Envisioning the security team of tomorrow
Certain skill sets may be a commodity in the IT field these days, but EMC's Security for Business Innovation Council's latest report may have some solutions for building an effective security team
By Steve Ragan, Staff Writer
September 16, 2013 — CSO — A growing skills shortage in IT has created both problems and opportunities, the result of which will mean that the security team of tomorrow is going to be much more diverse. With that in mind, EMC's Security for Business Innovation Council has published seven recommendations to make the transition easier.
In a new report from EMC's Security for Business Innovation Council (SBIC), the notion of building the security team of tomorrow is examined, as are the reasons for it. Last year, business leaders had their eyes opened to the fact that 25 percent of mid-market and enterprise organizations reported a "problematic shortage" of IT skills, along with the fact that 83 percent of enterprise organizations reported that it was difficult to recruit and hire information security specialists.
According to the SBIC report, information security is no longer just about implementing and operating security controls; the mission has evolved to "include advanced technical and business-centric activities such as: business risk analysis, asset valuation, IT supply chain integrity, cyber intelligence, security data analytics, data warehousing, and process optimization."
This mission growth translates into a need for specific skill sets, but the shortage of such talent makes building an effective team a monumental task. However, with this problem comes an opportunity.
"In many organizations, personnel outside of security are starting to realize that they — not security — own the risks to their information assets and they need to actively partner with security to manage those risks," the SBIC report states.
"To be successful, the information security function is a cross-organizational endeavor, with security processes deeply embedded into business processes."
In the not-so-distant future, the security team of tomorrow will include personnel within IT, business units, and departments throughout the organization, including legal, procurement, and marketing. The core security team, which is what exists today, will work with the others to coordinate the overall efforts, while focusing its energies on tasks that require specialized knowledge or centralization.
"The core security team's expertise should be primarily focused on delivering consulting, providing direction, driving strategy, identifying and explaining risks to the business, understanding threats, and moving the organization forward — not be encumbered by the day-to-day routine operational activities," said Bob Rodger, Group Head of Information Security for HSBC Holdings.
The SBIC has offered seven recommendations designed to help organizations build their extended security team over time. CSO has included a brief overview of those suggestions below. Additional details can be found in the full SBIC report.