The information security professional is more than 'a necessary evil'

OPINION: Relegated as a relatively minor position in IT just a few short years ago, information security professionals are now getting the executive face time we have long craved and deserve for our diversity of knowledge and skill.

This article was contributed to OUT-LAW.COM by John Colley of the International Information Systems Security Certification Consortium, (ISC)².

Our skill-set ranges from a comprehensive view of compliance issues to proficiency in risk models with business and management instincts. Our influence is increasing and our audience growing, and business is beginning to accept that it is time to understand how to be responsible with information security risk.

Despite its growing influence, information security continues to be perceived as a necessary evil or cost to the business. All too often, this is as much the perspective of the individuals in the profession as it is of the executives charged with funding it. We are unified in our motivation to avoid threats rather than to advance business. Business executives may accept that selling online is dependent upon good security, but the broader information security picture is not appreciated.

It is time to change that thinking and recognise that there is every opportunity to consider information security as a strategic tool for competitive advantage, increased shareholder value and better management of resources. Such change does not require new technical know-how or security solutions, but rather a new way of assessing them.

Information security professionals like to think they understand that security is about more than just technology, yet their actions all too often tell a different story. According to the (ISC)² 2005 Global Information Security Workforce Study, most of us are spending the majority of our time researching and implementing new technologies. In Europe, more than a quarter of respondents indicated that fighting political battles and selling our value to management were their most time-consuming activities, and more than 30% ranked them as their second most time-consuming. These findings suggest that our conversations revolve around threats rather than opportunity for the business.

We need to remind ourselves again and again that information security is not a technology issue – it’s a people issue. We are reliant on people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish the goals of business. This includes the employees that deliver our services and the customers that take advantage of them, as well as the senior executives and board room directors that grant us our budgets.

We must make the effort to understand changing organisational structures that increasingly embrace outsourcing; how our companies would like to take advantage of their business intelligence; how customers would like to interact with our businesses; evolving workflows; application management; development strategies; and so on.

We must also recognise that information security programs reflect high levels of interdependence across the business. The security team from the top down should be capable of working collaboratively with business units – participating on strategy committees, assessing business objectives, presenting risk analyses, and reporting common accomplishments in recognition of common objectives. A review of hiring practice is warranted to ensure a team that is capable of interfacing with the business, as well as implementing solutions.

Despite the amount of time seemingly spent justifying our presence, the profession should not begrudge this effort. For the most senior managers, up to 50% of their time should be spent on communicating and managing our contribution to the business. We must recognise that it is part of our job to not only manage upward, but outward. We cannot afford to stick within the comfort of our domain rather than concern ourselves with what motivates our stakeholders.

The opportunity for the information security profession is immense. Clearly we must continue to understand the evolving threat landscape coming from increasingly sophisticated criminal factions. We must also stay on top of the technology available to protect against these threats, recognising them as tools, rather than the focus of our jobs. Most importantly, however, we must recognise that our jobs are not only critical to the ongoing running of the business and protection of its assets, but also to its development and strength in the future. We are driving a change in the role of the security professional. Let us make the most of our influence.

John Colley is Chairman of (ISC)²'s European Advisory Board. (ISC)², which trains and certifies information security professionals, is exhibiting at Infosecurity Europe 2007 on 24th–26th April 2007 in the Grand Hall, Olympia, London.