The Security Skills Shortage No One Talks About - InformationWeek

Comments
Ashu001,
User Rank: Ninja
9/23/2014 | 12:26:04 PM
Re: The Security Skills Shortage No One Talks About
GonzSTL,

True.

The CIO cannot always be trusted to make an objective decision between various conflicting needs in an organization.

Security should preferably report either to Finance/Compliance or directly to the Board of Directors.

 
Ashu001,
User Rank: Ninja
9/23/2014 | 12:23:05 PM
Re: The Security Skills Shortage No One Talks About
GonzSTL,

I have no doubt that you will prove to be (already are) an awesome teacher, and your students will most definitely be thanking you for your hard work with them today (in the future, when they graduate and start working).

Yes, it would be better if Security reported directly to Finance (via Compliance) instead of reporting via IT.

Security, just like Governance, is very much an independent team today which shouldn't be influenced or suppressed by IT.

 
GonzSTL,
User Rank: Strategist
9/22/2014 | 4:08:53 PM
Re: The Security Skills Shortage No One Talks About

@ChrisMurphy Separation of duties is a fundamental principle of regulatory mandates such as SOX and GLBA. I believe that mutual fund company falls under those regulations. This principle applies to IT also, especially in the realm of security. Unfortunately, I do not have statistics regarding the separation of those functions in organizations. Forward-thinking organizations are taking that strategy, but many are still in the belief that their current CIO is able to make an objective decision when faced with a tie breaker. Whereas that may be true of their current CIO, what happens when the CIO leaves? It is a bad legacy to leave behind. What is the guarantee that the replacement will be just as objective? Maintaining that status quo displays a lack of vision, and opens up security challenges in the future, if not already in the present.

ChrisMurphy,
User Rank: Author
9/22/2014 | 3:53:53 PM
Re: The Security Skills Shortage No One Talks About
I have discussed that separate reporting for security and IT functions with a few companies, specifically a mutual fund company comes to mind, but I don't have a good sense of how common that is. Do you have a sense if it's the exception or the rule? I would think as more companies see the fallout from security breaches, that boards and CEOs will push for this independent security function.
GonzSTL,
User Rank: Strategist
9/22/2014 | 1:06:09 PM
Re: The Security Skills Shortage No One Talks About
@Ashu001 It is not necessary for Security to have a seat on the Executive board - some small companies do not have many on the board itself. What is really important is that the lines of reporting and accountability should be different. If there is no CSO/CISO, then have security report to some executive other than the CIO/CTO if they exist. IT and Security, although rooted on the same foundations, should eventually diverge to enforce a separation of duties and avoid the negative consequences of any conflict of interest.

On another note, I am sure that some of my students do not appreciate the amount of work they have to do, or the effort they must put into the communication criteria I like to impose, but I am not there to win a popularity contest. I simply want to prepare them for something they will surely face in their future work environments. It is gratifying to see how their work has radically changed for the better, though.
Ashu001,
User Rank: Ninja
9/22/2014 | 12:16:44 PM
Re: The Security Skills Shortage No One Talks About
GonzSTL,

Brilliant points, them all!

I am very sure that you make a brilliant teacher at university (and your students are really, really lucky to have you on board).

Basically what you are saying is that Security should have a seat at the executive decision-making board.

But that happens only in companies where they have a CSO or CISO.

In other firms it's usually the CIO/CTO who handles and looks at Security.

When you have Security meshed amongst many other priorities, Security usually tends to take a backseat.

Sad but true experience.

 
Ashu001,
User Rank: Ninja
9/22/2014 | 12:10:52 PM
Re: Security requires a conversation among peers
Charlie,

Very true!

It's this degrading of peers which needs to be prevented (and the resultant ego clashes to boot as well).

We all can save enormous time, money and resources in the process if we just stay disciplined and organized about and around this principle.

 
Ashu001,
User Rank: Ninja
9/22/2014 | 12:07:45 PM
Re: The Art of How do we get to YES.
Aws0513,

Super post!

Just wanted to add something else here: it's important for organizations to add a dollar value (as close as possible) on the data they would like IT-Security to secure.

When you get dollar values for everything on the table, it becomes so much easier to decide when to say yes and when to say no, to whom and over which issue.

Does it make sense to spend 10000 dollars for security products, software, processes, etc. to protect data which is maybe at best worth 100 dollars?

I don't think so.

This is very much an emerging area of IT administration and management; the sooner IT organizations get on top of it, the better it is for everyone concerned.

 

 
Ashu001,
User Rank: Ninja
9/22/2014 | 12:00:21 PM
The Writers Deserve an award for Stating Things so clearly.
Dear Writers,

You both deserve a massive, massive thank you and award just for sharing these lines with the wider IT audience:

"I need people who understand that they are here to help the business make money and enable the business to succeed -- that's the bottom line. But it's very hard to find information security professionals who have that mindset," a CISO at a leading technology company told us.

It's something which sounds so basic and simple, but it's so, so true and so ignored today!

As a security pro myself, I get the idea that security can be a mega-complex, mega-engrossing and messy affair which requires us to be tuned into the latest trends and whatnot (which are often changing on a weekly and sometimes daily basis as well), because that's what got us into this profession (and keeps us there) today.

However, not everyone cares or understands this about security. It's important to balance our personal passion for the job with what the needs of the business are, which are always paramount.

After all, if there is no business, what's the point of IT and security for that matter?

Getting the right balance in place is mega-critical.

 

 
Charlie Babcock,
User Rank: Author
9/19/2014 | 6:40:10 PM
Security requires a conversation among peers
Knowing the business and being able to talk technology to business people are soft skills that have always been in style, if in short supply on the IT staff. It's the meshing of goals that requires a conversation among peers, and too often, someone in the conversation gets degraded from peer level, by one side or the other, before an agreement can be reached.