Cyber security has been changing constantly since before I started working at the National Security Agency in what is now the Information Assurance group. And while the pressures, technology, and people have changed over time, the underlying need to protect information, and the principles of confidentiality, integrity and availability, have remained the same. We do find ourselves in an important moment, however, as the economics of protecting information are changing due to four trends that are currently impacting the industry.
In this three-part series, we will explore these four trends that are shaping the industry today and will continue to have relevance in the years to come. Firstly, information security professionals of today can no longer ignore the need to find their business voice. Secondly, security and risk management are driving the growing need for information security professionals within the industry. Thirdly, the growing use of threat intelligence has emerged as another major trend. And finally, the combination of threat intelligence and log analysis, known collectively as continuous monitoring, has started to become widely discussed.
For today, let’s focus on the first trend, which is important to understanding the changing security industry: the need for information security professionals to find their business voice. According to IDC, “61% of enterprise technology projects are now funded by the business rather than the IT department”. Today’s available social, mobile, and cloud capabilities have moved IT spending from the technology team to the marketing, sales, and product teams. In short, the businesses we protect have begun turning to the cheapest and fastest technology provider to meet their needs. When businesses have to make the choice between social and mobile capabilities and a solution that would offer their organization more security, social and mobile win out almost every time. And while cloud is a more nuanced area, I still hear about business leaders shutting down big-C Cloud projects because of risk worries.
In an effort to find this business voice, information security professionals need to translate security concerns into business imperatives and help the business drive these external IT providers to offer security and risk management tools that protect company information and enable corporate security teams to work with the business to manage risk. Too often, external services offer only the most basic security. Following historical trends, that security is bolted on afterward, rather than designed in.
Todd Inskeep is a Senior Associate at Booz Allen Hamilton. He leads Cyber Security Assessments at client companies measuring, managing investment, and enabling improved Cyber security programs. Todd has served on the RSA Conference Program Committee since 2002.