
September 16, 2005 7:40 AM PDT

Don't trust security to techies alone, Gartner says

Businesses should no longer let techies dictate how a company secures itself, analyst firm Gartner said this week.

Jay Heiser, a Gartner vice president, said the fundamental problem with a purely technical approach is that IT security professionals have no understanding of business. Speaking at this week's Gartner IT Security Summit in London, Heiser said businesses must now mature and appoint individuals who understand the complexities of business, rather than the simplicities of security.

A "risk management officer" is now more critical than the traditional security professional whose job is either a part-time distraction from network management, or to "scare money out of the CIO" or block projects that could have been beneficial to the organization, Heiser said.

"You can take somebody straight out of college and they can manage your firewall," he added, urging businesses to get on with the more important task of understanding their risks and their priorities.

One company that has adopted the approach of using business-focused managers in senior security-focused roles is insurance giant Zurich.

Stefan Vogt, head of group IT risk at Zurich, told attendees that his company has outsourced the commodity aspects of IT and security, such as firewall and user provisioning, in favor of concentrating on more strategic issues.

"We don't consider managing the firewall to be our day-to-day job. We don't have people doing that within our organization. We are now working on a strategic level," he said.

"It has gone away from being reactive to being proactive and looking to see what might go on," added Vogt, who said policy now tops his list of priorities, while the firewall is at the very bottom.

Adopting this approach has contributed to cutting annual IT spending at Zurich from nearly $2 billion to "closer to $1 billion," Vogt said.

By recognizing risk early, rather than fighting threats reactively, Heiser argues there is also a large return on investment.

Companies that spend excessively on securing the perimeter, for example, may not have realized that the greatest risk to their business is posed by the loss of intellectual property from within, as staff ferry portable devices in and out of the company unchecked, Heiser said.

"Stop being so technical and allow the business to become totally integrated with security," said Heiser, arguing that companies that continue to throw money at their IT department are living in "blissful ignorance" as far as the wisdom of their investment is concerned.

The ideal candidate for bridging this gulf, he said, will have communication skills and project management skills--probably with a business school background majoring in risk management.

Heiser added that there is little hope of technically minded individuals making the leap into this new middle ground from within the IT department without them also having a rare understanding of the bigger business picture.

Paul Proctor, a Gartner vice president, added that regulatory pressures have already gone some way to forcing this change as companies realize the IT department, though involved in the process of compliance, is ill-equipped to understand the wider business ramifications.

Will Sturgeon of Silicon.com reported from London.

Utter nonsense
by September 16, 2005 10:53 AM PDT
The most dangerous person in technical matters is someone who's 'kinda' a techie. Someone who 'thinks' they know the topic, but doesn't realize they don't. Much of my career has been fixing major mistakes people like that make.

If you want a secure network, the last thing you want to do is hand the job over to Dilbert's pointy-haired boss.
I second that
by September 16, 2005 11:44 AM PDT
enough said.
"People Like That"?
by September 16, 2005 1:44 PM PDT
Undoubtedly, the configuration of a firewall appliance or an IDS should only be done by someone who understands how to properly configure the product or device. However, it's a grossly false assumption to believe that just because a person understands what a port filter is, they can also understand the big picture of regulatory compliance, best practice implementation, and risk-threat profiling that makes the port filter necessary in the first place. Yes, some people can do both -- but not many. If you're one of them, well then, bully for you. If not, you'll need to learn to recognize the value of security management and security implementation teams working together.

Security management is a *business* function; technology helps to facilitate it by providing mechanisms, but without a governance framework (such as policies, standards, sanctions, and the management structure to back them up) and assurance mechanisms (such as risk management), which are driven by *business* factors (not technology), your security program will have little chance to meet the real needs of your organization.

No doubt, implementation of security products and tools requires proficiency. But similarly, you don't need to know how to configure a port filter in order to develop a comprehensive security program -- instead, you *do* need to understand how to analyze information assets, assign value, and recommend solutions to mitigate threats. These are analytical *business* skills, not technical skills, and it's "people like that" working *in conjunction* with technical security implementers who make good security happen.

