It’s an exciting time for the security profession, given the major changes that will be introduced over the next 12 months. I thought this would be a good opportunity for me to set out my own vision for the future, in the context of that changing environment. I would be interested to hear your thoughts on what follows.
I think that all of the roles within our profession are about managing risk, but the language we use sometimes gives the impression that security is binary. We must never believe that something is completely secure – we apply our skills to mitigate risks to an appropriate level and to advise on residual risk. We need to focus our language on terms that help bring to life the measures we have in place and the risks that remain.
As a profession, we should embrace the world of cyber security. In many departments, I see that the security world and the cyber world are somehow seen as separate, or different. In reality, the skills that have underpinned our approach in the past (what we used to call information assurance) are a critical part of the future, especially in terms of how we manage cyber security risks.
Physical and personnel security skills remain key and we have to retain our ability to manage risks in a holistic way. The rapidly evolving cyber world impacts our physical and personnel environment, not just our technical environment.
There is a national skills gap in technical security, so it is no surprise that this is one of our biggest challenges in the public sector. We need to bring together the range of initiatives that are underway, in order to provide a springboard for the development of the skills we need for the future. We will do what we can from the centre, but the challenge is an individual one too, and we should all rise to it.
We are about to begin the pilot for the new security framework, agreed through Cabinet Office earlier this year. This and the forthcoming launch of the new National Cyber Security Centre present a huge opportunity for our profession to rise to the challenges I’ve outlined above.
This is the start of an open conversation about the future of our profession, which I will continue to blog about. But let’s grasp this opportunity and rebuild our capabilities across the security landscape.