The good news for security teams is that they are more visible to the business than ever before. High-profile data breaches, costly compliance requirements, and a bleak economic market mean companies are more willing to invest in information security to protect their digital assets. But there's bad news, too: Security teams are more visible than ever. With visibility comes an increased set of responsibilities.
Chief information security officers (CISO) have long enjoyed a love-hate relationship with the business. They often serve as strategic counsel and help advise the business on the risks being undertaken. When times are good, companies generally have a stable risk appetite, and CISOs help avoid potential threats to the business. But when times are bad, companies are tempted to change their risk posture in order to enter new markets, reach out to customers through new channels, augment staff, etc. That's when the CISO's job gets tricky.
I've had the opportunity to interview dozens of CISOs over the last few months as Forrester prepares for our upcoming Security Forum in September. Sure, there are lots of tactical questions that come up like "What's the best way to tackle data security?" and "Are other CISOs experiencing head count or budget reductions?" But increasingly, I've seen a clear inflection point in these conversations. CISOs are acknowledging that times are bad, but they're actually pretty comfortable with that. The challenge -- and here's where things get tricky -- is to prepare for what comes next. For security and risk management professionals, the inevitable upturn in the global economy is scary. Why? Because it's an unknown, and CISOs are tasked with the nearly impossible imperative of quantifying the business impact of the unknown.
So, as we enter the second half of 2009, Forrester strongly believes that CISOs and their security and risk management staff must continue to stay one step ahead of their business and IT peers. If you're in the security industry, then it's time to polish off that crystal ball and see where you fit in the new world.
Why you need to navigate a new security and risk landscape
Shift happens. As a security and risk management professional, you need to deal with the consequences. As an industry, we've been discussing "change" for years: how the future of IT will bring dramatic changes to workplace dynamics, sourcing models and application portfolios. But change is no longer hypothetical -- it's real. You need to move beyond discussions of the economy plunging into free fall and the resulting decrease in budgets, jobs and discretionary security projects. Instead, you need to understand how to navigate the new security reality in today's topsy-turvy business climate. Your challenge is to rethink the role of security within your enterprise by finding ways to get close to the business; create efficiencies with governance, risk and compliance (GRC); establish the right set of priorities; and implement an architecture that responds to these security shifts.
To get started, Forrester recommends that you must master three major shifts: 1) a shift in business expectations; 2) a shift in ownership; and 3) a shift in security architecture.
Shift in expectations: Modernizing your security and risk management practice
In the next 12 months, you'll need to modernize your SRM practice -- in a world where security budgets are flat or down. You must re-evaluate how you are communicating with your business peers, streamline your organizational structure, examine your staff to make sure you're hiring and developing the right security talent, and even reassess your own skills and leadership capabilities. You'll need to realign expectations by focusing on a more streamlined org structure and improved metrics that measure and demonstrate value to the business. You'll also need to identify the emerging skill gaps and recruit top talent with concentrations in data security, cloud computing, risk management and GRC.
Shift in ownership: Protecting data outside your four walls
A new generation of outsourcing and the consumerization of IT are usurping control from IT. The introduction of cloud computing gives IT the flexibility to tactically outsource IT services. At the same time, your workforce is demanding more flexibility, and employees sporting consumer-grade gear are eroding traditional security controls. The result? You don't own your data anymore. You need to get up to speed on how to govern and secure data housed with external providers and employees, rethink new outsourcing and employee contracts, embrace Tech Populism (Forrester's term for empowered employees who use consumer IT products and services in the workplace), extend audit controls to third parties, and determine which security services belong in the cloud.
Shift in security architecture: Building a flexible, compliant foundation
An unbounded enterprise requires a unique approach to security architecture. Enterprises bemoaning the weakening security perimeter need to think how to architect an IT environment that embraces cloud computing, hosted services, Web 2.0, consumer devices and virtualized assets. Your CIO needs you to retool your information security architecture to ratchet up identity and access management, data security and an evolved security operations center. Oh, and of course, you must do all this while not only controlling costly compliance requirements but also using them as a basis for building a resilient security foundation. The savvy companies are already turning to prescriptive mandates like PCI DSS to shape that foundation.
Determining your 2010 infosec priorities
Although all of these shifts are critical and will reshape your company's information security priorities, it will be difficult to tackle all three at once. Forrester recommends that you start by focusing on the shift in ownership -- specifically, the pressures introduced by IT consumerization. Why? Because it's the biggest unknown, and your job is to quantify the business impact. Realigning business expectations and building a new security architecture have a renewed sense of urgency, but they're not new problems. However, mitigating the risks imposed by the frighteningly fast-paced introduction of consumer hardware like iPhones, netbooks and Macs combined with consumer software like Google Docs, Twitter, Facebook and TripIT should be your first priority. No longer can CISOs simply play the "veto card" and prevent the use of such technologies in the workplace. Entering 2010, you'll need to get on board with business demand, update new acceptable-use policies to include consumer hardware and social media, and implement technical controls to monitor data as it flows outside the four walls of your organization.
Robert Whiteley is a vice president and research director at Forrester Research, where he serves security and risk professionals. He helps craft Forrester's research agenda for chief information security officers. He will be hosting and speaking at Forrester's Security Forum, Sept. 10-11, in San Diego.
Forrester is offering Computerworld.com readers a $405 discount off the standard conference rate for Forrester's Security Forum 2009. To register, call Forrester Events at 888-343-6786 and reference VIP Code SF9CWD.
The discount applies to new registrations at the standard, non-client rate. It cannot be combined with other offers.