
Businesses must take a more scientific approach to IT security, or they could open themselves up to serious data breaches, according to Paul Dorey, chairman of the Institute of Information Security Professionals (IISP).
Compared with other disciplines such as engineering, expectations around IT security systems are a lot less precise. This will have to change as threats increase in number and complexity, said Paul Dorey.
IT security professionals will need to have a greater understanding of the business and be able to use recognised standards and repeatable processes if they are to succeed in the next decade, he said.
"In the next ten years I expect there to be a lot more clarity about a security standard to enable greater certainty across organisational boundaries," said Dorey.
If this does not happen, said Dorey, organisations will run more risk and security incident levels will go up. Trust in IT systems will be undermined, he said.
Business needs to think seriously about creating an IT security equivalent of an MBA to distil essential skills into a formal training programme. According to Dorey, this will ensure the necessary skills in business leadership, risk assessment and effective communication are passed on to future generations of IT security professionals.
Many security professionals lack these skills, which prevents them from communicating effectively with business leaders or exerting any influence on the organisations they work for, said Dorey.
"Understanding the context and the business relevance of the risk message is where security professionals switch from being advisors to being part of the decision making process," he said.
Improving communication skills, said Dorey, is the first step in tackling the problem of getting people in the industry to become more rounded security leaders.
Dorey is to present on the topic of IT security skills at Infosecurity Europe 2009 at Earls Court in London on 29 April.