Shifts in technology, business expectations and process ownership in organisations are inevitable and all three have security implications, according to Forrester Research.
"These shifts have been taking place for a few years, but the frequency of change has accelerated significantly in the past year," Khalid Kark, principal analyst at Forrester, told Computer Weekly.
IT security professionals need to recognise these shifts to ensure they are prepared to handle them, he will tell the opening session of the Forrester Security Forum EMEA 2010 in London on 11-12 March.
IT security professionals need to be ready to deal with the adoption of new technologies such as virtualisation and cloud computing, greater use of social media in business, and the proliferation of consumer devices such as iPhones, said Kark.
Business expectations of the security function are also expanding rapidly, with IT security professionals having to take on increasing responsibilities such as business continuity, pandemic planning and IT audits, as well as compliance checks, he said.
"IT security professionals need to be equipped to take on and manage these additional roles while ensuring the basic security of IT systems as executives increasingly view them as strategic partners in the business," said Kark.
IT professionals also need to prepare to deal with a growing number of third-party security service providers to help cope with security challenges, which involves evaluating suppliers, managing contracts and monitoring service quality, he said.
"If security professionals do not react quickly to all three shifts, they are going to be left behind and the business is going to do whatever it needs to do to lower cost and boost efficiency."
But security professionals are generally not well equipped to react to all three simultaneously, he said.
IT professionals need to learn about and understand the changes that are taking place, and then come up with the appropriate strategies, approaches, policies, technologies and architecture to address these changes, said Kark.
"First, understand what the changes mean, then build a security programme around managing and addressing these changes, and finally measure the effectiveness of that programme."