The world is still reeling from the COVID-19 pandemic, but at the same time people are trying to figure out how to ease back into normal when “normal” finally arrives. I have seen blog posts from IT professionals who are essentially predicting that one day we will all go back to the office, and it will be as though nothing had ever happened. On the flipside, I have seen just as many blog posts claiming that when all of this is over the world will be completely unrecognizable. My guess is that the truth lies somewhere in between.
The impact that the COVID-19 pandemic has had on all of our lives makes it more or less inevitable that some things in the world of enterprise IT are going to drastically change. One big change I expect to see is that, when all of this is over, IT hiring managers will adopt a completely different approach to hiring and training security professionals.
Consider the types of things hiring criteria that hiring managers have used in the past: security-related IT certifications, familiarity with certain tools, experience with cloud computing, and, of course, previous IT security experience.
While I don’t doubt that those types of things are going to continue to be relevant, my guess is that hiring managers are going to need to look for security professionals who have a more extensive skill set than what was required in the past. Why? The threat landscape has changed dramatically.
Right now, almost everyone is still working from home. Even when the world “reopens,” it seems likely that many people will continue to work from home. In the work-from-home model, many users are more productive working from home, and many companies are finding it cheaper to support a remote workforce. There may also be people whose fears about going out into public will continue long after a vaccine is found and/or herd immunity is developed.
At this point, employers have invested a lot of money into building an IT infrastructure that allows employees to work remotely, and they probably won’t be anxious to walk away from that investment by requiring that everyone start coming into the office again.
The skills and hiring practices needed for keeping servers secure probably won’t change all that much. However, endpoint device security will become even more important than it already is because so much work will be done from remote, personal devices. As such, tomorrow’s security pros are going to need to have a deep understanding of the inner workings of end user devices. They will need to know how to remotely monitor such devices, and how to take corrective action if necessary. Remember, simply reimaging a device in response to a security problem isn’t going to be an option. There are licensing issues to consider, and the device probably contains the user’s own personal data and applications.
Security pros will need the ability to manually address security issues detected on remote endpoint devices. They will also need to know how to prevent other systems from becoming compromised during these operations.
While it’s true that some organizations have attempted to take the end user device out of the equation by mandating the use of virtual desktops, users are still accessing those virtual desktops through a physical device. If that physical device were to become infected with a key logger or other type of malware, then corporate data could be put at risk as. Such an infection probably isn’t going to spread to a virtual desktop (and, even if it did, nonpersistent virtual desktops are reset to a pristine state after each session), but it could cause sensitive data to be exposed.
The bottom line is that, going forward, it will be necessary for IT security professionals to do more than get a few certifications and learn how to use various security tools. Security pros will need to develop a diverse skill set that allows them to deal with security challenges that stem from supporting an incredibly varied collection of remote end user devices. They will need to develop creative solutions for finding and addressing security issues on what amount to remote BYOD devices, and they will have to do this without adversely affecting users devices in the process.