Like a growing number of companies, information security management no longer sits within the IT function of camera and printer manufacturer Ricoh Europe.

“In fact, I report to the finance director, although we do not sit in the finance department either,” says information security manager Kevin McLean. “We really sit inbetween the business and IT.”

McLean says IT people understand the vulnerabilities and controls, which are increasingly complex and indecipherable to the business people.

“But the business people understand the impact on the business if information is disclosed or becomes unavailable,” he says.

“I see our role as acting as a broker between those two areas; translating the vulnerabilities and solutions for the business people and helping the IT people prioritise which solutions are required where.”

He says this type of setup has specific implications in terms of skills. “In my department I need IT graduates with business MBAs. The technical areas we have been concerned with in recent times ­ – protecting the perimeter, firewalls, intrusion detection and so on – ­ will, I think, increasingly go out to managed services, so the need for specific technical skills in-house will decrease,” he says.

McLean says Ricoh will still need the skills to audit services ­ – and will also need to be able to manage the behaviour of the people using the systems, because there are many opportunities for individuals to subvert good practice.

“We think we have cracked security awareness, but now we are in the motivation phase ­ – giving users a good reason to follow security policies,” he says. “That means we need specific soft skills of persuasion and negotiation – ­ they are certainly a major part of the mix from my perspective.”

One technical area McLean does see a need for, however, is penetration testing. “While I see the traditional gateway controls being outsourced, I see penetration testing ­ – which has traditionally been bought in from outside ­ – coming in-house,” he says.

“That is what is starting to happen in the financial and government sectors, and where they lead others generally follow a little way behind. Penetration testing is probably something we should not be doing only once a year, but on an ongoing basis, and we will definitely need very specific skills if we bring that in-house.”

Ricoh is engaged in obtaining ISO 27001 certification across the globe, an issue that has presented
a number of challenges in terms of co-ordination, timing and planning.

“Our customers deserve some assurance that they can trust us, so the whole area of being able to demonstrate competence in security is another major challenge,” says McLean.

But while he feels most of the training for new security skill sets will have to be done in-house, McLean is also encouraged by the changing approach of academia.

“I think schools and colleges are beginning to respond to these types of skills requirements,” he says. “There are now quite a few masters courses, for example, where they cover highly technical areas such as encryption and so on. They also teach the business issues and that is very encouraging.”