of analysts needed by an organization.

Changes to the market

The last type of changes Miessler discusses are those to the market itself. The predictions that stood out to me are that regulation will continue to have an increased role in driving requirements, that insurance companies will have more influence and become larger players, that the industry will favor general technology companies over security-specific companies and that the large centralized solutions will dominate the enterprise space.

I happen to agree with the first two predictions. Cyber regulations are becoming more commonplace and given the speed of government, it only makes sense that they will continue to mature over the next few decades. Cyber insurance is already a reason for many requirements and that they would become more involved. 

The favoring of general tech companies over security companies seems reasonable. Already you can buy security products and even analysts from the likes of IBM, Microsoft and Google. However once again I wonder if Miessler is confusing maturity with trends. Conglomerates grow, then dissolve on a cyclical basis. GE was a huge company but now it’s split, conversely, Disney is larger than ever.

The large centralized solutions that Miessler talks about remind me of SAP. While I don’t strongly disagree that this could happen, I’m not entirely convinced it will. SAP’s creation of an essentially closed garden and ubiquitous ecosystem was not the result of it beating out competitors but instead the result of it being the only alternative to creating it yourself. Today’s cyber ecosystem is already full of vendor offerings that all integrate and connect to each other because they must. I can’t imagine it going backwards.

Closing thoughts

I imagine that many of Miessler’s predictions will come to pass. The question I see is not when, but for how long. A lot of these predictions have already begun. I feel many of them represent a future trend more than an end state. Still, Miessler does present a well thought out and interesting view that is worth considering and thinking about. All in all, I enjoyed thinking about the future and look forward to seeing if he makes any updates as time goes on.