Information security skills must include communication, says Dorey

According to industry veteran Paul Dorey, future security professionals will need to have better communication skills to gain respect.

LONDON -- A successful information security professional needs to acquire a wide range of new skills in order to command the right level of influence, according to one of the industry's most experienced veterans.

Paul Dorey, the keynote speaker on the second day of the Infosecurity Europe conference, has held senior security roles in banks and most recently at the global oil company BP Plc., and is now chairman of the Institute of Information Security Professionals.

For more Infosecurity Europe 2009 news

Get the latest news and interviews from the conference floor. Check out our live coverage of Infosecurity Europe 2009.
At the Infosecurity event, hosted in London, Dorey explained why security professionals will need to adapt their manner and language in order to deal with different groups of people in their organisations.

"We are entering a time when IT security people are going to have to move from being merely advisors to the business to real professionals whose views are listened to," he said. As IT supports every aspect of life, security breaches become potentially life-threatening or disastrous for their organisations. Just as bridge designers and structural engineers work to common and consistent standards and are therefore respected, he said, so security professionals should command the same level of respect.

For that to happen, security professionals need to communicate effectively with a wide range of disciplines – including audit, risk assessment and compliance, IT and engineering. "They need to be like chameleons to fit into those disciplines," he said. "You may not become an expert in them all, but you must at least don the facade. ... Get some mentoring to help you understand them."

Don't miss need-to-know info!
Security pros can't afford to be the last to know. Sign up for email updates from and you'll never be behind the curve!
Dorey predicted that many new threats will come in the physical infrastructure that increasingly depends on microcontrollers, or computer systems-on-a-chip, which are still largely ignored by the security world. The integrity of those physical assets will become increasingly important, hence the need for a greater appreciation of engineering.

Most of all, he urged security people to be business-like in their approach. This means thinking of the business context and relevance of whatever they propose; setting realistic priorities; working to influence people; managing change; being convincing in the boardroom, and showing leadership.

"I'm pleased that security people are now going on MBA courses. We ought to send more people for that kind of training," he said.

And to be really effective, he added, security should make things happen rather than try to block them. "Their attitude should be, 'You tell me what you want to do, and I'll show you how,'" he said.

Read more on Security policy and user awareness