IT departments should not be calling the shots on security, according to Jay Heiser, research VP at Gartner Research. Instead, companies need to take a business-oriented, risk-management approach. Stepping back from technical details allows a company’s IT practices to be forward-looking, aligned with the core business, and to provide a better return on investment. Zurich Financial Services halved its IT costs by outsourcing the commodity aspects of IT and security and focusing on policy rather than the technical aspects of the firewall. Heiser says that IT training is not enough anymore, and that the job of managing IT risk requires a business school background with a major in risk management.
I would agree that risk management is an important part of computer security. You need to decide what is important, what it would cost if damaged, what it would cost to repair, and what it would cost to protect. That is a business decision, not a techie decision. However, if you remove the decision from the IT department itself, or remove it from the CIO or CSO, then there is a communications gulf that becomes difficult to cross.
It has always been the security tech’s job to explain what the problem is, how it will affect the business, and what it will cost to fix. Was I.T. training alone ever enough?
In the same vein, there is an article in SC Magazine that says the next generation of security experts will need to be as business-savvy as they are technically knowledgeable: “take your best and brightest security people and teach them more about business rather than worrying about getting them CISSPs and CISMs.”
Soft skills are essential. But that doesn’t mean you can just take a suit and turn him into an Information Security professional. At the same time, unless you want to get relegated to the basement (like I.T. pre-2000), you need to have the interpersonal skills, you need to be able to explain security issues, and you need to be able to communicate with your manager, your director and your CIO and relate why this is important.