What do information security practitioners do every day? Who do they communicate with? How do they define information security? What are their major challenges and concerns? What are their most important relationships? While a lot of research has focused on the operation of technical controls and information security management approaches, little consideration has been given to the every-day life of information security practitioners. Recently the Australian Information Security Association (AISA) co-funded an Australian pilot study as part of the EU-funded Cyber Securities Cartography project,1 which examines the complex world of the information security practitioner. A focus on the social and human aspects of information security, particularly as they relate to information security practitioners, may help identify the additional skills that practitioners may require to help address the current cyber security skills shortage, and also highlight areas where current practice may need to be re-examined.
As part of the study, researchers interviewed nine Australian information security practitioners working in three different cities and with a range of different titles. The analysis of the transcripts from those interviews produced some interesting results. Broadly two general themes emerged:
- The every-day life of information security practitioners is diverse, complicated and contested; and
- The information security community is one in flux.
The idea that information security is a contested space is not entirely consistent with traditional security management approaches based on the premise that the ‘right’ level of information security can be achieved through the application of a rationalisation process based on risk assessments. At the same time, concerns with the changing world and doubts about the continued applicability of core tenets such as the definition of “information security” suggest that a new approach to information security might be required.
A diverse, complicated and contested life
The interviewees included a PCI DSS expert, an IT security manager in a health service provider, a risk manager from a local government authority and a security team lead from a large financial institution. All described very different ‘every-day’ roles. There was great diversity in responsibilities and tasks, even among participants with similar titles. However, all (except one) identified themselves as information security practitioners. All of the participants had started off in IT, although there was no uniform career path to becoming an information security practitioner…