There are no cooks in space.
Think about it: When we picture the great seagoing voyages of discovery, there were cooks, chandlers, medics, and all sorts of other support staff. But that's not the case in space. And the reasons why have critical echoes for professionals in cybersecurity.
Today, it costs roughly $10,000 to put one pound into orbit. If you pick a weight of 150 pounds for a space cook, that means it would cost $1.5 million just to get the cook into orbit. Add in food, clothes, and all the other material required to support a human, and it starts to be an awful lot of money for someone to sling hash for astronauts.
The cost of putting stuff in orbit means that everything that goes into the payload section of a rocket has to be directly tied to the mission at hand. There just isn't room in the budget for much in the way of support.
When you talk to executives in enterprise IT today, you hear some of the same language. Everything -- everything -- that companies are doing right now is focused on bringing in revenue. If it isn't tied to the balance sheet's top line, it's not a priority.
We all have to admit that security is rarely tied to increasing revenue. Business trends have somewhat predictably swung between definitions of "core competency" that were laser-focused on the primary product or service being sold, and those that include all important support tasks. A global pandemic has moved the needle squarely toward the "laser focus" side of the spectrum. And that means many security professionals find themselves feeling like a NASA astro-cook: It's a nice idea but an awfully expensive way to get the job done.
At the same time, though, what we haven't seen is a broad enterprise move to the modern astronaut model in IT. On modern space flights, there are no cooks because the astronauts -- typically highly trained test pilots, PhD scientists and engineers, or both rolled into a very highly skilled package -- cook their own food. They also straighten up after themselves, clear any sanitation issues, and act as mechanics for the craft when something goes wrong.
In all of these cases, the focus is on the mission and the people carrying out the mission. The support functions are simply tacked onto their primary tasks. In business, you tend to see this degree of task-stacking in only the smallest companies, where the assumption is that the various support tasks won't actually be done very well. Specialization and expertise are benefits that larger enterprises are presumed to be able to access: Will the coronavirus epidemic take away these advantages as it takes office culture and free coffee?
Competence, Cost, and Core Business
Anecdotally, enterprises are responding in a couple of ways. First, they have for some time been shifting perimeter protection and security analysis to managed security service providers (MSSPs). As I talk with CISOs and CIOs, it seems that the pandemic has accelerated this transition, even as organizations work to firm up the knowledge necessary to properly write contracts and manage relationships with the service providers.
Next, there are companies that have decided to list security in the "nice to have" category, accepting the risk that they might have a security incident before they're able to restart their normal spending.
Some companies say they're adopting something closer to the astronaut model, adding security responsibilities to the job descriptions of IT generalists and even line-of-business employees. While some IT generalists can become quite competent at IT security, turning enterprise "mission specialists" into cybersecurity staff isn't realistic, if for no other reason than that cybersecurity has become a complex and demanding specialty. Most organizations feel they've done well if they can move employees out of the "adversary" category and into a neutral classification -- pulling them all the way into the "security staff" category is an orbit too far.
Ultimately, the question will come down to security's value to the organization's mission. Over the past few years I've had many conversations with CISOs and other senior cybersecurity executives about what might take security out of the purely expense accounting category. While I've heard many optimistic statements about reducing transitional friction for customers and employees, most experts acknowledge that security is an expense rather than a revenue-producing activity.
Right now companies of all sizes are re-evaluating expenses once thought to be essential. The expense for office space is one such example that comes immediately to mind as ripe for rethinking. Cybersecurity isn't in that category because almost everyone can see that working from home requires a different security strategy than one in which most employees are coming into the office. (That new model requires a new analogy and another column, so I won't get into it here.)
The fact is that, until business revenue increases on a broad basis and cybersecurity's profile in the enterprise is raised, executives will see most cybersecurity staff in the same light as astronaut cooks: something that's really useful, but an awfully expensive way to get the job done.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...