Security Set To Move Beyond IT Director Control

A new study finds security professionals are set to move beyond IT director control in future, as they take a more proactive approach in order to secure their organizations

By Tom Jowitt, Techworld.com

August 01, 2008

Security professionals are set to move beyond IT director control in future, as they take a more proactive approach in order to secure their organizations, according to a study from the Information Security Forum (ISF).

The ISF is an international organization dedicated to benchmarking and best practices in information security. "This study is part of an ongoing set of deliverables looking at the management of security in organizations," explained Adrian Davis, ISF's senior research consultant and the report's author.

"At the end of last year, we looked at where security would be in five years' time. We held workgroup meetings around the world and backed this up by questionnaires. We gathered a very large dataset to mine data from."

The ISF is currently in the process of producing the report's deliverables, and could not reveal a lot of detail. However, Davis did talk to Techworld about the highlights of the report.

"The vision of information security going forward is that the degree of change is very significant," he said. "For example, currently, less than 3 out of 10 information security professionals believe they are focused on delivering solutions to the business."

"In the future, we predict 6 or 7 out of 10 will be focused on delivering solutions."

"This means that skills will need to change," he added. "How security interacts with business will change. Security professionals won't be reporting to the IT director. Currently 5 out of 10 report to the IT director. But less than a fifth will do so in future."

Davis points out that there is currently a large increase in information security professionals reporting to chief risk officers (CRO), chief security officers (CSO) and chief operating officers.

"These CRO and CSO are not IT people," he said. "They are typically the same level as the IT director. The IT security professional is moving away from IT, toward business and business support functions."

"This move away from the IT arena is in part driven by Enterprise Risk Management, as well as the convergence of physical and information security, i.e. the merging of the guns and the guards, a one-stop shop to protect your installation."

Davis feels that currently IT security professionals are focused on the protection of the organization's information and, to a certain extent, the organization's reputation and brand.

"Going forward, they want to move towards being more strategic, more advisory, and providing assurance that the organization is secure."

So how do security professionals achieve this? "Well, there are many components to that," said Davis. "Looking ahead, security professionals need to look at what is likely to happen, rather than waiting for it to happen, what we call scanning the threat horizon and understanding what the threat impact could be. Second component, which is a management cliché, is embracing change. Better to be changing securely than being on the outside."
