Employers should tackle information security both centrally
and locally by creating central security teams and backing them up
with high-powered information security officers in each major
business unit.
At its security conference this week, Gartner will detail an
approach that allows companies to benefit from economies of scale
in negotiations with suppliers and, at the same time, tailor
information security policies to the particular needs of each part
of the business.
Processes such as setting information security policy and procuring
anti-virus, identity and access management and intrusion protection
systems are best handled centrally, said Roberta Witty, research
director at Gartner.
But businesses need local security officers with business clout to
make sure that company security policies are properly enforced,
rather than left to gather dust on the shelf.
"They have to be able to walk into the business manager's office
and say, 'This project cannot go ahead because it will damage the
business'," she said.
Traditionally, most companies have nurtured their own information
security officers in-house, but many are now beginning to look
outside their organisations as demand grows.
"You need someone who is a really good communicator, who
understands technology and who understands the business. Up until
now, a lot of information security specialists have learned on the
job. We have seen that change," said Witty.
IT auditors and people with strong project management or risk
management backgrounds can often make good information security
officers, but communication skills are important.
One of their most important roles should be to ensure that
employees are trained in company security policies. Staff need to
know how to respond if someone rings them up and asks for their
password, and they need to be aware of the dangers of downloading
code from the internet.
Outsourcing parts of the security operation can save money and
provide all-round security coverage for companies that do not have
sufficient security staff, but it should not be carried out
lightly. Strong service level agreements and good performance
metrics are essential.
"Don't outsource security if you have not outsourced any other part
of your IT. Security is not where you want to learn," said Witty.