Keeping focus is always an issue for everyone. In today’s world we have our smartphones on us at all times, so it’s easy to lose focus on our current task. Distractions are a way of life now. Being the father of 3 kids, my life is full of distractions. However, distractions are also a major issue in cyber security: from an enterprise trying to decide what to spend its budget on, local antivirus or firewalls, to an infosec professional deciding what area of infosec they want to get into.
It seems there are many options out there when it comes to cyber/information security. For the large enterprise or the small business it is important to understand and mitigate the risks that are in front of you. It all comes down to “risk management.” You need to look at what you feel the greatest risk to your business/organization is. If you feel the greatest risk is receiving a malicious email/phish, then you should spend a lot of money on your local client protection (AV, local firewall, host-based IDS). If you have a web application that handles credit card transactions, then spending your budget on web application firewalls and development security programs might be the direction you want to start looking at.
There is a concept used in medium to larger businesses called DevOps. With the proliferation of cloud services such as Amazon AWS and Microsoft Azure, developers are able to spin up servers and resources as needed. There is no need to have IT staff “rack and stack” physical servers anymore. The concept of DevOps is where the development teams are either working with or ARE the Operations team. Adding security into that process is very easy to do. Automated security scanning in the development pipeline is always a good idea as well. I will have another post about DevOps vs DevSecOps later.
From the macro level of focus for an organization, let’s move to the micro level of the cyber security professional. Just as in any career path, there are many directions one can go. A doctor can choose radiology, emergency medicine, pediatrics, orthopedics … the list goes on and on. Just as in medicine, there are different paths a cyber security professional can choose. Do you enjoy cracking passwords? Do you enjoy breaking wireless? Do you want to physically test security controls like door locks and entry sensors? Do you enjoy breaking into websites?
My career has led me down a few paths, but has ultimately led me to application security, mainly web application security. I chose this path because as network security layers get deeper and deeper, the path into an organization becomes more and more indirect. I believe it’s important that web applications be as secure as possible while at the same time allowing the customer the best possible experience. I also believe that security can be “baked” into the development process at the beginning, DevOps (DevSecOps) :).
So focus is an issue that we need to deal with. I wish I had the answer to which area is the best for our attention; however, I truly believe it comes down to each person or organization. Each person needs to figure out what their passion is, or where they feel their biggest risk lies.