How IT Security Roles are Changing in the Face of Broader Risk Issues

We’ve recently discussed how trends such as the Internet of Things and mobility have affected IT security. We’ve also touched on ways that more thorough measures can be implemented to rise to the challenges they create. But what about your role as the IT professional in the face of these burgeoning security challenges? Not only do you need to understand these new challenges, you must also implement the safeguards. How will you need to shift your focus to survive and thrive in a new world of security-obsessed organizations?

The change to the security landscape also means real change in how your organization protects its infrastructure.

There are many more points for intrusion, including web services, cloud access and storage, BYO and mobility, making it virtually impossible for any single individual or group of individuals to monitor every possible point of entry. “Today's WAN has so many doors, we can no longer expect to have a security specialist standing guard at each one,” says Jay G. Heiser, research director at Gartner.

Likewise, what used to be the wheelhouse of the IT security specialist — implementing firewalls, installing anti-virus software and deploying other perimeter controls — has become more of a commodity-oriented task, one that is now often handled by administrators, consultants, and even end users themselves.

That means you can be relieved of some of the operational burdens previously placed upon you. In their place, you must develop new skills that empower your organization and your users to make intrusion prevention an integral part of their everyday practice. Instead of investing time addressing problems that have known solutions, your focus should shift to the new problems brought about by greater levels of connectivity and portability. This should include a better understanding of your organization's risk profile, in addition to information security.

Some modifications in both thinking and approach for the evolving IT security pro should include:

  • Making security more of a business issue than a technology one, and promoting a security mindset that involves the entire organization, not just the IT department
  • Moving beyond managing devices to managing vendors and consultants
  • Educating all end users on information risk and security safeguards to minimize unintentional missteps
  • Setting policies that align with organizational culture and technology, and then communicating them thoroughly

“Security professionals have so much to offer in providing value and increasing profit through a more mature risk management process,” says Jeff Spivey, international vice president of ISACA and director of Security Risk Management Inc. “Change management, culture, monitoring of risk, mobility and BYOD all demonstrate the accelerated pace of risk due to new and better technologies. The secret is in establishing the correct framework to understand and manage new and evolving risk to the enterprise.”

In the last few posts we’ve reviewed the new security landscape and how it’s affecting IT processes and the people who implement them. What else can be done to further protect your environment and that of your constituencies? For more information and a helpful list of controls, check out our new white paper: Protecting Your Network and Endpoints with the SANS 20 Critical Security Controls.