The information security profession has reached an inflection point and is poised for growth, according to Adrian Davis, managing director for Europe, Middle East and Africa at ( ISC ) 2 .
“If we as a profession and as a society can create the conditions for success, we will see information security explode in the sense that there will be more interest in it and more demand for it,” he told Computer Weekly at the (ISC) 2 Emea Congress 2016 in Dublin.
He said the event itself was aimed at helping to educate members on an ever-wider range of security-related topics in consultation with members of the (ISC) 2 regional advisory council.
Davis said he would like (ISC) 2 to be at the forefront of information security’s change in direction by helping to improve understanding of the profession and he is keen to ensure the opportunity is not missed.
“It requires very careful handling,” he said. “It requires government, academia, information security professionals and the community to have a properly informed discussion about who does the training and education, who owns the risk, who delivers the benefit, and what it will achieve.”
Davis wants to change public perception so that information security professionals are seen as business people above all else, and he believes the role of (ISC) 2 is to help members to be as successful as possible in the profession to put it on a steep trajectory.
“My vision is to help create and support a thriving, diverse and open information security community to ensure we do not become some sort of coterie or clique,” said Davis.
He wants to dispel the perception that cyber security is something that belongs only to the realm of government rather than ordinary business and everyday life. He also wants to grow the information security community as a whole to include as many cyber security-aware people as possible.
“Information security is not just government stuff,” said Davis. “It is about people, society, business and the economy, which is why skills in these areas are also relevant, not just technical skills. And the more people who are cyber aware and can take in the basics, the easier it will be for the experts to deal with the tough stuff.”
Think more strategicallyHe said one of the key roles of (ISC) 2 is to provide the tools that information security professionals need, not just to do their day-to-day activities, but also to help them think more strategically about the business.
This is over and above the standard membership benefits available to those who attain (ISC) 2 certifications such as the CIISP and SSCP , said Davis. “We are continually looking to provide the tools and route maps to help people who come from the technical side to engage with the non-technical side, and vice versa,” he added.
Information security in the context of the digital world is barely 30 years old, said Davis. “We are still trying to define who we are, what we really do, and what we expect of people,” he said.
“But we are trying to do it in a world that is relentlessly technology-driven and consumer-focused, while other professions have been working these things out at a much slower pace and over a much longer time period of time without having to contend with the same rapid pace of change.”
Davis said it is challenging for information technology professionals to adjust, in a relatively short period of time, to a more business-oriented approach considering the profession’s technical roots.
Can’t be brilliant at everythingAs part of the maturation process, he believes information security professionals need to avoid setting too high expectations of themselves and to recognise that although there is a need for more business focus, they cannot be expected to be “brilliant” at everything.
Instead of beating themselves up for not being perfect, information security professionals should assess what gaps need to be filled most urgently in their own particular role and go in pursuit of the skills required to fill that gap, said Davis.
“In one company, a mainly technical chief information security officer may be perfect, while another company will require a CISO who is more of a risk manager than a technician,” he said.
“As important as it is to understand that each organisation’s needs are different, it is important to understand that cyber threats are business risks just like any other and that they need to be managed according to the organisation’s requirements and risk appetite.”
Only when organisations see cyber risks in the same terms as all other business risks will they be able to have informed discussions about the kinds of people and skills they need to ensure the security of the organisation’s data, said Davis.
“Without this understanding and without having those discussions, organisations will typically continue to hire people with the standard security qualifications and technical skills that may not necessarily meet the organisation’s particular needs,” he said.
Read more about information security skills Companies struggling to fill info sec roles should focus on finding people who can do what they need , not on qualifications, according to a security industry panel. Expert Joseph Granneman explains important business skills that information security pros need and how to acquire them as the discipline matures. Information security professionals need togrow their skills, engage with the business, increase security awareness, set business goals and tailor their messages , says a panel of experts. Which skills will boost the information security officer’s salary ?
Helping information security professionals to develop and enhance thei
