When Were They Not?

“All IT Jobs Are Cybersecurity Jobs Now” goes the headline on a recent Wall Street Journal article, and the subhead reads “The rise of cyberthreats means that the people once assigned to setting up computers and email servers must now treat security as top priority.”

It’s like these folks—both in the IT arena and in the reporting media—have just had an epiphany.

The global “WannaCry” ransomware attack that peaked last week, and has affected at least 200,000 computers in 150 countries, as well as the growing threat of Adylkuzz, another new piece of malware, illustrate a basic problem that will only become more pressing as ever more of our systems become connected: the internet wasn’t designed with security in mind, and dealing with that reality isn’t cheap or easy.

No, it wasn’t.  But it’s not the Internet that’s at the heart of these failures.  It’s the company connections to the Internet, and the corporate human employees who aren’t being trained in how to handle the company’s connection to the Internet, that are at the heart of these failures.  IT has—or should have had—security at its heart from the time the first companies connected themselves to the Internet.

Even if nation-level espionage might not have been on the minds of private enterprise, the proprietary nature of company information and the fact of corporate espionage are as old as corporations.

Christopher Mims, in his article at the link, offered some sound advice for today.  That the advice should have been obvious yesterday in no way invalidates it for today.

  1. Retrain IT staff on security—or replace them. In today’s world of ever-multiplying threats and dependence on connected assets, all IT staff must now be cybersecurity staff first.

Indeed.

  1. Push everything to the cloud. It used to be the job of IT personnel was to build and maintain the tools employees need. Now, pretty much anything can be done better with a cloud-based service.

I disagree with this.  The cloud is no more securable than a corporation’s internal network—and when (not if) the cloud gets hacked, it won’t be only one company’s stuff that gets stolen or held hostage.  Even if it’s only a company’s internal cloud that gets hacked, the whole of the company’s innards gets exposed.

  1. New IT investment will need baked-in security.

Can I get an amen, brothers and sisters?

One thought on “When Were They Not?”

  1. Yeah, I agree, speaking as an actual computer scientist, that cloud thing is *terrible* advice, but I also understand why the WSJ said it: it’s the same basic principle as Google et al. pushing two-factor authentication even though it’s provably less secure – they don’t trust the users to be competent. Cloud services are much less secure than an individual organisation’s in-house architecture *should* be, but much more secure than an individual organisation typically is in practice. The problem is that the three recommendations are then at odds: if your IT staff are cybersecurity staff first, and security is “baked-in”, you should be able to trust them far more than you can trust the cloud. Naturally, the WSJ doesn’t realise this, of course.
