This article can also be found in the Premium Editorial Download "Information Security magazine: Top forensics tools for tracking down cybercriminals."

IT IS A SUBTLE YET NOTEWORTHY DISTINCTION that Gary Swindon's job title reads "corporate" information security officer, and not "chief."

"As corporate ISO, I am responsible for security strategy, risk assessment, risk management and audit functions--things that are strategic in nature," says Swindon, who reports to the director of compliance and internal audit at Orlando Regional Healthcare, and not to the CIO. "If you're going to report to the CIO, then the job takes on the flavor of technical security rather than it being a business process."

Meet the new CISO, not quite the same as the old CISO.

This transition from operational security responsibilities to strategic ones resonates throughout the results of Information Security's 2006 Priorities Survey. Security organizations, driven by regulatory mandates, are segregating responsibilities and giving more attention to people and process issues.

"In a nutshell, security is now about risk management," says Ron Woerner, information security manager for ConAgra Foods. "You cannot properly manage risk at the operational level. You must be at the strategic level in order to match the severity of threats and vulnerabilities with the business' risk appetite. This shifts the knowledge and experience requirements for information security from the technology to the business."

More than 45 percent of the 405 security professionals surveyed--including IT staff and mid- and senior-level managers--said next year their business skills would be more important than their technical capabilities, while 61 percent said their organizations would do a better job of managing risk. Many will do so by engaging owners of different lines of business in discussions about the impact of risk on specific business processes and whether that risk will be accepted, transferred, avoided or mitigated.

"This cannot be accomplished by a technician, but by a business leader with the proper authority to see that appropriate business decisions are made," Woerner says.

Ironically, the strategic shift emerges from the confidence that the tactical side of the house is in order. Only four percent of respondents were unsure about their abilities to harden network perimeters against external attacks and to hold malware attacks in check.

"My job as information security officer is not technical," Swindon says. "I own everything that touches and contributes to the protection of information. Information systems are some of my customers. They involve me in project development and looking at security before we do things like implement new systems. It gets less expensive from a business perspective."

Security managers are instead turning their attention and wallets toward risk assessments and evolutionary technologies for streamlining identity management needs, providing secure remote access for employees and partners, and complying with federal regulations. Sixty-seven percent of those who took the survey expect security budgets to increase, and 34 percent project at least a 10 percent jump.

This was first published in December 2005