By Will Sturgeon, 15 September 2005 08:35
Analyst house Gartner has hit out at companies that let their techies dictate how the organisation secures itself, and has called on businesses to mature and embrace strategic rather than purely technical thinking.
Speaking at the annual Gartner IT Security Summit, Jay Heiser, research VP, said the fundamental problem with a purely technical approach is that IT security professionals have no understanding of the business.
He said businesses must now mature and appoint individuals who understand the complexities of business, rather than the simplicities of security.
Heiser said a 'risk management officer' is now more critical than the traditional security professional, whose job is either a part-time distraction from network management or, latterly, to "scare money out of the CIO" or to block projects that could have proven beneficial to the organisation.
Heiser said: "You can take somebody straight out of college and they can manage your firewall", urging businesses to get on with the more important task of understanding their risk and their priorities.
One company that certainly understands risk, and has adopted the approach of putting business-focused managers into senior security roles, is insurance giant Zurich.
Stefan Vogt, head of group IT risk at Zurich, told delegates his organisation has outsourced the commodity aspects of IT and security, such as firewall and user provisioning, in favour of concentrating on more strategic issues.
He said: "We don't consider managing the firewall to be our day-to-day job. We don't have people doing that within our organisation. We are now working on a strategic level."
"It has gone away from being reactive to being proactive and looking to see what might go on," added Vogt who said policy now tops his list of priorities, while the firewall is at the very bottom.
Adopting this approach has contributed to a halving of annual IT spend at Zurich from nearly $2bn to "closer to $1bn", said Vogt. And, by recognising risk early, rather than fighting threats reactively, Heiser argues there is also a large return on investment.
Heiser said no two companies are the same, and fire-fighting and throwing money at every emerging threat may not be relevant. Companies that spend excessively on securing the perimeter, for example, may not have realised that the greatest risk to their business is the loss of intellectual property from within, as staff ferry portable devices in and out of the company unchecked.
Companies must therefore look beyond the obvious technical solutions, said Heiser, and understand both operational risk and acceptable risk.
But traditional techies "are people for whom acceptable risk is an oxymoron", he added.
"If you're going to make profit you have to have risk. Taking risks is part of making a better business."
"Stop being so technical and allow the business to become totally integrated with security," said Heiser, arguing that companies that continue to throw money at their IT department are living in "blissful ignorance" as far as the wisdom of their investment is concerned.
The ideal candidate for bridging this gulf, he said, will have communication skills and project management skills; probably with a business school background majoring in risk management.
But he believes there is little hope of technically minded individuals making the leap into this new middle ground from within the IT department unless they also have a rare understanding of the bigger business picture.
Paul Proctor, a Gartner VP, added that regulatory pressures have already gone some way to forcing this change as companies realise the IT department, though involved in the process of compliance, is ill-equipped to understand the wider business ramifications.

Comments
There are 7 comments.
1. John Hall
Stop the press, where have I heard that comment before?
Is that the comment Microsoft uses for selling exchange?
OK, maybe that's a bit unfair, but that's how it sounds at first, and as for the comment
"You can take somebody straight out of college and they can manage your firewall"
I don't think so; colleges are anything up to two years behind commercial standards, and as such I wouldn't let them near an entry point till they'd had some more guidance.
Now let's get down to business: "strategic", lovely word, isn't it, but what does it mean? Well, in simple terms it's a movement that allows you to have more options in the future, so in this sense I could say that Apache and PHP are strategic as they give me more options than IIS does, but equally I could say it's strategic to have a secure network, as if nothing is working there's not a lot of point.
2. anonymous
It never was just a technical issue, as any real security professional will tell you. Hence the UK Government's CSIA. Hence the Jericho Forum.
3. anonymous
And yet another outsourcing scheme has been offered by the pundits of profit. At some point American businesses, and those who write for their consumption, will come to realize that the art of business is often more than just the bottom line and reduced overhead. Being self-sufficient and self-reliant are far more important issues and concerns. It would be better for businesses to grow their own technically astute managers and business-astute technical staff. A redevelopment of the corporate family is far more a necessity than finding a model of lean and mean. Yes, there are differences in the conceptualization process for business personnel and technical personnel, but bridges need to be created at least as strong as the Brooklyn Bridge. Imagine, if you will, the US military outsourcing its Air Force to France and its Navy to New Zealand, all in an effort to reduce overhead. Long-term solutions that may not produce immediate measurable results are difficult but essential. Companies must secure and control their own destiny and infrastructure, not place it in the hands of others. American businesses can only further weaken their position in the world market by jumping on the latest bandwagon in search of short-term solutions. While this article was merely a report on an event, I believe it feeds a feeding frenzy that is pervasive.
4. Lando
I agree. But then again... when was security NOT just a tech issue? The idea of IT security, in a nutshell and for most cases, is to protect BUSINESS assets, and you can't do that locked in your office with your head buried in a PGP manual.
Some may not like this, but it's business that drives IT, not the other way around.
5. anonymous too
Hmm, I bet if we looked at the service contract that Zurich has with whoever is managing their perimeter security, there will be lots of words about keeping the firewalls patched and up to date with the latest versions of software.
Although I applaud the ideas, I find these strawman statements both arrogant and hypocritical. Yeah, sure, Zurich are managing the problem strategically: they have outsourced it to someone to manage... derrr! That's what a lot of companies do anyway. Well done, Zurich, you successfully jumped on the bandwagon.
6. anonymous
Sounds like someone who has never suffered a major security breach.
Just wait until he loses money or credibility because the company that has been given control of network security screws up, because they haven't lived up to expectations, because they wanted to cut their bottom line and didn't want their techs to hold up the project because of "technical" reasons.
In a couple of years they'll be announcing that IT security skills are important and should be properly cultivated. This is because the outsourcers have followed the advice to cut their bottom line by reducing the amount of time spent on design and auditing.
7. Foodawg
This is just another example of short-term gain winning out over what's good for the business in the long term. It appears that the corporate officers' main focus is to rape the company for as much as they can while they are there for their 3 or 4 years. Reorganize every 6 months to buy time, rape the company into ruin, cash in your profits, and move on to the next one.