“IT security professionals, enterprises and organisations in the UK really want to find out what are the real risks and how best to respond to them,” he told Computer Weekly.
Stroud, vice-president strategy and innovation at CA Technologies and member of Isaca’s Professional Influence and Advocacy Committee, was speaking during a visit to the Isaca London Chapter.
“Cyber security has been one of the main topics for formal and informal discussions with Isaca members during my visit,” he said.
While it is debatable whether cyber security is different from “normal information security”, Stroud said increased media coverage has helped raise awareness around the topic.
“It has provided an opportunity for information security professionals to engage with their organisations about the implications of data leaks and how to do proper risk assessments,” he said.
It has also raised fresh questions about what the role of chief information security officers (CISOs) should entail, where they should sit in an organisation, and how they should be relevant to an organisation.
“One of the interesting things that some UK organisations are already doing is ensuring that the CISO role is not just a senior role, but moving forward from being reactive to being proactive,” said Stroud.
This means getting involved in the risk management of the organisation and helping set out actions to support the risk profile. In this regard, he said the UK is ahead of many other parts of the world.
Another common topic raised by Isaca members in the UK is the continual pressure on the cost of IT.
“IT professionals in the UK are under a lot of pressure to do more with less, with IT seen much more as a cost centre than it is in the US, where IT is increasingly being seen as an innovative tool,” said Stroud.
The best way for IT to respond, he said, is to look for new ways of doing things through the use of technology, for example automation, to support the business better at a lower cost.
Stroud predicts that this will soon lead to the emergence of innovative business models that use technology as the conduit to products and services.
One of the wider challenges facing IT professionals is that with the increased use of consumer apps and devices, the business is moving too fast for traditional IT to keep up, he said.
In response, Isaca members are looking at changing technology stacks and ways of managing how devices are used.
“But members recognise that information security professionals need to focus on the information, and not necessarily the device, because in reality it is the information that is critical,” said Stroud.
“We need to start looking at how we manage the information and how we determine what is ‘secret’ as opposed to ‘public’ information,” he said.
This means organisations should be investing in the means to categorise information and putting the right level of protection around information based on risk to the business.
“Isaca members are starting to think about how to improve the risk assessment, understand the business impact, and then apply the appropriate level of security controls,” said Stroud.
While UK members understand this approach and are starting to move in this direction ahead of many other countries, he said it takes time to change behaviours, cultures and systems.
It is a different way of thinking about the problem, which requires CISOs and their teams to start getting engaged with the business from a business value and risk perspective, he said.
“For businesses to use their CISOs effectively, they need to be involved in the risk assessment process upfront so that they can add value and set a proactive security strategy as the business moves forward,” said Stroud.
For their part, he believes CISOs should spend more time educating the user community about the value of what they are doing.