Security professionals need to improve people (and business) management skills before IT skills

By John Colley, CISSP, Board of Directors, Chairman European Advisory Board, (ISC)2

In today’s business world, the highest levels of management accept and understand the potential impact of data breaches, including loss of business, damage to the corporate image, diminished shareholder value, and lawsuits. The long battle to push information security up the priority agenda has been won. Gone are the days when information security was considered a nuisance. However, many have yet to recognise that protecting information assets is more about people management than IT management. This is particularly true today, in a world where it is becoming the exception rather than the norm for new systems, programs, even products to be rolled out without due consideration for information security.

Research into the information security workforce in more than 100 countries suggests that this recognition is overdue. We are not only responsible for, but highly dependent on, managing the complex human factors that impact a security program. According to more than 4,000 information security experts from around the world (22.8% within EMEA) in the latest (ISC)² Global Information Security Workforce Study, conducted by IDC on behalf of (ISC)2, the three most critical factors in securing the enterprise involve people rather than technology. When asked to identify the top five factors in protecting infrastructure, respondents overwhelmingly identified management support for security policy, users following policy, and the need for qualified security staff, ahead of the need for hardware and software solutions. Information security professionals around the world are saying that technology is only an enabler, not a solution, when implementing a sound security strategy.
The study goes on to say that increasing budgets are being dedicated to personnel, education and training: 41% of the total security budget, up 5% over previous years, while nearly 40% (45% across EMEA) of respondents said such budgets will increase by nearly one third in 2007. Demand for professional development training, specifically, is moving away from the purely technical, with information security risk management identified as a key training requirement for the majority of information security professionals in both the Americas and EMEA. In its report, IDC says “organisations that have thrown technology at the security problem are now starting to address people and processes.”


The report notes that security professionals have done a commendable job of raising awareness of security issues within their organisations. It also notes that more work needs to be done, specifically to strengthen internal access controls, improve visibility across the network, and enhance security policies, processes and procedures. Further, greater resources should be allocated to developing security staff in line with the evolution toward an enterprise-wide security stance and a long-term approach to mitigating risk. This would go a long way toward improving training, awareness and efforts to avert human error. Demonstrating our value in these areas will, therefore, be crucial, as such a move runs counter to the instincts of management, who typically prefer to minimise overheads and maximise the integration of technology. In short, we must evolve, and today that means striking a balance not only between business and technical skills but also people skills if we are to continue to move our companies forward.


Fortunately, for the second year in a row, the study tells us that our influence is increasing, with 73% of workforce study respondents expecting more influence with executives and boards in the coming 12 months, through the discussion of security policy, responsibilities and awareness across the organisation. Given this, we can expect our audience will also grow—within and outside organisational boundaries. Employees that deliver our services, the customers or constituents that take advantage of them, investors and, yes, the public at large that has the potential to interact with our organisation (even if only through a hijacked home computer) as well as the senior executives that grant the budgets, need to be within our scope. We are reliant on all these people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish significant goals.
Our humble beginnings as a small consideration within the IT department are becoming a part of the distant past. According to the study, responsibility for executing a sound security strategy is being increasingly shared across the organisation, making C-level officers accountable as part of a well-defined and articulated risk management program. Continuing a trend identified in last year’s study, responsibility for securing information assets is shifting from the chief information officer (CIO) into other areas of senior management and business, including the chief executive officer, chief financial officer, chief risk officer and chief information security officer, as well as legal and compliance departments. Now only 29% of respondents report to the IT department, a significant drop from the 38% reported when the first study was conducted in 2004.


As professionals we are, therefore, well positioned to take a leadership role in helping the organisation embrace the fact that information security is everyone’s responsibility in a business world utterly dependent on information technology. The most successful of us will apply a deft approach rather than an iron fist. The objective will be to encourage the adoption of a security-aware corporate culture through buy-in and the accomplishment of joint goals rather than the enforcement of policy alone.
Outside the corporation, we should feel justified in taking the time to ensure that customers, our future employees and society as a whole understand how to behave responsibly online, and so embrace the online world for shopping, researching, banking and socialising as it becomes so engrained in our culture. If every unsecured computer is a potential threat, then every moment spent addressing that threat is a contribution toward our specific risk management remit.


Many among us in the information security profession have considered altruistically donating some of our time to helping children and the public at large understand Internet safety. Driven by frustration at the exploitation of home computers in so many attacks, we have also thought about reaching out to the community in general. After all, if only people could be more aware of the basics of computer and information security. I would wager that the majority of us have been behind at least one employee awareness or training campaign within our own companies. But treating such activity as a core responsibility, and one that extends beyond organisational boundaries, could well be quite a leap for many of us.


As a membership-driven professional certifying body, (ISC)2 is supporting its members’ efforts to address public awareness as part of their mandate. Working with Childnet International—a charity dedicated to making the Internet a great and safer place for children—over 100 members are taking time away from work to visit schools across the United Kingdom. For (ISC)2 and its membership this program is more than an exercise in altruism. The program aims to promote responsible computing at an early stage of computer use, in much the same way that recycling is promoted to improve environmental standards generally.


For years we have espoused that information security is about business, not just technology. It is high time we recognised that information security, like business, is about people. Companies will have to invest in people, their training and awareness, and the policies that guide them. For those of us building a career in information security management, there is every reason to believe that our influence will reach further than ever before, but we will have to hone our people skills as well as our business management and IT skills.
John Colley, CISSP, is a member of the Board of Directors and Co-Chair of the European Advisory Board for (ISC)2, a non-profit professional consortium which represents over 49,000 members worldwide, including more than 2,000 in the UK and nearly 7,000 (6,940) across EMEA. He has been an active advocate of the security profession for many years and has served on the (ISC)2 Board of Directors since April 1999. John has formerly held posts as Group Head of Information Security at the Royal Bank of Scotland Group and as Head of Information Security at ICL.

