As at a growing number of companies, information security management at camera and printer manufacturer Ricoh Europe no longer sits within the IT function.
“In fact, I report to the finance director, although we do not sit in the finance department either,” says information security manager Kevin McLean. “We really sit in between the business and IT.”
McLean says IT people understand the vulnerabilities and controls, which are increasingly complex and indecipherable to the business people.
“But the business people understand the impact on the business if information is disclosed or becomes unavailable,” he says.
“I see our role as acting as a broker between those two areas; translating the vulnerabilities and solutions for the business people and helping the IT people prioritise which solutions are required where.”
He says this type of setup has specific implications in terms of skills. “In my department I need IT graduates with business MBAs. The technical areas we have been concerned with in recent times – protecting the perimeter, firewalls, intrusion detection and so on – will, I think, increasingly go out to managed services, so the need for specific technical skills in-house will decrease,” he says.
McLean says Ricoh will still need the skills to audit services – and will also need to be able to manage the behaviour of the people using the systems, because there are many opportunities for individuals to subvert good practice.
“We think we have cracked security awareness, but now we are in the motivation phase – giving users a good reason to follow security policies,” he says. “That means we need specific soft skills of persuasion and negotiation – they are certainly a major part of the mix from my perspective.”
One technical area McLean does see a need for, however, is penetration testing. “While I see the traditional gateway controls being outsourced, I see penetration testing – which has traditionally been bought in from outside – coming in-house,” he says.
“That is what is starting to happen in the financial and government sectors, and where they lead others generally follow a little way behind. Penetration testing is probably something we should not be doing only once a year, but on an ongoing basis, and we will definitely need very specific skills if we bring that in-house.”
Ricoh is engaged in obtaining ISO 27001 certification across the globe, an issue that has presented a number of challenges in terms of co-ordination, timing and planning.
“Our customers deserve some assurance that they can trust us, so the whole area of being able to demonstrate competence in security is another major challenge,” says McLean.
But while he feels most of the training for new security skill sets will have to be done in-house, McLean is also encouraged by the changing approach of academia.
“I think schools and colleges are beginning to respond to these types of skills requirements,” he says. “There are now quite a few masters courses, for example, where they cover highly technical areas such as encryption and so on. They also teach the business issues and that is very encouraging.”