Paul Dorey, the keynote speaker on the second day of the Infosecurity Europe conference, has held senior security roles in banks and most recently at the global oil company BP Plc., and is now chairman of the Institute of Information Security Professionals.
"We are entering a time when IT security people are going to have to move from being merely advisors to the business to real professionals whose views are listened to," he said. As IT supports every aspect of life, security breaches become potentially life-threatening or disastrous for the organisations affected. Just as bridge designers and structural engineers work to common and consistent standards and are therefore respected, he said, so security professionals should command the same level of respect.
For that to happen, security professionals need to communicate effectively with a wide range of disciplines – including audit, risk assessment and compliance, IT and engineering. "They need to be like chameleons to fit into those disciplines," he said. "You may not become an expert in them all, but you must at least don the facade. ... Get some mentoring to help you understand them."
Most of all, he urged security people to be business-like in their approach. This means thinking of the business context and relevance of whatever they propose; setting realistic priorities; working to influence people; managing change; being convincing in the boardroom, and showing leadership.
"I'm pleased that security people are now going on MBA courses. We ought to send more people for that kind of training," he said.
And to be really effective, he added, security should make things happen rather than try to block them. "Their attitude should be, 'You tell me what you want to do, and I'll show you how,'" he said.