The nature of the IT security job within most organizations is going through a subtle, yet critically important, transformation. Instead of trying to prevent things from happening that might jeopardize the security of the organization, security professionals are increasingly being charged with finding a secure way to allow thing to actually happen.
For instance, while using Dropbox.com to share sensitive data creates a lot of risk for the organization, it’s become clear that most organizations need a secure way to share sensitive data. Gary Loveland, principal and leader for of the global security practice for PwC, says that means that the people charged with security responsibility within the organization are being asked to find a way to actually make that happen.
In a series of videos that can be found here, executives from the IT and business consulting firm highlight how security professionals are increasingly transforming end to end business processes to make them secure. Instead of routinely saying no to anything that might have any attenuating risk, Loveland says security professionals says that security professionals are being asked to balance security versus productivity. That doesn’t mean allowing anything to happen in the name of productivity, but it does means not preventing things from happening by finding more secure alternatives.
Unfortunately, Mark Lobel, a principal with PwC, adds that too many security professionals are still focused on fighting the last battle. They are spending most of their time trying to prevent the last breach from recurring again, rather than working through a more strategic approach to risk management. Business by definition is risky. The challenge is to find ways to secure the company’s most important intellectual assets rather than making certain that every last port on the edge of the network is closed.
Organizations and nation states have been stealing intellectual property from each other since the dawn of time. Today that activity has moved into cyberspace where it’s increasingly becoming easier to target specific types of data and even the individuals that are most likely to possess it. The important thing from a security perspective is that transactions need to be conducted, which means that security needs to be seen more as an enabler for making that happen versus an inhibitor that everyone feels compelled to work around.