Jay Heiser, a Gartner vice president, said the fundamental problem with a purely technical approach is that IT security professionals have no understanding of business. Speaking at last week's Gartner IT Security Summit in London, Heiser said businesses must now mature and appoint individuals who understand the complexities of business, rather than the simplicities of security.
A "risk management officer" is now more critical than the traditional security professional whose job is either a part-time distraction from network management, or to "scare money out of the CIO" or block projects that could have been beneficial to the organisation, Heiser said.
"You can take somebody straight out of college and they can manage your firewall," he added, urging businesses to get on with the more important task of understanding their risks and their priorities.
One company that has adopted the approach of using business-focused managers in senior security-focused roles is insurance giant Zurich.
Stefan Vogt, head of group IT risk at Zurich, told attendees that his company has outsourced the commodity aspects of IT and security, such as firewall and user provisioning, in favour of concentrating on more strategic issues.
"We don't consider managing the firewall to be our day-to-day job. We don't have people doing that within our organisation. We are now working on a strategic level," he said.
"It has gone away from being reactive to being proactive and looking to see what might go on," added Vogt, who said policy now tops his list of priorities, while the firewall is at the very bottom.
Adopting this approach has contributed to cutting annual IT spending at Zurich from nearly US$2 billion to "closer to US$1 billion," Vogt said.
By recognising risk early, rather than fighting threats reactively, Heiser argues there is also a large return on investment.
Companies that spend excessively on securing the perimeter, for example, may not have realise the greatest risk to their business is posed by the loss of intellectual property from within, as staff ferry portable devices in and out of the company unchecked, Heiser said.
"Stop being so technical and allow the business to become totally integrated with security," said Heiser, arguing that companies that continue to throw money at their IT department are living in "blissful ignorance" as far as the wisdom of their investment is concerned.
The ideal candidate for bridging this gulf, he said, will have communication skills and project management skills -- probably with a business school background majoring in risk management.
Heiser added that there is little hope of technically minded individuals making the leap into this new middle ground from within the IT department without them also having a rare understanding of the bigger business picture.
Paul Proctor, a Gartner vice president, added that regulatory pressures have already gone some way to forcing this change as companies realise the IT department, though involved in the process of compliance, is ill-equipped to understand the wider business ramifications.
Will Sturgeon of silicon.com reported from London.
As an advocate if business centric security methodologies for some time now I am thrilled that these concepts are starting to become more mainstream.
The reality is that Information Asset Protection is a core business requirement, that like all other business requirements, should be mandated at the board level as a strategic issue, not at the IT Department level where the issues can become lost amongst the rush to implement technology.
Until organisations truely embrace policy driven outcomes for information security, determined by the senior executive of the business, they do not have any hope of achieving regulatory or standards compliance for Information Asset Protection.