RSA Europe: Information Security and data value should be part of education and training

“Data is the gold, silver and diamonds of the modern world and should be given the same level of protection”, said Professor Howard A. Schmidt, CISSP, president of ISF.

“Many businesses, governments and individuals are still unclear of the true value of data and where it resides and who has ownership is even less clear. We need to be better at controlling and managing data and understand the expectations of the data owners and providers. For example, if we give personal data to identify and validate ourselves – this data is only required for a short period of time and could then be destroyed.”

John Colley, CISSP, (ISC)2’s managing director, EMEA added, “We need to get past the ‘awareness programme’ phase. … Children from first stages should not only be learning to use the computers and online resources but how to use them safely and securely and why this is important. We learnt about safety in the science lab. The dynamic here is the same.”

Colley said that information security is always playing catch up with technology, as “people, IT and business leaders have yet to develop the skills to think securely”.

He added, “The majority of computing-related courses do not adequately address security issues, yet we know that strategic decisions taken by IT, from the procurement and/or development of software to the adoption of cloud services, are having a huge impact on vulnerability levels when the security requirements are not built in at the outset.

“Security should also be a core element of business education. Tomorrow’s business leaders need to be able to instinctively strategise for secure business development. Employee induction should include security with the systems training; and security responsibilities should be part of the employment contract.”

Adrian Davis, senior research consultant at the ISF, added that information security professionals are also facing a significant skills adjustment, with disparate roles emerging, the traditional information security requirement decreasing, and more jobs becoming largely managerial.

“We have reached a new generation of information security professionals that are not simply the IT people who can configure a firewall and speak the language of security. Instead these are career professionals who recognise the challenges and the opportunities and choose to focus exclusively on information security and undergo specific education, training and certification”, Davis said.

“They are not a single breed, but instead can be categorised in four different roles: the technology specialists; the consultants that can relate information security to the business; the generalists who understand enterprise risk management across an organisation; and the project leaders who can transform strategy into deliverable solutions. These people are key to communicating an understanding of security throughout the organisation.”

A joint (ISC)2 and ISF research project, Anticipating Your Advantage, presented later at RSA by Davis, pointed out that hiring managers struggle: 80% in a recent (ISC)2 survey are challenged to fill positions, despite the current economic downturn creating a larger available workforce.

Issues revealed include inadequacies in the recruitment process, a separation of management and technology skills that is opening up gaps in disparate functional areas, and a blurring of the traditional career path with people jumping from one role to another.

Schmidt concluded the RSA Europe briefing by suggesting that, “The new generation of information security professionals are able to balance the business benefits with information security risks and because they hold more senior positions, they are able to put forward a strong case for information security as a business enabler. They also recognise that we will never stop criminals completely or prevent the progress of technology; so as information professionals they need to focus on crime prevention and reducing the vulnerabilities.”
