IT security workers must support business needs, says Ernst & Young

IT security professionals must better support their firms' business needs, according to the Ernst & Young Global Information Security Survey 2012

IT security professionals need to transform the profession if they are to persuade business they are doing a good job, according to Mark Brown, director of information security at Ernst & Young.

“Most organisations think information security professionals are not fulfilling the needs of business,” Mark Brown told attendees of the Govnet Cyber Security Summit 2012 in London.

The shortcomings of IT security professionals in supporting business needs were revealed in Ernst & Young's latest Global Information Security Survey 2012. Brown said the Ernst & Young survey's findings should be a “wake-up call” for the whole IT security industry.

The Global Information Security Survey 2012 showed businesses recognise the strategic importance of information security. But the Ernst & Young survey also showed 85% of respondents did not think information security professionals supported the business.


Some 57% said information security workers lack the ability to talk in business terms about things such as total cost of ownership. A larger proportion (62%) said they failed to align information security to enterprise architecture and business processes.

“Businesses make profit from taking risk, yet information security is still largely risk-averse; they do not know the risk appetite of their organisations, they do not understand the board, and therefore cannot assist in achieving the board’s goals,” Brown told the Govnet Cyber Security Summit 2012.

The only way forward for information security professionals, he said, is to transform the industry by treating IT security as a business issue: how IT security can optimise financial performance, protect brand reputation, and protect and enhance customer loyalty.

“They need to focus on meeting the needs of the business, align with business goals and begin demonstrating business leadership,” said Brown.

Delegates at the Govnet Cyber Security Summit heard that a successful transformation can ensure information security makes business sense when it is linked to business strategy, linked to enterprise architecture and business processes and when it is embracing new technologies demanded by the business.



"talk in business terms about things such as total cost of ownership" TCO is not a business term, it is a marketing term. Prior to using TCO we discussed Return on investment. TCO is false in that we can always bring it down to ZERO if we don't buy the crap in the first place. ROI is actually meaningful. It makes me feel uneasy that Ernst & Young propagate this type of marketing. I agree, it is not newsworthy.


Fear for your job? Unfortunately, E&Y is damn right on this one. Too many IT security professionals don't understand their primary goal is "to make the business secure", and not "to avoid risk". And risk analysis is all about "Cost", hence part of TCO. ROI is a completely different beast. Both are meaningful.


Security is an avoidance of risk and they shouldn't be taking chances on corporate data. Business and Security are two different mindsets and they clash. Business people need to realize risks in Security shouldn't be thought of in the same way they conduct business. I can agree that Security people can have a problem communicating to business people, but I find it funny that the security people need to learn to speak business lingo and business feels no need to teach themselves IT lingo. Businesses should be making strides to teach their employees about the implications and issues faced in security, and IT should be taught what they are supporting businesswise. This is nothing more than a disconnect between the two fields and it's not right to point all the blame on IT.