Opinion: Now is the time for IT to update its information security program

Computerworld - The good news for security teams is that they are more visible to the business than ever before. High-profile data breaches, costly compliance requirements, and a bleak economic market mean companies are more willing to invest in information security to protect their digital assets. But there's bad news, too: Security teams are more visible than ever. With visibility comes an increased set of responsibilities.

Chief information security officers (CISO) have long enjoyed a love-hate relationship with the business. They often serve as strategic counsel and help advise the business on the risks being undertaken. When times are good, companies generally have a stable risk appetite, and CISOs help avoid potential threats to the business. But when times are bad, companies are tempted to change their risk posture in order to enter new markets, reach out to customers through new channels, augment staff, etc. That's when the CISO's job gets tricky.

I've had the opportunity to interview dozens of CISOs over the last few months as Forrester prepares for our upcoming Security Forum in September. Sure, there are lots of tactical questions that come up like "What's the best way to tackle data security?" and "Are other CISOs experiencing head count or budget reductions?" But increasingly, I've seen a clear inflection point in these conversations. CISOs are acknowledging that times are bad, but they're actually pretty comfortable with that. The challenge -- and here's where things get tricky -- is to prepare for what comes next. For security and risk management professionals, the inevitable upturn in the global economy is scary. Why? Because it's an unknown, and CISOs are tasked with the nearly impossible imperative of quantifying the business impact of the unknown.

So, as we enter the second half of 2009, Forrester strongly believes that CISOs and their security and risk management staff must continue to stay one step ahead of their business and IT peers. If you're in the security industry, then it's time to polish off that crystal ball and see where you fit in the new world.

Why you need to navigate a new security and risk landscape

Shift happens. As a security and risk management professional, you need to deal with the consequences. As an industry, we've been discussing "change" for years: how the future of IT will bring dramatic changes to workplace dynamics, sourcing models and application portfolios. But change is no longer hypothetical -- it's real. You need to move beyond discussions of the economy plunging into free fall and the resulting decrease in budgets, jobs and discretionary security projects. Instead, you need to understand how to navigate the new security reality in today's topsy-turvy business climate. Your challenge is to rethink the role of security within your enterprise by finding ways to get close to the business; create efficiencies with governance, risk and compliance (GRC); establish the right set of priorities; and implement an architecture that responds to these security shifts.