The time has come for chief information security officers to become less tactical, more strategic.Tim Wilson, site editor at our sister site, Dark Reading, covered some comments from former CA CIO Dave Hansen. Hansen now heads CA's Security Management business unit.
This part of the story struck a cord with me:
For their part, security pros need to do a better job separating operational issues from strategic business issues, Hansen said. "You are serving as a security strategist in the organization. Don't allow yourself to be consumed by the day-to-day tactical demands of the job. Build a strong team so that you can deliver value to the C-suite. Build a security framework that matches the goals of the business."
Security people need to build their visibility within the organization, but not solely as the "cops" who say no to everything, Hansen said. Security teams should look for ways to enable the business to do more, rather than just disallowing activities that might pose a risk.
Security managers do need the ability to pull the plug on initiatives that will pose greater business risk than business value. But they need to clearly articulate why certain initiatives may pose more risk than they're worth -- such as applications that somehow soared through development without a single security check until two weeks before the go-live date.
They'll be more valued when they can master the art of helping to devise innovative systems and initiatives that meet business objectives but also can be deployed securely.
InformationWeek VP and editor in chief Rob Preston said it well in this column:
The sooner security pros can converse in the language of risk mitigation and business opportunity, the more they'll be involved in strategic planning and the less they'll be considered a cost center.