Business skills key for security chiefs
Computing rounds up the news and views from Gartner's IT Security Summit
Information security officers need to focus on business skills rather than technology if they are to succeed in the organisation, says analyst Gartner.
In the next 10 years, Gartner predicts information security will move from being a function in the IT department to part of an independent operational risk division reporting directly to the board.
The evolution of the chief information security officer into the role of the risk management officer will also require IT professionals to shed their ‘techie’ image and improve how they communicate with the business, said Paul Proctor, vice president of security research, speaking at the Gartner IT Security Summit in London last week.
‘Running off and getting additional security credentials is not the way to become the risk manager; they need to get business qualifications and understand the company’s needs,’ he said.
‘If you are only interested in technology, then you’ve probably progressed in the company as far as you can.’
IT security departments also need to stop throwing money at every potential security risk and instead work out what level of risk is acceptable when introducing new business processes.
‘IT people like to spend money to put a stop to any threats, but business people realise that there are levels of acceptable risk,’ said Proctor.
Paul Wood, chief security officer at UBS Investment Bank, saw his role move from being part of IT to the operational risk team.
‘In investment banking, it is about time to market and delivering IT solutions tomorrow, if not yesterday,’ said Wood.
‘To achieve this securely, we started to realise that it was important to move from being part of the IT department, which sometimes stopped us from delivering, to being a part of the bank that has some teeth.’
A growth in industry regulation is also likely to see information security officers move further towards a company’s group risk department, said Paul Dorey, chief information security officer at BP.
‘IT security professionals need to report to someone who understands and who is part of the company power base,’ said Dorey. ‘Anyone who wants to be part of the company board needs to be the chief risk officer.’