
The present and future of the Information Security professional

By Lucas Santos, May 29, 2020

Technological advancement has brought us to the era of Industry 4.0, in which the resources, services and data of organizations are digitalized: they leave their physical means of processing, sharing and storage and migrate to virtual environments.

Among the countless benefits that this migration can bring, one advantage deserves to be highlighted: the high availability of an organization's resources, both from the perspective of employees, who can remotely access the information they need for their work, and from the perspective of users, who can take advantage of the services offered by the organization at any time and from anywhere.

This advantage is the perfect illustration of the result that digitalization can bring to an organization.

This positive point (among many others) of digitalization serves as an example for understanding the advantages and disadvantages of this transformation, and the care that its use requires.

One advantage is practicality in providing services and meeting user demand.

Digitalization brings organizations efficiency in meeting demands and, at the same time, increases their capacity to serve customers simultaneously. For example, a common service provided by Poupatempo, such as issuing a duplicate document, is resolved much faster and much more securely if it is carried out entirely digitally, without the need to exchange information between humans.

This, among other conveniences offered by digitalization, has led entrepreneurs to invest in this transformation in their businesses in order to add value to the corporation.

This new organizational scenario, where more and more companies are investing in digital data processing and storage environments, makes organizations' businesses increasingly dependent on their digital resources.

And it is at this point that high availability becomes a disadvantage of digitalization, if it does not receive due attention.

After all, the information is available to anyone who wants to access it, and if it does not have proper access and manipulation controls, it can completely compromise an organization's business. In other words, if sensitive information is stored or processed without due care, a malicious person can gain access to it, obtain extremely confidential information and even manipulate it in order to hinder the progress of a company's activities or to obtain some benefit for themselves, for example financial blackmail with hijacked data.

For a time, managing all of an organization's sensitive information, including its processing, storage and access control, was the responsibility of Information Technology (IT) professionals. Over time, the growing number of vulnerabilities and forms of attack forced companies to segment this area and create a team dedicated specifically to controlling and mitigating the risks related to an organization's high-value information. And so, derived from the IT area, the area of Information Security was born.

What does an information security professional do?

Even in simpler environments, the presence of the Information Security (IS) professional can be seen in the access controls and user profiles of a computer network, for example. The larger a company's environment and its fleet of IT devices, the greater its investment in the security of the information and assets considered to be of high value to the corporation.

Currently, there are two major subcategories of professionals in the IS scenario:

  • Those who have direct contact with an organization's network and the technological resources that make it up, identifying vulnerabilities and possible threats and finding ways to mitigate them: the so-called Ethical Hackers, who have the same skills as potential attackers and use them on the organization's behalf. In organizations, it is common to see these professionals divided into two teams:
    • Red team - Responsible for identifying vulnerabilities in a computer network and how they could be exploited. This team's point of view is closest to that of an attacker.
    • Blue team - Responsible for mitigating the threats found by the Red team. They are responsible for defending the corporate network.
  • Those who work in the area of GRC (Governance, Risk and Compliance, also referred to simply as Compliance). These professionals are responsible for applying and monitoring the rules, laws, policies and similar requirements within an organization. To put it simply, we can make an analogy and say that these professionals are the "lawyers" of an organization's IT sector. In large companies, it is also common to see a Corporate Governance area, which serves the same purpose but covers the corporation as a whole.

For both functions, it is common for a company to outsource the work, hiring Information Security consultancies, which have a more focused view of the rules and standards that must be followed so that the contracting company's activities are regularized and documented, in accordance with the rules imposed by the regulatory agencies and laws of its segment.

What is the market expectation for the information security professional?

For professionals in this area, the scenario is optimistic, in both the short and the long term. It is clear that organizations are increasingly turning to digital environments to store and process the information that is important to their business, and investment in the security of these resources should be proportional to their use, even though that investment is still seen by managers of public and private companies as an "expense".

This awareness of the need for data security has grown at the organizational level because of the spread of news about data leaks at multinational companies, and even at public bodies and individuals, affecting users around the globe. It is an awareness that for a long time went unnoticed, but that today exists within the business scenario and can be seen in the emergence and application of regulations and laws that cover this topic in organizations all over the world.

Today we have laws such as the American Sarbanes-Oxley Act (SOx), aimed at the financial control of organizations; the ABNT/ISO 27000 family of standards; the General Law for the Protection of Personal Data (LGPD), based on the equivalent regulation in force in the European Union (General Data Protection Regulation - GDPR); and Central Bank of Brazil Resolution No. 4,658 and Circular No. 3,909, which address cybersecurity for financial institutions and payment institutions respectively. Knowledge of these laws and regulations is essential for anyone who wishes to build a successful career in Information Security.

Given the digitalization scenario presented over the course of this article, we can conclude that the demand for IS professionals tends to increase over time. The emergence of new technologies brings the need to implement security, so the market expectation for IS professionals is very positive. These professionals are already needed beyond the organizational environment, if we consider resources such as IoT (Internet of Things) devices that are being deployed in residential environments.

While some professions face a negative scenario and are at risk of extinction, for the Information Security professional the scenario is the opposite: every day new opportunities arise, and the trend is upward! So, if you are or want to be an IS professional, you can be excited, because the future for us is promising!

Lucas Santos - Consultant in GRC & Information Security at [SAFEWAY]


About [SAFEWAY]

SAFEWAY is an Information Security consulting company, recognized by its clients for offering high value-added solutions through projects that fully meet business needs. Over these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence among our clients, many of which are among the 100 largest companies in Brazil.