The organizational role of the information security professional sits at a crossroads that may be more meaningful than we realize. The security world is in the midst of major changes as businesses struggle with the simultaneous evolution of technology, economics, and business applications of new technologies. We can look back at the information protection challenges that occurred when organizations first connected business systems to the Internet and consider how the role of the security manager took on expanded meaning due to new threats. The current environment may be presenting a course correction of similar magnitude for information security roles.
Several new technology areas grabbing headlines at present have been on the horizon for some time, but adoption seems only now to be gaining momentum across the general business spectrum. Cloud computing, virtualization, and mobility, for example, have all existed in some usable form for years, however, each is now attaining significant degrees of technical maturity, market acceptance, and the integration between them is rapidly increasing. The integration of these emerging technologies, and business understanding of them, appears to be reaching critical mass. As emerging technology has progressed, new economic realities have closely followed. We now observe a more active technology marketplace, a meeting of service buyers and sellers, each with respective roles, responsibilities, and challenges. This new environment is far more complex than the traditional technical product marketplace.
At the same time, we see business leaders as the ultimate purchase decision makers, the economic buyers in the new market who are integrating technology strategy into business strategy with substantially less reliance on internal tech experts than before. Historically, the introduction of new technologies into an organization was supported by knowledgeable specialists that had a rare understanding of the new technology. However, in today’s world the technology architecture is largely abstracted from the user/buyer and somewhat irrelevant; We can purchase and use SaaS and other cloud services without necessarily understanding how they are assembled. Vendors have succeeded in “dumbing down” the purchase decision, effectively removing the technician from the decision process. Therefore, the business decision maker can view subscribed or hosted services in the same way he or she views the acquisition of any other production technologies -- simply from a perspective of utility; deep technical knowledge is not necessary to derive business value from the technology.
As a result, the information security skills required of technology buyers and sellers are changing. In other words, the buyers (and therefore users) of new technologies derive little benefit from deep technical knowledge because the technologies are abstract; important details cannot be viewed, much less analyzed. Security professionals employed by technology buyers therefore should expect their emphasis to shift towards vetting and managing vendors as well as ensuring connectivity to hosted services. In such cases, IT strategy can be expected to originate in the business and not from the IT function.
From the seller (provider) perspective, however, technical knowledge is essential to build secure and reliable service architectures. And in the provider organization, the technical strategy is the business strategy, therefore security professionals should again expect to find themselves increasingly directed by business leaders. Customer-facing sales and account management staff in providers today are being trained on security talking points and must be prepared to answer the security challenges terms in the buyers’ business context. Security knowledge is therefore being diffused throughout provider organizations to a much greater extent than before as providers need to both ensure technical security as well as demonstrate security competency to purchasers.
Information security professionals should consider these trends as they make important career decisions and seek to develop new skills. Along with vertical market expertise, understanding of the unique challenges of the provider and buyer viewpoints, respectively, will become increasingly important. More generally, these trends should make positions based in or closely aligned with the business much more attractive than positions within the IT function. Unfortunately, current industry focus seems somewhat fixated on important, but merely fundamental messages, like the need for stronger passwords and more frequent patching. The technology environment has become more complex and interrelated, and security professionals would be well served to understand the new reality if they hope to continue to add value. Understanding the differences in security roles from provider and buyer perspectives may become essential to succeeding as a security professional.
About the author:
Paul Rohmeyer is the program director of the graduate information systems program at Stevens Institute of Technology. He provides technology risk management guidance to firms in the financial services industry, and previously held management positions in the financial services, telecommunications and pharmaceutical industries. Send comments on this column to firstname.lastname@example.org