Security professionals need to become business people to sell security to the masses, but, according to Gartner analysts, they don't need MBAs.
Speaking at the Gartner Security and Risk Management Summit 2012 in Sydney this morning, the analysis company's vice president of research Paul Proctor said that it is not enough for security professionals to align themselves with business practices; they also need to be part of the business themselves.
Proctor pointed to the example of safety in vehicles, explaining that when first introduced, seat belts and other safety features were seen as a hindrance to vehicles and occupant comfort, yet today they are legally required and even help to sell vehicles.
"Now, car safety is actually featured inside of ads that improve brand. Think about the last car ad you watched. It talked about traction control and air bags and collision detection ... all of this focus on the value of safety to the consumer. Risk and security performance now drive revenue and market share."
But according to Proctor, in the IT world, security is currently reactive. This can often hurt businesses. He stated that in extreme cases, new business initiatives are simply dropped, because they present too much of a risk. In order to change this model, Proctor said that security professionals must become business leaders.
Gartner colleague and research director Rob McMillan elaborated, stating that this is because exposure to risk is actually a business decision.
"It's not IT's job to determine how much protection is necessary. This can be a shock to many traditional security practitioners, but we have to evolve. This can't be achieved by operating in traditional silos," McMillan said.
"Security and risk leaders must become business leaders. You don't have to go to business school, but you cannot remain ignorant of your own business," Proctor said.
"You can translate risk concepts into risk-adjusted business value statements by mapping leading indicators of risk into leading indicators of business performance [key performance indicators]," Proctor said.
Proctor also warned that a failure by security professionals to get involved in the business may lead to the business attempting to manage risk by rolling it into a "cyber insurance scheme". He said that from Gartner's research, these policies are often underestimated, and, as a result, organisations aren't always covered for the full extent of damages.
"This is not a perfect solution. Through 2014, 50 per cent of the organisations that submit cyber insurance claims are going to end up with a negotiated settlement that does not meet the expectations of the original person who purchased the policy," Proctor said.