IT security professionals need to transform the profession if they are to persuade business they are doing a good job, according to Mark Brown, director of information security at Ernst & Young.
“Most organisations think information security professionals are not fulfilling the needs of business,” Mark Brown told attendees of the Govnet Cyber Security Summit 2012 in London.
The shortcomings of IT security professionals in supporting business needs were revealed in Ernst & Young's latest Global Information Security Survey 2012. Brown said the Ernst & Young survey's findings should be a “wake-up call” for the whole IT security industry.
The Global Information Security Survey 2012 showed businesses recognise the strategic importance of information security. But the Ernst & Young survey also showed 85% of respondents did not think information security professionals supported the business.
Some 57% said information security workers lack the ability to talk in business terms about things such as total cost of ownership. A larger proportion (62%) said they failed to align information security to enterprise architecture and business processes.
“Businesses make profit from taking risk, yet information security is still largely risk-averse; they do not know the risk appetite of their organisations, they do not understand the board, and therefore cannot assist in achieving the board’s goals,” Brown told the Govnet Cyber Security Summit 2012.
The only way forward for information security professionals, he said, is to transform the industry by looking at IT security as a business issue, such as how IT security can optimise financial performance, protect brand reputation, and protect and enhance customer loyalty.
“They need to focus on meeting the needs of the business, align with business goals and begin demonstrating business leadership,” said Brown.
Delegates at the Govnet Cyber Security Summit heard that a successful transformation can ensure information security makes business sense when it is linked to business strategy, to enterprise architecture and business processes, and when it embraces new technologies demanded by the business.