Opinion: Information Security - Shaping the Future

Security has been a function of IT for as long as I’ve been around

With a career in IT longer than I am willing to admit (suffice to say that it all began in a time when dinosaurs ruled the earth!), I am a relatively recent recruit to the Information Security profession. Not that the concept of security was new or strange; after all, security has been a function of IT for as long as I’ve been around. The thing is that the landscape has changed, and those changes are exciting and challenging, and that’s what hooked me.

Until the Internet came along and became the new way of life, the concept of computer security was largely confined to a narrow band of IT security administrators and specialists embedded deep within the shadowy realms of IT. 

With the evolution of IT in its myriad forms and wide-scale usage, security practices, complexity and scope have not only grown exponentially, but the broader-reaching Information Security has emerged to apply control, context and relevance around information in all its forms – digital or otherwise. In other words, a one-size-fits-all security solution doesn’t cut it. This development represents a fundamental shift that security professionals and those who employ us need to consider.

A demand is created for a different type of skill set and organisational positioning which doesn’t necessarily align to the traditional IT Security profile.

There is an important and enduring link between IT and Information Security; however, they offer distinctly different services:

  • IT Security is concerned with the technology that handles information and, as the title suggests, is a function within IT. Areas of responsibility may include security control design, maintenance, monitoring and operations.
  • Information Security is concerned with the security of information regardless of the form it takes across an enterprise.  As such it is necessary to understand the information, the business, the culture, who uses that information and how it is used, security awareness and education, applicable legal and regulatory requirements as well as suitable policies, technical and procedural controls. 

This is not common knowledge and, from experience, these two areas are deemed interchangeable by many in the IT industry and even across security.

I’m talking basic stuff here but the message doesn’t seem to be out there or well understood.  Many companies still persist in rolling up Information Security into an IT function, generally producing painstaking and piecemeal results.  Aside from a potential conflict of interest, there is generally a lack of authority, jurisdiction, resources and often knowledge beyond IT to drive Information Security practices, yet somehow magic is expected to happen.

It is clear to me that Information Security is in the throes of change and that we are trail blazers, shaping the future of not only security but how organisations think and do things.  That’s powerful and exciting. 

Whether it is engaging a vendor, writing a contract, developing a business case or designing a system or process, we are influencing these activities. That is a major shift from the IT shop that security was, in many cases, only 5 years ago.

To use an analogy, Information Security has been going through puberty and struggling with growing pains.  To really stand up and be heard, as an industry and as individuals, we need to be assertive, consistent and innovative in articulating what our roles and responsibilities are and demonstrating the value we can contribute to the business.  Not an easy task but I am certain we are clever enough to rise to the challenge.

Stories by Sue Strodl
