A new research report released by RSA, The Security Division of EMC, from the Security for Business Innovation Council reveals the composition of a forward leaning security program” starting with building a next-generation information security team to the lifecycle management of cyber risks in today’s global enterprises. The last 18 months have seen big changes in the overall requirements for success for information security teams against a backdrop of a hyper-connected business environment, evolving threat landscape, new technology adoption, and regulatory scrutiny. In response to this changing environment, essential activities and responsibilities of enterprise information security teams are very much in transition. The latest report titled,” Transforming Information Security: Designing a State-of-the Art Extended Team,” argues that information security teams must evolve to encompass skill sets not typically seen in security, such as business risk management, law, marketing, mathematics, and purchasing. The information security discipline must also embrace a joint accountability model in which responsibility for securing information assets is shared with the organisation’s line of business managers and executives who are beginning to understand that they ultimately own their own cyber risks as a part of business risk. Many of the advanced technical and business-centric skills needed for security teams to fulfil their expanded responsibilities are in short supply and will require new strategies for cultivating and educating talent, as well as leveraging the specialised expertise of outside service providers. To help organisations build an extended security team, the Council drafted a set of seven recommendations, which are detailed in the report: 1. Redefine and Strengthen Core Competencies” Focus the core team on increasing proficiencies in four main areas: cyber risk intelligence and security data analytics; security data management; risk consultancy; and controls design and assurance. 2. Delegate Routine Operations” Allocate repeatable, well-established security processes to IT, business units, and/or external service providers. 3. Borrow or Rent Experts” For particular specialisations, augment the core team with experts from within and outside of the organisation. 4. Lead Risk Owners in Risk Management” Partner with the business in managing cybersecurity risks and coordinate a consistent approach. Make it easy for the business and hold them accountable. 5. Hire Process Optimisation Specialists” Have people on the team with experience and certifications in quality, project or program management, process optimisation, and service delivery. 6. Build Key Relationships” Develop trust and influence with key players such as owners of the” crown jewels,” middle management, and outsourced service providers. 7. Think Out-of-the-Box for Future Talent” Given the lack of readily available expertise, developing talent is the only true long-term solution for most organisations. Valuable backgrounds can include software development, business analysis, financial management, military intelligence, law, data privacy, data science, and complex statistical analysis. Art Coviello, Executive Vice President, EMC, Executive Chairman, RSA, The Security Division of EMC said:” For this transformation to be successful security must be seen as a shared responsibility that requires active partnerships to manage the inherent risks to the business in the ever-evolving threat landscape. It is imperative that organisations can develop a security team with the right expertise needed to get the job done.” Bob Rodger, Group Head of Infrastructure Security, HSBC Holdings also commented:” The core security team’s expertise should be primarily focused on delivering consulting, providing direction, driving strategy, identifying and explaining risks to the business, understanding threats, and moving the organisation forward” not be encumbered by the day-to-day routine operational activities.”
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.