Information security professionals should plan to increase their technical and non-technical skills to ensure they are able to deliver value to their organisations in the future, according to an expert panel.
They should also seek to work more closely with all parts of the business, the panel told the (ISC)2 Security Congress for Europe, the Middle East and Africa 2015 in Munich.
“First, they need to understand that they will need to develop their skills in dealing with people, processes and technology, because only a comprehensive approach will work,” said David Shearer, chief executive officer of (ISC)2.
Next, infosec professionals need to break out of their security silo and engage with all parts of the business to help every department understand the relevance and importance of information security.
“They need to work to ensure everyone understands the role and relevance of information security in the same way they do for things such as human resources management,” said Georg Freundorfer, European security director for Oracle.
“Infosec professionals should work to bring security into the mindset of management by explaining the cyber security-related risks to the business, which in turn should encourage senior executives to provide the resources necessary to mitigate and manage those risks,” he said.
Confidence in security
This is also about information security professionals changing their approach to the business, according to Adrian Davis, European managing director of (ISC)2.
“They need to make information security more interesting and relevant by working harder at raising the awareness of executives and tailoring their messages to make it clear to different departments how they can add value to the business,” he said.
As part of the engagement process, Freundorfer said infosec professionals should ask business managers where they see the risks or specific threats to their department to identify how they can help business leaders to gain confidence in the ability of security to support them.
“Infosec professionals who stay inside their silo will always tend to be reactive. Instead they should find out from the business how they can help,” he said.
Supporting business goals
Another key strategy for information security professionals should be to identify the goals of the business and then demonstrate how they can support those goals, said Lorenz Kuhlee, senior investigative response and forensic consultant for the European risk intelligence team at Verizon.
“They should also assume that the organisation’s network has been breached and work to ensure they have the capability to detect breaches and respond quickly,” he said.
In working with the business, especially on new projects, infosec professionals should also ask business leaders about confidentiality, integrity and availability, said Sebastian Broeker, chief information security officer at Deutsche Flugsicherung.
“They are often so focused on the project – on delivering the new product or service – that even if they have considered security and privacy, they often have not considered confidentiality, integrity and availability of systems, services and data,” he said.
Empowerment of employees
Finally, infosec professionals should work with business executives to help them to understand the cyber threat environment and how it works, according to Ciarán Mc Mahon, psychology research and development co-ordinator at the RCSI (Royal College of Surgeons in Ireland).
“At a senior executive level, fear has a role to play. They need to understand that they have probably been hacked, and that it is just a question of finding out to what degree,” he said.
In a presentation on the cyber psychology of information security, Mc Mahon said that in general, fear is not a good tactic to encourage good security behaviour. “Responses are not uniform and the impact tends to wear off quickly,” he said.
Instead, Mc Mahon said infosec pros should aim to help everyone in an organisation to understand they are part of information security and have a role to play, even consulting employees on drawing up the information security policy that reflects their values and beliefs.
“The emphasis should be on delegation and empowerment of employees – even temporary employees need to see themselves as part of the organisation,” he said.
The human aspect of security remains a significant challenge, said Mc Mahon. “People should be the strongest security control in an organisation, but are often the weakest link,” he said.