If the old perimeter were the firewalls and network borders…
…and the current perimeter is your web presence(s)…
…the next “border” is your remote connectivity and mobile devices? (I’ll ignore for the moment how “the cloud” explodes the current perimeter.)
With the last two “perimeters” in the above example, you can hire a security geek to come in and immediately direct their effort at something somewhat finite. “Go look at the firewall rules and network segmentation!” “Go scan our websites and vomit out a vulnerability report of your findings!” “Go make sure our client-app-database pipeline is appropriate!” But none of that expands to what offers real endemic security in an organization. Those are necessary security tasks, but they certainly are not holistic.
Maybe this is why data-centric security is scary. You can’t just target the data in some data warehouse (the visual of that is far more interesting to me than the definition!). Rather than treat the skin of the organization, you basically need to cover the same area that the entire vascular system covers (heart, arteries, veins, capillaries…).
It might also be why mobile device security is scary: it’s not easily scoped and bounded to narrow segments of an entity. And, god forbid, it means dealing with users and consumer devices. I mean that not only in the backroom security geek being scared to interact with people, but in the thought that, holy shit, *users* need to be part of security, too, whether they (the users) like it or not. I know we often talk about education and policies, but most every user I know in an organization who doesn’t have a direct interest in security as part of their job will almost always prefer someone else deal with it. And this is absolute if that security even remotely negatively impacts their own job or convenience.
I’m actually wrestling with buying back into Apple (been out since iPod 4th gen) and actually getting an iPad device, but not because I want to use it. It’ll be because I need to get back to the user perspective and have some sort of experience with it.
You certainly cannot say that security is a cheap career (in money, time, and effort)!