This article was contributed to OUT-LAW.COM by
John Colley of the International Information
Systems Security Certification Consortium, (ISC)².
Our skill-set ranges from a comprehensive view of compliance
issues to proficiency in risk models with business and management
instincts. Our influence is increasing and our audience growing,
and business is beginning to accept that it is time to understand
how to be responsible with information security risk.
Despite its growing influence, information security continues to
be perceived as a necessary evil or cost to the business. All too
often, this is as much the perspective of the individuals in the
profession as it is of the executives charged with funding it. We
are unified in our motivation to avoid threats rather than to
advance business. Business executives may accept that selling
online is dependent upon good security, but the broader information
security picture is not appreciated.
It is time to change that thinking and recognise that there is
every opportunity to consider information security as a strategic
tool for competitive advantage, increased shareholder value and
better management of resources. Such change does not require new
technical know-how or security solutions, but rather a new way of
assessing them.
Information security professionals like to think they understand
that security is about more than just technology, yet their actions
all too often tell a different story. According to the (ISC)² 2005
Global Information Security Workforce Study, most of us are
spending the majority of our time researching and implementing new
technologies. In Europe, more than a quarter of respondents
indicated that fighting political battles and selling our value to
management were their most time-consuming activities, and more than
30% ranked them as their second most time-consuming. These findings
suggest that our conversations revolve around threats rather than
opportunity for the business.
We need to remind ourselves again and again that information
security is not a technology issue – it’s a people issue.
We are reliant on people, their awareness, ethics and behaviour,
and we must understand what they want to achieve if we are to
accomplish the goals of business. This includes the employees that
deliver our services and the customers that take advantage of them,
as well as the senior executives and board room directors that
grant us our budgets.
We must make the effort to understand changing organisational
structures that increasingly embrace outsourcing; how our companies
would like to take advantage of their business intelligence; how
customers would like to interact with our businesses; evolving
workflows; application management; development strategies; and so
on.
We must also recognise that information security programs
reflect high levels of interdependence across the business. The
security team from the top down should be capable of working
collaboratively with business units – participating on strategy
committees, assessing business objectives, presenting risk
analyses, and reporting common accomplishments in recognition of
common objectives. A review of hiring practice is warranted to
ensure a team that is capable of interfacing with the business, as
well as implementing solutions.
Despite the amount of time seemingly spent justifying our
presence, the profession should not begrudge this effort. For the
most senior managers, up to 50% of their time should be spent on
communicating and managing our contribution to the business. We
must recognise that it is part of our job to not only manage
upward, but outward. We cannot afford to stick within the comfort
of our domain rather than concern ourselves with what motivates our
stakeholders.
The opportunity for the information security profession is
immense. Clearly we must continue to understand the evolving threat
landscape coming from increasingly sophisticated criminal factions.
We must also stay on top of the technology available to protect
against these threats, recognising them as tools, rather than the
focus of our jobs. Most importantly, however, we must recognise
that our jobs are not only critical to the ongoing running of the
business and protection of its assets, but also to its development
and strength in the future. We are driving a change in the role of
the security professional. Let us make the most of our
influence.
John Colley is Chairman of (ISC)²'s European Advisory
Board. (ISC)², which trains and certifies information security
professionals, is exhibiting at Infosecurity Europe 2007 on
24th–26th April 2007 in the Grand Hall, Olympia, London.
See: www.infosec.co.uk
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please
contact us. See also: our
full disclaimer
