Operational and tactical considerations continue to dominate the IT security agenda, despite a growing need for more strategic approaches to data protection, said attendees at the Computer Security Institute's annual conference in Washington, D.C., this week.
Contributing to the status quo is a troubling lack of communication between security organizations and business units, as well as the challenges of dealing with an increasingly complex environment of threats to IT systems, security managers said. "We're still fighting a lot of yesterday's battles," said Fred Trickey, information security administrator at Yeshiva University in New York.
Instead of focusing on ways to make IT security an enabler of business initiatives, security managers spend far too much time dealing with unreliable code and chasing the latest viruses, worms and spyware, Trickey lamented.
"We've no choice," he said, adding that many IT security staffs don't have the resources or management support they need in order to become more proactive.
Tony Spinelli, vice president of information security at First Data's merchant services group, agreed that security initiatives have to be about more than just mitigating threats. But Spinelli said he thinks that a lack of understanding of business needs on the part of security managers is a big source of the problem.
"What's really needed is more of a strategic planning process that involves business executives and technologists," Spinelli said. Instead, security managers all too often offer "nothing by way of a long-term strategy" for IT security.
Security practitioners need to learn to speak the language of business users and try to understand the kinds of problems they're facing, according to Roger Fradenburgh, a consultant at Greenwich Technology Partners.
For example, working with the business side to classify data and determine the level of protection it needs is a good way for security staffs to demonstrate their value and deliver a tangible return on investment, Fradenburgh said. But the continuing failure of many security managers to communicate in such a fashion has created a perception among end users that IT security is an impediment to business.
"In a lot of situations, business people look at the security people as purveyors of fear who are always saying that the sky is falling," Fradenburgh said.
Changing business requirements and the growing complexity of threats can keep security managers tied to operational and tactical issues -- even if they want to focus on broader ones, said Terri Curran, director of information security at Bose.
Curran and other conference attendees noted that they're also being pinned down by mounting regulatory requirements and the increase in the number of opportunities for attacks fostered by the adoption of technologies such as wireless LANs and Web services applications.
"The complexity of the day-to-day world is increasing by leaps and bounds," said Joseph Popinski, director of network security at Information Engineering, a security consulting firm. "You can get very bogged down in the operational stuff."
Issues such as network access control, intrusion detection, network operations and help desk functions can take up much of a security staff's working hours, said Popinski.