Just saying no won’t cut it as a security strategy anymore, Gartner's Tom Scholtz told govinfosecurity.com in an interview.
As the security needs of business evolve, so must the skills of security professionals. And as much as companies don’t want to invest in training people anymore, that’s exactly what Scholtz urges employers to do.
Employers traditionally focused on technology skills, infrastructure skills and some basic principles of policy management and information security, Scholtz explains. It was about controlling behavior and keeping the bad guys out.
Increasingly, he says, security skills overlap with business skills:
… competencies [are] starting to cluster around the ability to interact with the business more effectively, so it's competencies like understanding business terminology, competencies like communicating effectively with the business, the ability to link security technology projects to actual business initiatives and maintaining line of sight between security projects and actual business requirements and business strategies.
I previously quoted David Foote, co-founder of research firm Foote Partners, also saying that security requires more business acumen:
... There are security issues in finance and accounting, security issues in HR with privacy, security in marketing with social networking and information risk. These days, some security pros are reporting directly to marketing managers. Businesses need security people who understand how to manage product launches over Twitter. It's not the classic IT person, but it is an IT person nonetheless.
Rather than just keeping bad things from happening, security pros must demonstrate the value in their work or be subject to increasing budget pressures, Scholtz says. To do that, security efforts must be much more aligned with business requirements.
And to develop the security skills of the future, companies must invest in their staffs. Send them to courses in business, marketing, communications and presentation skills. Broaden their IT skills in aspects such as enterprise architecture.
Says Scholtz of finding the necessary security talent:
I think the shortage is not necessarily so much in the technical skills and the ability to manage firewalls and security technologies. The biggest shortage is of those individuals that both understand the security technologies and the security disciplines, and also understand the business and can actually relate to the business and communicate effectively with the business.