Regulatory compliance issues and concern over data compromises have brought information security issues to the forefront in corporate boardrooms, according to a panel of IT security managers at the Computer Security Institute.
The trend is forcing security managers to adopt a more business-oriented approach to creating security strategies.
Selling management on the need for information security has become easier for IT managers because of privacy threats, data piracy and other issues, says Terri Curran, director of information security at Bose.
“In a sense, the road has been paved more for us. Management knows they’ve got to have security.”
However, security managers often tend to understand technology issues better than they do risk management topics, says Jack Jones, chief information security officer at Nationwide Mutual Insurance in Columbus, Ohio. As a result, their efforts are often misaligned with business goals, he says.
“Perfect security is not achievable,” Jones says.
“At the end of the day, [the security function] is about managing the frequency and magnitude of loss.”
That goal requires that security managers do a better job of putting technology issues into a business context, Jones says. That’s a significant challenge for security officers, he adds.
Increasingly, corporate security goals aren’t about information security but about information assurance, which deals with issues like data availability and integrity, says Jane Scott-Norris, chief information security officer at the US Department of State.
Thus, organisations should focus on risk management as well as risk avoidance. “You have to be able to evaluate risks and articulate them in business terms,” Scott-Norris says.
Jennifer Bayuk, CISO at New York-based Bear, Stearns & Co, says it’s also important that security managers demonstrate their value to an organisation — especially because security is often seen as a cost centre offering little return on investment.
“If you can’t demonstrate what you are doing, it doesn’t count,” Bayuk says.
Looking ahead, Bayuk predicts CISOs will have two distinct career paths: a technology-focused position that reports to the CIO and a business-focused role that works with chief risk officers.