
Don't trust it to your techies alone, they're doing you no favours...
Published: 15 September 2005 08:35 GMT
Analyst house Gartner has hit out at companies who are allowing their techies to dictate how the organisation secures itself and has called upon businesses to mature and embrace strategic rather than technical thinking.
Speaking at the annual Gartner IT Security Summit, Jay Heiser, research VP, said the fundamental problem with a purely technical approach is that IT security professionals have no understanding of the business.
He said businesses must now mature and appoint individuals who understand the complexities of business, rather than the simplicities of security.
Heiser said a 'risk management officer' is now more critical than the traditional security professional whose job is either a part-time distraction from network management, or latterly to "scare money out of the CIO" or block projects which could have proven beneficial to the organisation.
Heiser said: "You can take somebody straight out of college and they can manage your firewall", urging businesses to get on with the more important task of understanding their risk and their priorities.
One company which certainly understands risk and has adopted the approach of using business-focused managers in senior security-focused roles is insurance giant Zurich.
Stefan Vogt, head of group IT risk at Zurich, told delegates his organisation has outsourced the commodity aspects of IT and security, such as firewall and user provisioning, in favour of concentrating on more strategic issues.
He said: "We don't consider managing the firewall to be our day-to-day job. We don't have people doing that within our organisation. We are now working on a strategic level."
"It has gone away from being reactive to being proactive and looking to see what might go on," added Vogt who said policy now tops his list of priorities, while the firewall is at the very bottom.
Adopting this approach has contributed to a halving of annual IT spend at Zurich from nearly $2bn to "closer to $1bn", said Vogt. And, by recognising risk early, rather than fighting threats reactively, Heiser argues there is also a large return on investment.
Heiser said no two companies are the same and fire-fighting and throwing money at all emerging threats may not be relevant. Companies who spend excessively on securing the perimeter, for example, may not have realised the greatest risk to their business is posed by the loss of intellectual property from within, as staff ferry portable devices in and out of the company unchecked.
Companies must therefore look beyond the obvious technical solutions, said Heiser, and understand both operational risk and acceptable risk.
But traditional techies "are people for whom acceptable risk is an oxymoron", he added.
"If you're going to make profit you have to have risk. Taking risks is part of making a better business."
"Stop being so technical and allow the business to become totally integrated with security," said Heiser, arguing that companies who continue to throw money at their IT department are living in "blissful ignorance" as far as the wisdom of their investment is concerned.
The ideal candidate for bridging this gulf, he said, will have communication skills and project management skills; probably with a business school background majoring in risk management.
But he believes there is little hope of technically minded individuals making the leap into this new middle-ground from within the IT department without them also having a rare understanding of the bigger business picture.
Paul Proctor, a Gartner VP, added that regulatory pressures have already gone some way to forcing this change as companies realise the IT department, though involved in the process of compliance, is ill-equipped to understand the wider business ramifications.