November/December 2006 issue

2007 preview: What's rollin' round the bend?


3. Do you see IT security becoming operationalized to the extent that information security professionals will (have to) play a more strategic role in their businesses?

Adrian Asher, Global Head of Security, Betfair
The operational or non-operational nature of Security will not affect the level that Security can strategically bring to the business. This statement is based upon the fact that in any industry there are varying levels of ability, skills and of course, personalities. In many organizations, but granted not all, the strategic influencers have not been based on their defined role, but based upon their abilities and social network they have defined.

Senior Management come together and agree on the way forward, but rarely do the concepts and ideas get generated in this format. The refining, prioritising and execution does of course occur at this point, but the actual conceptualisation, plausibility and sometimes even profitability has occurred before. Now this may be over generalising, but based on these experiences over the last decade or so, I feel that any area SHOULD play a more strategic role dependent on the persons within it, however no area MUST play a more strategic view. In fact to do so may even perversely cause damage to the business by forcing people into roles they are not comfortable with, and are only filling in order to continue their chosen career advancement.

Brian T. Contos, CISSP, CSO ArcSight Inc
Absolutely IT security professionals will have to play a more strategic role, because security is a strategic business issue. Employees are aware of the risks for the most part from the executive team on down. Also aware of the issues are customers, shareholders and partners. Security is being discussed in the boardrooms because it is a boardroom discussion, and those organizations that haven’t yet started to consider security at executive levels will soon discover that they are at a competitive disadvantage at best, and likely suffer from decreased shareholder faith, legal actions, regulatory fines, brand diminishment and ultimately lost revenue.

Leo Cronin, CISO, Reed Elsevier
From where I sit I see this already happening at many larger companies. It is surely happening within my company. A strategic role means looking out ahead for emerging threats to the business and educating business leadership on risk management and how security and safety can be factored in for competitive advantage. I am seeing more staff pursuing advanced business degrees to bring legitimacy to this new role and we are investing much more time than in the past with our colleagues in the legal profession on risk management issues. This transition may be more difficult however in smaller organizations that lack the resources to commit to security. Larger companies can help by reaching out in local communities to educate and support smaller businesses and organizations.

Robert Gleichauf, VP and CTO, Security Technology Group, Cisco
Yes. In order for security to succeed in business it cannot remain an overlay; it must become part of the business fabric. Otherwise it is too disruptive. Security professionals need to be brought in at the beginning of a project, not as an afterthought when the company is about to release the product or service.

Paul Henry, Secure Computing
All the security professionals I have associated with have always strived to play a strategic role in businesses they were entrusted to protect. That being said, many have unfortunately long been constrained to operating tactically because of respective businesses’ failure to recognize the competitive advantage afforded by good security. Simply put, many security professionals have been put in the position of acting as the tactical safety net, not if things go wrong but when they go wrong.

Our regulatory environment is beginning to force a change; security professionals are now more than ever being relied upon more in a business enablement role. Security professionals are being asked “how can we perform this business requirement on the Internet and meet regulatory requirements?” where previously they were simply being told “we are putting this service on the Internet to reduce our operating costs and we have no budget for security”.

It is essential that a company include security as part of its strategic planning. This way organizations can integrate effective security policies, procedures and technology into the business rather than blaming the security department when something goes wrong.

Evan Kaplan, CEO Aventail
Absolutely, IT security is operationalized and strategic. It used to be that you rolled out an application based almost solely on its business utility. Now, you don’t roll out an application until you’ve also checked out its effect on your security and its performance over the WAN. We started with simple authentication and enrollment. Now we need to consider issues like remote users, access controls, end point security, and unmanaged devices. IT management needs to play an educated, strategic role in balancing the tension between operational productivity and IT security.

Tom Noonan, General Manager, IBM Internet Security Systems
This is already happening. Security has moved from a “verb” (e.g. secure storage) to a “noun,” while simultaneously moving from a back office issue to a boardroom issue. Security has become its own discipline. It underpins many of the core business functions, whether that is management and access control of data, network and applications performance or the addition of technologies for business productivity.
Today’s business productivity is fuelled by a swarm of mobile workers accessing an increasing number of applications that are churning more real-time information, however the productivity comes with a cost and that cost is security.

Hugh Penri-Williams, Chairman of the Information Security Forum
In many companies, IT security already consists of two distinct activities: InfoSec (security strategy, policy & standards setting, investigations) increasingly reporting outside the CIO organization to the CSO (in my personal opinion, a healthy trend, much like when audit stopped reporting to CFOs), and OpSec (the actual application & infrastructure implementations, patching, firewall tuning, monitoring, upgrading). Hence, InfoSec professionals are slowly gaining the ear of senior management instead of being confronted with competing priorities and resources within IT. Hopefully, this will stop and reverse the decline described above. ‘Operationalized’, for me, is not really the correct term for this. I’d prefer to call it ‘emancipation’.

Paul Simmonds, CSO, ICI
Yes and no, I am seeing small steps in this direction, but this relies on two things - CEOs and senior management who have the vision to understand that used properly information security is a business enabler, and information security professionals who are capable of operating at those levels. Both are still rare!

Alex van Someren, CEO nCipher
IT is strategic, so by definition so is security. Organizations that don’t take this on board will become extinct. CSOs and CISOs have always had to shout to get heard in the boardroom but 2006 saw greater realisation that security is a business enabler and not a barrier. Security is a process, not just a technology; so to be effective it has to be operationalised and become part of workplace behaviour.

4. What examples have you seen, in 2006, of organizations using security as a business enabler?
