Businesses need both local and central IT security officers

Employers should tackle information security both centrally and locally by creating central security teams and backing them up with high-powered information security officers in each major business unit.

At its security conference this week, Gartner will detail an approach that allows companies to benefit from economies of scale in negotiations with suppliers and, at the same time, tailor information security policies to the particular needs of each part of the business.

Processes such as setting information security policy and procuring anti-virus, identity and access management and intrusion protection systems are best handled centrally, said Roberta Witty, research director at Gartner.

But businesses need local security officers with business clout to make sure that company security policies are properly enforced, rather than left to gather dust on the shelf.

"They have to be able to walk into the business manager's office and say, 'This project cannot go ahead because it will damage the business'," she said.

Traditionally, most companies have nurtured their own information security officers in-house, but many are now beginning to look outside their organisations as demand grows.

"You need someone who is a really good communicator, who understands technology and who understands the business. Up until now, a lot of information security specialists have learned on the job. We have seen that change," said Witty.

IT auditors and people with strong project management or risk management backgrounds can often make good information security officers, but communication skills are important.

One of their most important roles should be to ensure that employees are trained in company security policies. Staff need to know how to respond if someone rings them up and asks for their password, and they need to be aware of the dangers of downloading code from the internet.

Outsourcing parts of the security operation can save money and provide all-round security coverage for companies that do not have sufficient security staff, but it should not be carried out lightly. Strong service level agreements and good performance metrics are essential.

"Don't outsource security if you have not outsourced any other part of your IT. Security is not where you want to learn," said Witty.