Consider the evolving role of security starting in the early 1990s. Security people were technical and firewalls were expected to solve our problems. Then businesses began to be more aware of the potential impact of security "events", but security people largely ignored them, write Paul Proctor, vice-president and distinguished analyst, and Jeff Wheatman, research director at Gartner.
When the worms hit in the early 2000s, security became very visible and its practitioners were promoted. These mass promotions of folks ill-equipped to handle authority led to the age of "No", in which security people did little to demonstrate that they were able to work well with others. More recently, regulations ushered in the age of compliance. A constant throughout this evolution has been that security people were wizards and technology was the wand.
Gartner has seen a dramatic increase in programme maturity over the past 10 years. Tools are still important pieces of the puzzle, but scalable, repeatable processes are now at the centre of security programmes. The bottom line is that organisations are ready for something different and security people must evolve with that need. Do the following to embrace this trend and further your career:
- Abandon fear, uncertainty and doubt (FUD) and embrace the concept of helping the organisation balance security requirements with business need.
- Develop key risk indicators (KRIs) that map to key performance indicators (KPIs) to provide a translation of security efforts into business value.
- Use risk management to facilitate conscious decisions about what you are not going to do and accept residual risk.
- Supplement your technology knowledge with business knowledge: marketing, sales, and financial modelling are all excellent additions to your toolkit.
- Learn to communicate in the language of the business.
- Transform yourself into a business peer who takes an interest in what your organisation "does for a living".
- Don't buy tools for the sake of being on the bleeding edge.
- Survey your peers on the business side of the house and learn about their processes; there is no need to reinvent the wheel.
This was first published in July 2009