IT security in an increasingly complex threat environment needs to be more about management than technology performance, according to Eric Domage, program manager for IDC in Europe.
IT professionals need to stop buying security performance and move to buying and selling business performance, he told the IDC Security Conference 2011 in London.
"Performance is not a differentiator, it is expected. The real value of security is to help business to be better, to be more competitive," he said.
This was echoed by Des Powley, director of security and IDM at Oracle, which he said had made a conscious effort to get beyond an insurance sell.
"Oracle has acquired around 500 products from 75 companies in the past five years to be able to sell security on value," he said.
HP this week backed up a similar approach of infrastructure-wide integrated security by announcing new or improved products and services that tap into technologies acquired in the past two years.
IT professionals should stop thinking about full security, said Domage. "Their role is shifting towards thinking about security management at an executive level," he said.
A security management approach ensures that business is addressing all the key elements of security: cost, threat, compliance and skills, said Domage.
"IDC sees security integration as a way of controlling cost as well as managing complexity," he said.
IDC views complexity as the next big risk, as the number and type of cyber threats and regulatory requirements continue to proliferate.
"Now is the time to focus on security management," said Domage. Everything is a target, as shown by recent attacks on SCADA and other systems previously thought to be highly secure, and the most effective way of dealing with that fact is at the planning and process level, not at the technology level, he pointed out.