Where they once held a relatively minor position in IT, information security professionals have finally started getting the recognition they deserve for their diversity of knowledge and skill. This ranges from a comprehensive view of compliance issues to proficiency in risk models with business and management instincts. Their influence is increasing and their audience growing, and business is beginning to accept that it is time to understand how to be responsible with information security risk.
Despite its growing influence, information security continues to be perceived as a necessary evil or cost to the business. All too often, this is the perspective of the individuals in the profession as much as the executives charged with funding it.
As information security professionals, we are unified in our motivation to avoid threats rather than advance business. Business executives may accept that selling online is dependent upon good security, but the broader information security picture is not appreciated.
It is time to change that thinking, and recognise that there is every opportunity to consider information security as a strategic tool for competitive advantage, increased shareholder value and better management of resources. Such change does not require new technical know-how or security solutions, but rather a new way of assessing them.
As information security professionals, we like to think we understand that security is about more than just technology, yet all too often our actions tell a different story. According to the (ISC)2 2005 Global Information Security Workforce Study, most of us are spending the majority of our time researching and implementing new technologies. In Europe, more than a quarter of respondents indicated that fighting political battles and selling our value to management were their most time-consuming activities, and more than 30 percent ranked them as their second most time-consuming. These findings suggest that our conversations revolve around threats rather than opportunity for the business.
We need to remind ourselves again and again that information security is not a technology issue — it's a people issue. We are reliant on people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish the goals of business. This includes the employees who deliver our services and the customers who take advantage of them, as well as the senior executives and boardroom directors who grant us our budgets. We must make the effort to understand certain issues: changing organisational structures that increasingly embrace outsourcing; how our companies would like to take advantage of their business intelligence; how customers would like to interact with our businesses; evolving workflows; application management; development strategies, and so on.
We must also recognise that information security programmes reflect high levels of interdependence across the business. The security team from the top down should be capable of working collaboratively with business units — participating on strategy committees, assessing business objectives, presenting risk analyses and reporting common accomplishments in recognition of common objectives. A review of hiring practice is warranted to ensure a team that is capable of interfacing with the business, as well as implementing solutions.
Despite the amount of time seemingly spent justifying our presence, the profession should not begrudge this effort. For the most senior managers, up to 50 percent of their time should be spent on communicating and managing our contribution to the business. We must recognise that it is part of our job not only to manage upward, but outward. We cannot afford to stick within the comfort of our domain rather than concern ourselves with what motivates our stakeholders.
The opportunity for the information security profession is immense. Clearly we must continue to understand the evolving threat landscape coming from increasingly sophisticated criminal factions. We must also stay on top of the available technology to protect against these threats, recognising them as tools, rather than the focus of our jobs. Most importantly, however, we must recognise that our jobs are not only critical to the running of the business and protection of its assets, but also to its development and strength in the future. We are driving a change in the role of the security professional. Let us make the most of our influence.
John Colley is chairman of the European advisory board for the International Information Systems Security Certification Consortium (ISC) and can be seen at Infosecurity Europe 2007.
Talkback
John’s article is absolutely correct and is thought provoking. It’s very difficult to be positive about Information Security, especially when it’s viewed as a technical issue rather than one that the business should embrace. Reporting the information security status to senior management tends to be negative. Information Security professionals report bad news. It can’t be helped. If security is running smoothly then there is nothing to report, otherwise Information Security has a tendency to be reported in quantitative terms, such as the number of security incidents. We need to find another way.
One important factor to consider within a company is the positioning of the senior Information Security professional. If they are within the IT department, then it will be viewed by everyone as a technical issue. Sure, most of the security controls are within IT because that’s where most of the information is held, but the drivers are with the business. If the security of information is a business responsibility, and it can be traced back to business requirements, then funding becomes easier. When Information Security is within the IT department there is a tendency to take a technical approach. After all, IT people love technology; they will buy the most technologically advanced and shiniest piece of equipment to mitigate security vulnerabilities and treats. If one considers that IT doesn’t own business information, then IT can’t be responsible for its protection. If the business doesn’t get this and other roles and responsibilities correct before any outsourcing takes place, then it can be very difficult to manage the outsource contract.