At last, the broader business is beginning to ‘get' information security. John Colley reports on a project that seeks to help information security professionals to ‘get' business...
We are at a turning-point in the information security profession. For years now, we professionals have been counselled to beef up our business skills, told we'll only demonstrate our value if we speak to business managers and executives on their own terms. Well-publicised data breaches are motivating the desire right from the top for better IS governance. The way business is conducted has fundamentally changed. The battle to make security a priority is being won – which should motivate business-focused roles.
How this is evolving is the subject of a joint project, by (ISC)2 and PwC, to bring together the opinions of senior European execs from business, IT and security on integrating information security into business practice.
There are two clear challenges: to identify why security continues to be hampered by an uneasy relationship with both the IT and business departments; and to map out what is needed organisationally to achieve a strong mandate.
The business roles are a missing piece to the puzzle, although there is a growing recognition from business departments that they have an active role to play. They must now become better at being able to innovate, procure and develop their ideas, knowing that security is critical to the business case. This requires a deep understanding of the individual business function, the accountabilities to be defined, the obstacles to that accountability, the business processes and their impact on data and its integrity. It is here that organisations assess whether to use outsourced, cloud-based services or agile business processes in-house.
The roles diversify as our profession matures. The trend to centralise responsibility within a dedicated security department is reversing, with operational responsibilities, such as patch management and network security, moving back into IT. Then there's a growing emphasis on the application layer and security architecture, creating new IT development roles, along with the business departments' recognition of accountability.
Despite this, the dedicated security department continues to rise in stature, with a focus on risk management/governance, consultancy and strategic development.
Perhaps we will reach the stage where we can stop counselling people to beef up the skills that actually should be in existence elsewhere in the organisation.
John Colley is managing director, (ISC)2 EMEA