IT security awareness is at an all-time high, and organizations are spending and hiring in record numbers. Legislation and regulations are proliferating. Yet, for all this effort, nearly every statistical measure of IT security performance — from the number of incidents and vulnerabilities to the cost and impact of a security breach — is bad news. In what other endeavor would so much investment be permitted with such poor results?
The potential for disruption from malicious or accidental threats is growing, yet our ability to manage risk has never been more uncertain. Throwing more money at IT security will not close the gap.
Why has this happened?
There are many reasons behind the disconnect between effort and results. Security is still not a major design criterion in products, and connectivity is increasing at exponential rates with the move to mobile platforms. Additionally, security architectures were mostly developed by vendors interested in providing a rationale for the sale of products and are not based on a thorough analysis of risks and threats.
Arguably, the most significant disconnect is also the most common misconception in IT security — that it is a technical problem requiring a technical solution.
The technical disconnect
For too long, IT security has focused on technology and minimized or completely ignored the other critical elements of risk management. Although many IT security functions pay lip service to the full set of people, policy, process and technology, little is done to implement each element equally.
Security is multidimensional, requiring a variety of skills. In addition to technical know-how, security professionals must work in a competitive business environment and do so in a legal and ethical manner.
People skills range from proficiency in communicating complex issues to non-technical executives to the expertise required to interview suspects and witnesses.
Successful security professionals analyze risk beyond its simple technical components and incorporate defensible business impacts to justify budgets and educate decision-makers.
Litigation and regulation are now firmly entrenched in IT. Electronic discovery is the new gold rush in the legal profession, and responding to discovery orders of digitally stored information has become a major concern for the general counsel's office.
Finally, investigations of security incidents require extreme legal caution. A patchwork of federal, state and international torts and laws now governs everything from requirements to report security breaches to issues involving workplace privacy, searches, monitoring of communications and invasion of privacy. The inexperienced IT security practitioner is in a legal minefield and probably doesn't even know it. The recent allegations of improper investigation of HP board members are a case study in how easily simple investigations can become a legal and public relations nightmare.
A more mature IT security: Convergence and certification
Executives dependent on IT for competitive advantage confront an increasing requirement to manage risks crossing functional boundaries. Two initiatives are underway in the security profession that will meet these challenges and change the way we do business: convergence and certification.
The traditional model of separate functions for corporate security, physical security and IT security is wasteful and hinders organizations from managing cross-functional risks. Corporate or physical security functions are converging with IT security and corporate risk management.
The most visible example of this is the position of chief security officer (CSO) and the increased investment in implementing converged security programs. The Alliance of Enterprise Security Risk Management (a coalition of international security organizations ASIS, ISACA and the Information Systems Security Association) recently published a report titled "Convergence of Enterprise Security Organizations," which states:
"In 2005, the private sector in North America and Europe is expected to spend more than $300 million on convergence efforts, while combined, the public and private sector spending is expected to exceed $1.1 billion."
The full report is available as a free download at http://www.aesrm.org.
The second initiative, professional certification, addresses the needs of converged security by going beyond demonstrating simple technical competence to recognize the broader skills required to make risk-based decisions. Examples of these newer certifications include ISACA's Certified Information Security Manager (CISM) and the Association of Certified Fraud Examiners' Certified Fraud Examiner (CFE).
These certifications require both knowledge and experience in multiple skill domains of their respective disciplines.
Experience-based certifications help organizations hire the most qualified individuals and address due diligence requirements, and they will become a job requirement.
The future is now. IT security engineers and managers who do not develop the competencies required to incorporate legal, business and investigative skills will increasingly find their career opportunities limited. Organizations are looking for better results in managing risk, and they are looking to achieve them at lower cost.
Contrary to popular opinion, these two goals are not mutually exclusive. Accomplishing both requires a stronger security profession, one that understands and works with strategic decision-makers to effectively manage risk across all security domains.
-Kent Anderson is the founder and managing director of Network Risk Management LLC and a member of ISACA's CISM Certification Board.