Security is more than just an overhead

IT security experts need to convince the rest of the business world that they are not simply a necessary evil
Written by John Colley, Contributor

Where they once held a relatively minor position in IT, information security professionals have finally started getting the recognition they deserve for their diversity of knowledge and skill. This ranges from a comprehensive view of compliance issues to proficiency in risk models with business and management instincts. Their influence is increasing and their audience growing, and business is beginning to accept that it is time to understand how to be responsible with information security risk.

Despite its growing influence, information security continues to be perceived as a necessary evil or cost to the business. All too often, this is the perspective of the individuals in the profession as much as the executives charged with funding it.

As information security professionals, we are unified in our motivation to avoid threats rather than advance business. Business executives may accept that selling online is dependent upon good security, but the broader information security picture is not appreciated.

It is time to change that thinking, and recognise that there is every opportunity to consider information security as a strategic tool for competitive advantage, increased shareholder value and better management of resources. Such change does not require new technical know-how or security solutions, but rather a new way of assessing them.

As information security professionals, we like to think we understand that security is about more than just technology, yet all too often our actions tell a different story. According to the (ISC)2 2005 Global Information Security Workforce Study, most of us are spending the majority of our time researching and implementing new technologies. In Europe, more than a quarter of respondents indicated that fighting political battles and selling our value to management were their most time-consuming activities, and more than 30 percent ranked them as their second most time-consuming. These findings suggest that our conversations revolve around threats rather than opportunity for the business.

We need to remind ourselves again and again that information security is not a technology issue — it's a people issue. We are reliant on people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish the goals of business. This includes the employees who deliver our services and the customers who take advantage of them, as well as the senior executives and boardroom directors who grant us our budgets. We must make the effort to understand certain issues: changing organisational structures that increasingly embrace outsourcing; how our companies would like to take advantage of their business intelligence; how customers would like to interact with our businesses; evolving workflows; application management; development strategies, and so on.

We must also recognise that information security programmes reflect high levels of interdependence across the business. The security team from the top down should be capable of working collaboratively with business units — participating on strategy committees, assessing business objectives, presenting risk analyses and reporting common accomplishments in recognition of common objectives. A review of hiring practice is warranted to ensure a team that is capable of interfacing with the business, as well as implementing solutions.

Despite the amount of time seemingly spent justifying our presence, the profession should not begrudge this effort. For the most senior managers, up to 50 percent of their time should be spent on communicating and managing our contribution to the business. We must recognise that it is part of our job not only to manage upward, but outward. We cannot afford to stick within the comfort of our domain rather than concern ourselves with what motivates our stakeholders.

The opportunity for the information security profession is immense. Clearly we must continue to understand the evolving threat landscape coming from increasingly sophisticated criminal factions. We must also stay on top of the available technology to protect against these threats, recognising them as tools, rather than the focus of our jobs. Most importantly, however, we must recognise that our jobs are not only critical to the running of the business and protection of its assets, but also to its development and strength in the future. We are driving a change in the role of the security professional. Let us make the most of our influence.

John Colley is chairman of the European advisory board for the International Information Systems Security Certification Consortium (ISC) and can be seen at Infosecurity Europe 2007.

Editorial standards