Security professionals are set to move beyond CIO and IT director control in future, as they take a more proactive approach in order to secure their organisations, according to a study from the Information Security Forum (ISF).
The ISF is an international organisation dedicated to benchmarking and best practices in information security. "This study is part of an ongoing set of deliverables looking at the management of security in organisations," explained Adrian Davis, the ISF senior research consultant and the report's author.
"At the end of last year, we looked at where security would be in five years' time. We held workgroup meetings around the world and backed up this up by questionnaires. We gathered a very large dataset to mine data from."
The ISF is currently in the process of producing the report's deliverables, and could not reveal a lot of detail.
"The vision of information security going forward is that the degree of change is very significant," he said. "For example, currently, less than three out 10 information security professionals believe they are focused on delivering solutions to the business."
"In the future, we predict six or seven out 10 will be focused on delivering solutions."
"This means that skills will need to change," he added. "How security interacts with business will change. Security professionals won't be reporting to the IT director. Currently five out of 10 report to the IT director. But less than a fifth will do so in future."
Davies points out that there is currently a large increase in information security professionals reporting to chief risk officers (CRO), chief security officers (CSO) and chief operation officers.
"These CRO and CSO are not IT people," he said. "They are typically the same level as the IT director. The IT security professional is moving away from IT, toward business and business support functions."
"This move away from the IT arena, is in part driven by Enterprise Risk Management, as well as the convergence of physical and information security, ie the merging of the guns and the guards, a one stop shop to protect your installation."
Davies feels that currently IT security professionals are focused on the protection of the organisation's information and to a certain extent, the organisation's reputation and brand.
"Going forward, they want to move towards being more strategic, more advisory, and providing assurance that the organisation is secure."
So how do security professionals achieve this? "Well there are many components to that," said Davies. "Looking ahead, security professionals need to look at what is likely to happen, rather than waiting for it to happen, what we call scanning the threat horizon and understanding what the threat impact could be. The second component, which is a management cliché, is embracing change. Better to be changing securely than being on the outside."
"Lastly, there needs to be a real understanding that a lot of these problems cannot be solved by technology alone," he said. "You need to deal with processes, people aspects, not just the bits and the bytes."
Davies believes there is a change towards a risk based approach. "We know there is no such thing as 100 percent security," he said. "You can only offer certain level of security. Security professionals need to sit down with the business, identify risk, and prioritise those risks. They need to work with business to minimise risk."
"But there is tension here between compliance (which is a tick all the boxes and you are ok approach) and the risk based approach," he warned. "One risk to one company, may be not be a risk to another company. It is a newer view of information security than the old guard approach of locking up and securing everything."
And Davies feels that security professionals are becoming more proactive. "There are followers and then there are leaders. Some organisations are blazing a trail," he said. "Some organisations are currently only looking at going down that route."
"The thing that is surprising is the degree of change," Davies concludes. "It is quite an exciting time for people in information security. There are many challenges, but a real sense that the security profession is maturing and can in fact become a true business partner, rather than being a mere technical adjunct as in the past."
The ISF is releasing a short report (free of charge) on the subject, to ISF members only, on 31 July.