End-users are changing the game for information security professionals by bringing consumer technology - and the expectations rasied by it - into the workplace.

End-user awareness could well be one of the fastest-developing opportunities in the security arena. It ranked second in EMEA, and fourth worldwide, in (ISC)2's latest Global Information Security Workforce Study of training requirements. More than two-fifths (42 per cent) of survey respondents in the region selected it among options more targeted at professionals, including information risk management, forensics and security architecture.

This was the first time end-user training had been included in the survey, and its ranking has surprised analyst Frost & Sullivan, which was commissioned by (ISC)2 to conduct the study. It is a stark indicator of IT and business trends that are significantly changing the dynamics for security professionals.

End-user expectation is one of those dynamics. While IT and information security professionals are used to researching new technology, end-users are now bringing technology into work-. This has largely been led by the myriad mobile devices available and the exponential number of apps being developed for them.  Apple's slogan, ‘There's an app for that', illustrates the scale of development here.

Similar levels of innovation are taking place in cloud computing. Again, users can easily trial and bring new services to work. Standard policies and processes, and even organisational structures, will change as more cloud-based services underpin businesses. The impact of social networking promises to be of a similar scale as businesses increasingly court online communities, and even go so far as to set up a shop front in this marketplace.

While the function of the security professional has always evolved, skill requirements are now shifting significantly. Users, not the innovators, are driving this. They will instinctively follow the open and flexible example of the consumer services that established their expectations, which is not always going to be appropriate.

Maintaining this emerging ‘mobile on demand' business model will be challenging because the reliance on security will permeate more aspects of organisations' operations. We are still getting to grips with the impact of these changes to business operations. It is safe to say, however, that standards-based, policy-driven security management will have to evolve into one that relies far more on enabling everyone to make the right decisions.

John Colley, CISSP, managing director EMEA, (ISC)2