The Info Security Role Continues to Shift
Cloud Security Alliance Executive Director Jim Reavis says security roles will change depending on the organization—whether it’s a cloud provider or cloud consumer. Providers will need to be able to offer the whole stack of security expertise and technologies, while consumers will be looking to leverage higher layers of the cloud stack: SaaS (Software-as-a-Service) and PaaS (Platform-as-a-Service).For security professionals working at organizations that are cloud consumers, this may mean a shift from operational skills to application skills, and closer work with business units. Security professionals also need to help organizations ask the right legal and technical questions of a cloud provider to ensure their data is protected.
“As
information security professionals juggle multiple security initiatives
and compliance mandates, their role continues to shift from technical
operations to strategic, policy-oriented responsibilities.”
At smaller companies, where the information security manager wears a
lot of different hats, the role was more passive than at a midsize
company, where security managers tend to have more leverage to delay
projects due to security issues. Info security executives at large
enterprises appear to have the most influence on cloud projects.The Explosion of Mobile Devices
While security professionals wrestle with the security implications of cloud computing projects, they also are contending with the proliferation of mobile devices in the enterprise. More and more employees are bringing their iPhones, iPads, and other devices into the workplace and senior executives are eager to use the latest technology.
Senior executives are making security a priority in their adoption of mobile devices and telling security teams to figure out how the company can use the devices securely, says Phil Cox, principal consultant at security consulting firm SystemExperts. “Unlike many years ago, when security was an afterthought, it’s an initial thought,” he says.
Ongoing Role Shift
According to TechTarget, an online IT media firm, 55% percent of surveyed information security pros said their role has shifted from a highly technical and implementation focused one to having a heavier focus on policy, regulations and legal issues.
Oftentimes with new technology, businesses push ahead and security is an afterthought. But information security job candidates are getting asked about their knowledge of cloud computing, indicating that companies are thinking about security at the architectural stage of cloud initiatives.
Jonathan Gossels, president and CEO of SystemExperts says, “Instead of people being dedicated to hands-on security work, most security professionals are in charge of setting policy, evaluating technologies and dealing with regulations. The day-to-day security operations have been increasingly rolled into other IT operations.”
Ron Woerner, a cyber-security professor at Bellevue University says, “This trend continues today as more security professionals realize the necessity to understand and utilize risk management practices in their day-to-day activities. Security must collaborate with business partners in order to effectively manage risks and provide the appropriate levels of security controls.”
Technology Buyers & Sellers
Security professionals employed by technology buyers should expect their emphasis to shift towards vetting and managing vendors, as well as ensuring connectivity to hosted services. In such cases, IT strategy can be expected to originate in the business and not from the IT function.
From the seller or provider perspective, however, technical knowledge is essential to build secure and reliable service architectures. And in the provider organization, the technical strategy is the business strategy; therefore, security professionals should again expect to find themselves increasingly directed by business leaders.
Customer-facing sales and account management staff in providers today are being trained on security talking points and must be prepared to answer the security challenges terms in the buyers’ business context. Security knowledge is therefore being diffused throughout provider organizations to a much greater extent than before as providers need to both ensure technical security, as well as demonstrate security competency to purchasers.
Social Share
No comments:
Post a Comment