Infosec pros should start preparing for the future, say experts

Information security professionals need to grow their skills, engage with the business, increase security awareness, set business goals and tailor their messages, says a panel of experts

Information security professionals should plan to increase their technical and non-technical skills to ensure they are able to deliver value to their organisations in the future, according to an expert panel.

They should also seek to work more closely with all parts of the business, the panel told the (ISC)2 Security Congress for Europe, the Middle East and Africa 2015 in Munich.

“First, they need to understand that they will need to develop their skills in dealing with people, processes and technology, because only a comprehensive approach will work,” said David Shearer, chief executive officer of (ISC)2.

Next, infosec professionals need to break out of their security silo and engage with all parts of the business to help every department understand the relevance and importance of information security.

“They need to work to ensure everyone understands the role and relevance of information security in the same way they do for things such as human resources management,” said Georg Freundorfer, European security director for Oracle.

“Infosec professionals should work to bring security into the mindset of management by explaining the cyber security-related risks to the business, which in turn should encourage senior executives to provide the resources necessary to mitigate and manage those risks,” he said.

Confidence in security

This is also about information security professionals changing their approach to the business, according to Adrian Davis, European managing director of (ISC)2.

“They need to make information security more interesting and relevant by working harder at raising the awareness of executives and tailoring their messages to make it clear to different departments how they can add value to the business,” he said.

As part of the engagement process, Freundorfer said infosec professionals should ask business managers where they see the risks or specific threats to their department to identify how they can help business leaders to gain confidence in the ability of security to support them.

“Infosec professionals who stay inside their silo will always tend to be reactive. Instead they should find out from the business how they can help,” he said.

Supporting business goals

Another key strategy for information security professionals should be to identify the goals of the business and then demonstrate how they can support those goals, said Lorenz Kuhlee, senior investigative response and forensic consultant for the European risk intelligence team at Verizon.

“They should also assume that the organisation’s network has been breached and work to ensure they have the capability to detect breaches and respond quickly,” he said.

In working with the business, especially on new projects, infosec professionals should also ask business leaders about confidentiality, integrity and availability, said Sebastian Broeker, chief information security officer at Deutsche Flugsicherung.

“They are often so focused on the project – on delivering the new product or service – that even if they have considered security and privacy, they often have not considered confidentiality, integrity and availability of systems, services and data,” he said.

Empowerment of employees

Finally, infosec professionals should work with business executives to help them to understand the cyber threat environment and how it works, according to Ciarán Mc Mahon, psychology research and development co-ordinator at the RCSI (Royal College of Surgeons in Ireland).

“At a senior executive level, fear has a role to play. They need to understand that they have probably been hacked, and that it is just a question of finding out to what degree,” he said.

In a presentation on the cyber psychology of information security, Mc Mahon said that in general, fear is not a good tactic to encourage good security behaviour. “Responses are not uniform and the impact tends to wear off quickly,” he said.

Instead, Mc Mahon said infosec pros should aim to help everyone in an organisation to understand they are part of information security and have a role to play, even consulting employees on drawing up the information security policy that reflects their values and beliefs.

“The emphasis should be on delegation and empowerment of employees – even temporary employees need to see themselves as part of the organisation,” he said.

The human aspect of security remains a significant challenge, said Mc Mahon. “People should be the strongest security control in an organisation, but are often the weakest link,” he said.

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Do we really need a "panel of experts" to tell us that the world is changing, that security isn't very secure and we'd better prepare for the next round of assaults on our data...? Wow, I need to get on more panels. If we don't already know this, we're in the wrong business.