What Is This Job, Anyway?

March 11, 2024
Cybersecurity is becoming just another foundational component of the broader IT infrastructure for business

I was watching the football playoffs and mused about how advertisements reflect the changing world of technology. Several years ago, the hot innovative technology was cloud computing and everyone from the big computer vendors to small consultancies were pitching their prowess with the cloud - off-premises computing. Of course, I had been working with that model of computing since the late 1970s. I operated those huge Burroughs mainframes that took up barn-sized rooms to compute for a large military base. Cloud computing was nothing new but saw its rebirth as a novel concept in the late 2010s - with far better marketing.

Well before the cloud trend, television ads regaled us with the wonders of access to the internet. Televised football games were punctuated with advertisements for website builders and home modems. AOL and GoDaddy spent their marketing budgets targeting families having a pizza watching the football game. A decade later, viruses dominated the tech scene. It all began in the 1990s when major news media started front-page headlines about scary computer viruses that locked up your computer and exposed your sensitive financial data and credit card numbers to scammers and digital thieves. During this heady phase, John McAfee’s former company rebranded itself Network Associates, spending millions slapping their new brand on the 49er’s stadium in California. A couple of years later, then-President GW Bush looked across the table at the Network Associates’ CEO and asked him to describe this unfamiliar company. When he was informed it used to be called McAfee, Bush sighed and said, “Oh yeah, the antivirus company.” The next week, they were McAfee again.

The Tech Bubble

Companies like Symantec and McAfee grew their valuations sky-high in the early 21st century while Silicon Valley-funded cybersecurity start-ups launched weekly with dreams of selling out in a couple of years making their founders and investors wealthy. The sheer number of those who did so makes the odds seem favorable for anyone with a dream and coding experience.

About a decade ago, a new cybersecurity trend emerged that quickly gained traction and had more to do with psychology than technology. According to people supposedly in the thick of our profession, cybersecurity jobs were so fraught with stress, frustration, and burnout, that many of us were barely coping while leaning heavily on alcohol, drugs (legal and not) and mental health advisors of all types. Of course, none of this was true.

But it gave rise to an entire genre of IT security conference tracks where amateur psychologists and new-age hippies set up shop to offer you a better way to manage your professional responsibilities. Sure, there are stressful jobs and no lack of people who use alcohol and other drugs to manage stress. But to paint the entire career field as one of mental abuse was a brush far too wide and paint far too thick.

And no longer do consumers need to pay annual subscription fees for memory-hogging third-party antivirus software.

Now, cybersecurity is becoming just another foundational component of the broader IT infrastructure for business. And no longer do consumers need to pay annual subscription fees for memory-hogging third-party antivirus software. The huge security conferences that used to dominate our professional schedules have seen their first drop in attendance in decades. It was inevitable the bubble would burst.

Sure, you can still label yourself a 133t h4x0r and pay $1200 to attend a big-name conference. You can still give a corporate presentation on security at your company’s sales meeting in Ottawa and label yourself a renowned international keynote speaker. But those career moves that used to garner you fame and followers are quickly losing their luster. You may even be surprised to find those C-level executives at the big certification bodies don’t even eat their own dog food. You may feel you need their certifications to get past those career roadblocks. They happily collect a sizable toll to allow you past said roadblock, yet don’t even care enough to expect the same from their leadership. The big certification bodies are no longer in the cybersecurity business. They are simply in business.

Cybersecurity is All About Risk

Private industry and commercial businesses have discovered cybersecurity isn’t about continual cloak-and-dagger exploitation or always buying the latest rack box from a vendor. Where you draw the lines that separate security. risk management and IT operations will be the key. Unless you are a specialty software shop, security is now just a job requiring skills in PowerPoint, Excel, and lengthy Word documents.

As I took notes during this year’s games, I saw this year’s technology ads were all about AI - artificial intelligence. According to what I saw, AI now manages the entire NFL schedule and can thus mine your business data for increased profitability. It’s even packaged with your new mobile phone and can make your family photos worthy of the cover of the next big rap album. What exactly is AI? No one has a definitive answer, but it has scared some of our elected representatives into demanding legislation to control it via government edicts. Ugh. AI is the new hot technology trend.

So where does that leave cybersecurity? We have entered the next phase of our profession - one no longer in the headlines and often under the radar.

  • voting machines have “glitches.”
  • evil foreign governments have surveillance operations.
  • passwords are back to being recorded in notebooks on one’s desk.
  • Senior government cybersecurity “experts” are no longer brilliant technologists, but political policy wonks.

We have become a commonplace foundation of IT infrastructure and no longer the darling of technology. McAfee has become nothing but the subject line for spam emails and Symantec has rebranded to evoke early founder Peter Norton (as did McAfee) to try to sell LifeLock(c) subscriptions to replace the tens of millions they used to make selling consumer antivirus software. Are you ready for this new world? Is there a certification for it?

John McCumber is a seasoned cybersecurity executive with over 25 years of progressive experience in information assurance and cybersecurity operations, acquisition, management, and product development. Expertise in corporate security policy development and implementation of security in information technology design. Recent experience working with Congress on cybersecurity legislation and professional advocacy. He is a long-time columnist with Security Technology Executive magazine and a contributing writer at Ordinary Times. John is a retired US Air Force officer and former Cryptologic Fellow of the National Security Agency. During his military career, John served in the Defense Information Systems Agency and on the Joint Staff as an Information Warfare Officer during the Persian Gulf War.
About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].