
Consider the evolving role of security starting in the early
1990s. Security people were technical and firewalls were expected
to solve our problems. Then businesses began to be more aware of
the potential impact of security "events", but security people
largely ignored them, write Paul Proctor, vice-president
and distinguished analyst, and Jeff Wheatman, research director at
Gartner.

When the worms hit in the early 2000s, security became very
visible and its practitioners were promoted. These mass promotions
of folks ill-equipped to handle authority led to the age of "No"
where security people did little to demonstrate that they were able
to work well with others. More recently, regulations ushered in the
age of compliance. A constant throughout this evolution has been
that security people were wizards and technology was the wand.

Gartner has seen a dramatic increase in programme maturity over
the past 10 years. Tools are still important pieces of the puzzle,
but scalable, repeatable processes are now at the centre of
security programmes. The bottom line is that organisations are
ready for something different and security people must evolve with
that need. Do the following to embrace this trend and further your
career:
- Abandon fear, uncertainty and doubt (FUD) and embrace the
concept of helping the organisation balance security requirements
with business need.
- Develop key risk indicators (KRI) that map to key performance
indicators (KPI) to provide a translation of security efforts into
business value.
- Use risk management to facilitate conscious decisions about
what you are not going to do and accept residual risk.
- Supplement your technology knowledge with business knowledge -
marketing, sales, and financial modelling are all excellent
additions to your toolkit.
- Learn to communicate in the language of the business.
- Transform yourself into a business peer who takes an interest
in what your organisation "does for a living".
- Don't buy tools for the sake of being on the bleeding
edge.
- Survey your peers on the business side of the house, learn
about their processes - no need to reinvent the wheel.