IT security policy should be put in the hands of a business risk expert rather than an IT professional, according to security analysts.
Hands-on administration of security in IT systems is best suited to someone with a Unix background, because of the knowledge it gives of authorisation and privileges. However, an IT professional should not be put in charge of overall information security policies, said Steve Hunt, security analyst with Giga Group.
"Somebody at business level should be in overall charge of security," he said. "The person should be able to calculate how much the company would lose if a certain server goes down."
Hunt said the calculation of risk is vital in building a coherent IT security policy. The firms hit hardest by the recent distributed denial of service attacks were those that had not assessed business risks properly, he said.