Businesses must take a more scientific approach to IT security, or they could open themselves up to serious data breaches, according to Paul Dorey, chairman of the Institute of Information Security Professionals (IISP).
Compared with other disciplines such as engineering, expectations around IT security systems are a lot less precise. This will have to change as threats increase in number and complexity, said Paul Dorey.
IT security professionals will need to have a greater understanding of the business and be able to use recognised standards and repeatable processes if they are to succeed in the next decade, he said.
"In the next ten years I expect there to be a lot more clarity about a security standard to enable greater certainty across organisational boundaries," said Dorey.
If this does not happen, said Dorey, organisations will run more risk and security incident levels will go up, undermining trust in IT systems.
Business needs to think seriously about creating an IT security equivalent of an MBA to distil essential skills into a formal training programme.
According to Dorey, this will ensure the necessary skills in business leadership, risk assessment and effective communication are passed on to future generations of IT security professionals.
Many security professionals lack these skills, which prevents them from communicating effectively with business leaders or exerting any influence on the organisations they work for, said Dorey.
"Understanding the context and the business relevance of the risk message is where security professionals switch from being advisors to being part of the decision making process," he said.
Improving communication skills, said Dorey, is the first step in tackling the problem of getting people in the industry to be more rounded security leaders.
Dorey is to present on the topic of IT security skills at Infosecurity Europe 2009 at Earls Court in London on 29 April.