Published: 03 Jul 2003
For years, infosecurity has begged executive management for respect and struggled to get IT security on the corporate road map. Now that it's actually starting to happen, it turns out that many of us are unprepared to embrace the change.
In thousands of organizations, there's a growing expectation that risk managers will not only be able to track and manage all forms of operational risk -- including information and IT risk -- but report on it in enough detail to satisfy regulators and the board of directors that it's being adequately managed.
Management and government are imposing these new expectations through laws, regulations, accounting and auditing practices and the evolving concept of what constitutes good corporate governance. This change hasn't happened overnight. At publicly held firms, multinationals and especially financial institutions, it's been in process for several years. But it isn't just big companies that can expect a higher level of risk management scrutiny. Firms of all sizes, especially if they deal with personal data, must explicitly demonstrate that their information risk is actively managed.
Corporations are responding to this pressure by increasing the stature and scope of their risk management efforts. Expressions of this new religion include the appointment of a new high priest -- the chief risk officer (CRO) -- and the introduction of corporate dogmas in the form of best practices.
For a lot of people in the infosec profession, this new level of attention to risk will mean a lot more scrutiny of what exactly it is that we do. We'll be expected to make IT risk transparent, explaining it clearly and comprehensively in business terms -- in the risk vocabulary the rest of the organization already uses. If we fail, the consequences are clear: We won't get much of a say in decision-making.
This is a marked change from the past, when executives were willing to make gut decisions on IT risk. They accepted our claim that information risks were too complex to explain to them. Under the new rules, that little trick won't work anymore.
In the short term, the transition from technical security to corporate risk will bring dislocation, including job loss. Those who can't accommodate themselves to the new corporate approach to risk will either have to find safe technical havens, where they can hide from risk reporting scrutiny, or choose a new career. Yes, there will always be a place for raw engineering talent, but the career opportunity pendulum is swinging towards management skills.
Under the new rules, cybercrime (in its various guises) isn't our primary concern. A greater priority is a corporate-wide comprehensive approach to the maintenance of information utility, including data accuracy, service continuity and even program management. There will still be specialists in disaster recovery, incident response and network security, but they will be increasingly expected to help information owners understand and manage their own risk.
The new risk discipline is a good thing for us, because it forces us to be honest. The constant supervision by risk management specialists and the application of corporate governance models to information security will mature our profession, finally aligning it with corporate business goals.
In the long term, this new emphasis represents job security for us. The corporate commitment to risk management isn't a fad, but a reasonable response to decades of increasing external demands. Because the new risk regimes exist to meet external requirements, they are permanent.
Likewise, the external change in rules is permanently altering the framework in which we work. The blinders are being forcibly removed from our faces. The only way to thrive in this new environment is to recognize and meet the new challenges.
About the author:
Jay Heiser, CISSP, is a London-based security analyst with TruSecure Corp.