I think InfoSec—and in fact business management in general—is evolving into the combination of four things:
So essentially we have:
A few things to note about this:
Everything else becomes the execution and implementation of those ideas.
Which is still hard work in many cases—but AI will get better and better at that over time.
This is why the ideal (and perhaps only safe) place for humans is coming up with the ideas and starting businesses to implement them—mostly using automation.
I challenge you to think about all jobs in this way.
Like software security.
What happens when software is only allowed to be built using X components, and Y frameworks, with Z controls?
And automation builds most of that software and tests it continuously to make sure it’s in that state?
Ask what part of the job is actually just the result of the actual thing not being done properly in the first place according to an SOP.
This has been promised for years, and it’s not happening tomorrow.
But we can now see what that would look like if software can build software and can also validate that it was done using the approved SOP.
Everything is a pipeline. Including the building and validation of software.
The human part is the desire to build, and the ideas for what to build.
Much of security comes down to things being built or implemented the wrong way, and there being nowhere near enough people or time to clean up afterwards.
Things are very different when automation can make a big dent in both.
So as a security person, or someone considering getting into security, which part of this do you want to work on?
Think carefully about where you want to be in this ecosystem.