With a career in IT longer than I am willing to admit (suffice to say that it all began in a time when dinosaurs ruled the earth!), I am a relatively recent recruit to the Information Security profession. Not that the concept of security was new or strange, after all, security has been a function of IT for as long as I’ve been around. The thing is that the landscape has changed and those changes are exciting and challenging and that’s what hooked me.
Until the Internet came along and became the new way of life, the concept of computer security was largely confined to a narrow band of IT security administrators and specialists embedded deep within the shadowy realms of IT.
With the evolution of IT in its myriad forms and wide-scale usage , security practices, complexity and scope have not only grown exponentially but the broader reaching Information Security has emerged to apply control context and relevance around information in all its forms – digital or otherwise. In other words, a one size fits all security solution doesn’t cut it. This development represents a fundamental shift that security professionals and those who employ us need to consider.
A demand is created for a different type of skill set and organisational positioning which doesn’t necessarily align to the traditional IT Security profile.
There is an important and enduring link between IT and Information Security however they offer distinctly different services:
- IT Security is concerned with the technology that handles information and as the title suggests is a function within IT. Areas of responsibility may include security control design, maintenance, monitoring and operations.
- Information Security is concerned with the security of information regardless of the form it takes across an enterprise. As such it is necessary to understand the information, the business, the culture, who uses that information and how it is used, security awareness and education, applicable legal and regulatory requirements as well as suitable policies, technical and procedural controls.
This is not such common knowledge and from experience these two areas are deemed interchangeable for many in the IT industry and even across security.
I’m talking basic stuff here but the message doesn’t seem to be out there or well understood. Many companies still persist in rolling up Information Security into an IT function, generally producing painstaking and piecemeal results. Aside from a potential conflict of interest, there is generally a lack of authority, jurisdiction, resources and often knowledge beyond IT to drive Information Security practices, yet somehow magic is expected to happen.
It is clear to me that Information Security is in the throes of change and that we are trail blazers, shaping the future of not only security but how organisations think and do things. That’s powerful and exciting.
Whether it is engaging a vendor, writing a contract, developing a business case or designing a system or process, we are influencing these activities. A major shift from the IT shop that security was, in many cases only 5 years ago.
To use an analogy, Information Security has been going through puberty and struggling with growing pains. To really stand up and be heard, as an industry and as individuals, we need to be assertive, consistent and innovative in articulating what our roles and responsibilities are and demonstrating the value we can contribute to the business. Not an easy task but I am certain we are clever enough to rise to the challenge.
Read other CSO's industry opinion pieces:
Breadth First Hacking by Robert Layton
Fighting the botnet threat by Peter Coroneos
Enterprise Security Architecture as a discipline – the three viewpoints by Puneet Kukreja