Once upon a time, the IT world was sharply divided between two categories of personnel: developers (formerly known as programmers or informally as code jockeys) and IT professionals (which encompassed IT administrators, architects and engineers). Today, the business model has shifted and consolidated the two broad categories into one that’s called DevOps (for development and operations). Some security folks are feeling a little left out in the cold – even though security itself is more important than ever. Many of us don’t write code, and don’t particularly want to. Where do we fit into the DevOps paradigm?

Man (or woman) in the middle

To be fair, this sense of “homelessness” isn’t entirely new with the ascension of the DevOps model. Security has always been a bit of a culture onto itself, one that encompasses everything in IT but is hard to pin down.

In big tech companies, some of the people I’ve known whose job was “security” have always felt a bit like ships adrift without anchors; other PMs had specific products or software features that they “owned,” but security PMs were a little like cowbirds, which – instead of building their own nests – lay their eggs in other birds’ nests and depend on the surrogate parents to take care of their young along with their own.

Security folks identify threats and vulnerabilities and come up with solutions, but within the corporate structure they’re dependent on those who own the products and features to incorporate them to secure the software, systems, networks and cloud implementations.

Jack (or Jill) of all security trades

Before we can intelligently discuss where security belongs in the new paradigm, we have to first agree on exactly what an “IT security professional” is and does. That, in itself, can present a challenge. I’m going to discuss this in relation to the Microsoft MVP (Most Valuable Professional) program, since in many ways it reflects the trends and patterns in the industry as a whole.

I have been recognized by Microsoft as an MVP for my security expertise for the past fourteen years, and I’ve watched the MVP program struggle with how to define and categorize us within that program for just as long.

Early on, they related it to a product, and I was considered a “Windows Server Security” MVP.  Of course, in the real world of IT, few security pros would be limited to securing only the servers; client computers are important and arguably more vulnerable attack vectors – and then there are the network devices that also must be secured.

This reality eventually led to a new title: Enterprise Security MVP.  That was also to distinguish us from the other category of security pros, whose area of expertise was called Consumer Security.  The millions of small businesses and organizations out there running Microsoft products that fell somewhere in between weren’t specifically addressed.

During that time period, “Consumer Security MVPs” seemed to focus more on software vulnerabilities and patches, as well as viruses and malware, and web browser security issues. We of the Enterprise Security variety dealt with more sophisticated security technologies such as encryption (EFS, BitLocker, IPsec, etc.), PKI (certificate services), virtual machine security, Active Directory security and policies, rights management services, auditing and monitoring, and so forth.

Meanwhile, real-world IT still didn’t follow such clear-cut lines of demarcation. All those issues that plague consumers are concerns for businesses, as well. And unlike the product-focused MVPs who could dive deeply into one thing and become specialists, we still had to have a good working knowledge of all the products and all of the features of each, since security touches everything.

Then along came the cloud, and the whole world changed.

Clouding the issue

With the advent of cloud computing, suddenly the security landscape shifted. Areas of responsibility became blurred. Companies adopted cloud services while maintaining their own in-house datacenters for some of their IT functions. The era of the hybrid network was upon us, and that meant many modifications, both big and small, to the traditional security mindset and practices.

It changed the MVP program, too. In October 2015, the program was realigned with the new “cloud first, mobile first” philosophy that CEO Satya Nadella had announced at least a year earlier, with further refinements made in March 2016. The formerly existing 36 categories of MVP expertise have been reduced to 10, with the big emphasis on services rather than software. Expertise areas got shuffled, some were dropped altogether, some subsumed by others, and some brand new ones were created.

The new categories became:

  • Microsoft Azure
  • Cloud and Datacenter Management
  • Data Platform
  • Business Solutions
  • Enterprise Mobility
  • Office Servers and Services
  • Windows and Devices for IT
  • Windows Development
  • Office Development
  • Visual Studio and Development Technologies

See security in there anywhere? That’s because you don’t know where to look. Enterprise Security got dropped into the “Cloud and Datacenter Management” category – well, mostly. If you’re working in “mobility” security, identity and access, information protection and/or Remote Desktop Services/Remote App security, you’re now in the Enterprise Mobility award category. What about Windows client security? That would seem to belong in the Windows and Devices for IT column.

What happened to consumer security? It’s not listed anywhere in the breakdown of the subcategories that go with each of the above, on Microsoft’s MVP website. In fact, if you look carefully at all those contribution areas, you won’t see much of anything that’s related to consumer computing. That’s because the 2016 changes moved all of the consumer-focused MVPs to the “Windows Insider” program.

Azure is by far the largest expertise category now – even more so than it looks at first glance, since the Cloud and Datacenter Management and the Data Platform categories also encompass many Azure technologies. Most of the other broad expertise areas are about “development.”  What does all this portend for (business-oriented, non-dev) security pros?

Developers, developers, developers

I’ve been an MVP for a long time, through a lot of changes – including changes in company leadership. I vividly remember attending MVP Summits where Steve Ballmer opened and closed his keynote speech by chanting the mantra of “Developers, developers, developers!” I sometimes wondered whether he realized how left out those many of us who weren’t code jockeys felt during this ritual.