Without both types of people, the business unnecessarily exposes itself to risk, and the technical security team becomes just another unjustified IT expenditure to cull during budget season.
Excellent!
by The Harper September 16, 2005 11:11 AM PDT
This is actually a smart position for Gartner to take. If you think about it: What are two functions that can not be safely farmed out to India? Managing a company's firewall, and dictating that company's security policy.

So if you are one of the "sheep" companies out there that realizes that you just HAVE to outsource your entire IT department to India, Gartner's news is excellent! Now, you can still offshore your entire IT function, and when it comes to firewall and security management: Just hire an MBA!!

Or better yet, hire a Gartner analyst!!
A deluded viewpoint
by September 16, 2005 2:36 PM PDT
Software Analysts, Team Leads and Project Managers often have the best view of the business process from an IT standpoint. Organizations facing the problems aren't going to solve them in the manner outlined above, as no business major is going to understand the intricacies of electronic security.
Leave data and net security to the IT pros
by msims September 17, 2005 1:43 PM PDT
Turning the management of data and net security infrastructure over to senior management in any business is a recipe for disaster. Most may just have MBAs without technical computer backgrounds and lack the intensive training that's required for successful MCSEs.
Companies are starting to see this move as just another cost-cutting ploy to reduce money that's really needed for maintaining security of intranets and extranets as well as the secured data that's stored and accessed by millions of people worldwide.

Security is not just a set-it-and-forget-it one-time event; it's an everyday recurring challenge to patch, configure and implement the security needed for the everyday changes in security breaches and viruses which invade corporate datacenter servers every day.

Letting an MBA manage the IT security system is like letting a 5-year-old kid play with fireworks.
The realm of the MBA is strictly running and maintaining every business aspect, while that of the IT pro is to secure and maintain the confidence and trust of customer and business data.

To ask an inverse question: should an IT pro be concerned about profit margins at all? No. That's the job of the MBA, and neither should an MBA futz with the network which the IT pro has many years of experience building and maintaining.

Let the MBAs worry about the profit margins and ream through their spreadsheets, and leave the security patches and viruses to the IT pros who have years of IT training and expertise and know how to configure the systems best.
Written like a true anti-geek...
by September 17, 2005 7:45 PM PDT
I spent time working under a CIO/CFO that knew the numbers well, but didn't understand the function of security. I now spend time in the company of computer hackers to hone my skills for security. I can tell you one thing for certain, if your plan is to cut back on security spending, I have some friends that will be able to travel the country for a few more years, speaking on the lax security they find in the many companies that they consult for.

Your company's security is only as good as the amount of money you put into it. No system is truly secure, only fortified enough to make an adversary go away and find other pickin's. Given time, any system is vulnerable. I do agree that there is a fine line dividing adequate security and overkill. There is also a price tag on the downtime you get when you are brought to your knees by some kid in Germany who decides to make your server a warez server, based on some crack that Microsoft hasn't issued a patch for yet. I wouldn't hand over the reins to an MBA any more than I should be given control of the books. We all have our place, and mine is securing your borders, patrolling the network and watching for the next event. Your place is finding ways to bring in more money, not cut my budget to the bone to make your bottom line look better.

I use the pronoun "I" because I cannot speak for the masses. I speak on what I know from my experiences, and those of my colleagues. If your experiences say that you should cut back on security, putting a pencil pusher in place of a security professional, then by all means, do so. I or one of my people will be coming to see you in a year or so, putting the pieces of your fragmented security back together. Hopefully, you will have moved on to another venue, and we can go about making sure things are the way they should be.

I have a better idea. Meet me in the middle. I'll listen to your ideas, if you will listen to mine. Understand that I spend what you might think is a boring life pursuing what I love, security, and it is what I do. I am a professional. If you'll take me seriously, I will take you seriously. If we can work towards a common goal, one that we both agree on, then we might just get somewhere. Otherwise we'll probably argue, and I will make it where you can't get your stock quotes when you need them most. :)