My time was coming, though. A few years later, Microsoft fell head-over-heels in love with security. They even developed a whole line of security-related products: the Forefront family of line-of-business security applications that ambitiously aimed to provide protection for client, server and network. Over the years, their Proxy Server had morphed into the ISA proxy/firewall that subsequently matured into a robust Threat Management Gateway (TMG).

During this period, security was king and at the annual Summit, security MVPs were treated like royalty. We got the best conference rooms and the rock star speakers like Mark Russinovich at our sessions. We had the best group dinners and the best parties, because we had the best and most attentive MVP leads. Life was good. Those were the days, my friend; we thought they’d never end. But of course, they did, as the best of times inevitably must.

Security in obscurity

Let’s back up for a moment. In earlier days, Microsoft products had the reputation of being insecure. Linux and Apple’s OS X (built on a UNIX kernel) were perceived to be safer from hackers and malware. As Internet connectivity became ubiquitous, attacks grew more frequent and more sophisticated, and security became a bigger priority for customers, Microsoft’s whole-hearted embrace of and dedication to security was both inevitable and necessary.

The company’s Trustworthy Computing initiative with its goal of “secure by design, secure by default and secure in deployment” demonstrated a new and serious commitment to security. This was responsible for the elevation of the security professional to an almost revered status within the company – and it was also eventually responsible for our descent back into (relative) obscurity.

As security became a priority for developers and was built into the software from the beginning, that meant add-on security products became less important. The security focus moved almost imperceptibly from the IT pro to the developer. Software that’s inherently more secure is a good thing for the customers/users. For IT professionals who specialize in security, maybe not so much.

At the last few MVP Summits, the new stars of the show have been – you guessed it – Azure MVPs.  They now command the big rooms in the main building. Enterprise Security folks, along with the rest of the “on-premises” oriented areas of expertise, have been relegated to a dark little classroom in a building a half mile away from the “action.”  

Forefront’s “football field” of security products – Identity Manager, Endpoint Protection, Exchange and System Center Protection, TMG and UAG – are all gone, left behind in the graveyard of abandoned software products along with once-popular business and consumer applications such as Frontpage/Expression, Small Business Server, Money, Windows Media Center and hardware products such as the Lumia phones and the Microsoft Band.

Such is the way of the IT world; you have your fifteen minutes of fame and then you’re a “has been.”  Heck, I remember when Windows Media Center was getting the glory, and look at it now: abandoned by all but a few of us hardcore holdouts who are still running Windows 8.1 on our media room PCs so we won’t have to give up its goodness.

But I digress. There actually is a bright spot for security folks in the MVP world, at least for those who are adaptable (and adaptability is a job requirement in IT): A brand new shiny expertise in – you guessed it again – Azure Security.

Nonetheless, some IT pro MVPs – security and otherwise – are feeling a little disoriented. We’re currently part of DX (Developer Experience) and I get a lot of invitations to developer meetups and coding-oriented web presentations. But that’s not who I am or what I do.

Meanwhile, back in the trenches

MVP program aside, this seems to be the way IT in general is heading. There’s a reason the “dev” part comes first in DevOps. Despite the protestations of some that DevOps isn’t bad news for security experts, the fact that such protestations would even be deemed necessary means I’m not the only one who’s feeling edged out these days.

In fact, to quote from that very article, “DevOps is actually a boon for security folks, who can, with the right automation and operational tools, inject security earlier into the development process, and increase the security of the code that ultimately reaches production.”  This seems to support the idea, in focusing on the security of the code, that DevOps views security as primarily a function of developers, not operations personnel.

In fact, this article that’s intended to reassure security professionals in the end paints a gloomy picture. It talks about code analysis tools, preventing vulnerable code from reaching production, and using automated security tools. To a non-programmer IT security pro, this all sounds like a future where operational security people are little more than technicians who make sure the anti-malware programs are running.

It’s a far cry from the exciting career envisioned by all those kids who rushed into the cybersecurity field when it was one of the hottest jobs on the block.

Where do we go next?

Students of history can take comfort in the fact that business, like society, moves in circles and cycles. Centralized mainframe computing gave way to the PC revolution, which cycled back around to the client-server model and then morphed into the Cloud. Computing will continue to change and “new” models will emerge that are oddly reminiscent of old ones.

Through it all, however, the need for security will never go away. In fact, unless there is some drastic change in human nature or the “big one” (EMP) wipes out electronic communications all over the planet, cybersecurity is going to become more and more of an issue as time goes on. The Internet of Things (IoT), wearables and ubiquitous computing will only add to the complexity of the problem. In fact, according to some forecasts, the future looks bleak for those who are hoping that more security-conscious coding practices and those automated tools will reduce the threat landscape.

Ironically, that pessimistic prediction could mean a brighter future – at least in terms of job prospects – for security professionals. Automation is unlikely to be able to keep up with the new challenges that new technologies will bring.