(cross-posted from T2PA)
A common challenge as an infosec professional is the legacy association of the field with information technology (IT). This challenge can be quite detrimental to the enterprise, as an acute focus on technology will inevitably overlook critical issues (and I don't just mean policies!).
This year may provide the perfect opportunity to demonstrate this perspective. As budgets continue to tighten, it should quickly become obvious that "security" is far more than just an IT matter. If your organization takes a serious, deep look at all security responsibilities—arguably including risk management and assessment, policy, compliance, training and awareness, contract support, maybe litigation support, and possibly even audit—then the conclusion must necessarily be to decouple the future of your security program from the future of IT personnel.
To understand what I'm talking about, let's digress for a moment. Traditionally, for better or for worse, "security" has been pigeonholed into an IT/operational role, often to the chagrin of security professionals who've been clamoring for strategic changes in the enterprise. To this day, many executives and senior managers equate security with firewalls, antivirus (AV), IDS, etc.; i.e. technical solutions. I submit that this "security" should henceforth be reclassified as just another component of IT operations, allowing true security professionals to focus on larger issues.
Case in point: it is irrelevant whether or not a firewall admin has a CISSP, because the CISSP does not add much deep value for a techie in a specialized role. Moreover, firewalls themselves really ought to just be lumped in with other network admin functions, managed through similar change control processes, with perhaps an additional layer of oversight from a security architect.
The point here is this: if you fully integrate operational security responsibilities with your existing IT operations, then you can redefine the focus of your security team, allowing them to have a more strategic outlook and level of influence.
This security team then becomes an integral part of your business management and enterprise architecture capability. In fact, you may even find that you can more easily move security out from the IT or COO structure to be either a separate C-level report, or possibly even place it under the General Counsel's office to help identify and manage risk and liability (*note: this is an intentional mixing of terms, reflecting a convergence that I believe must happen sooner rather than later amongst risk managers).
From a practical perspective, I'm asserting nothing less than a radical recasting of security. Removing the historical obligations to IT operations creates two key opportunities. First, it opens the door to streamline resources and processes for managing IT infrastructure. In this day and age, this could literally mean a two-for-one reduction in resources.
Second, recasting security in this manner—including positioning them as true risk managers—creates the opportunity for significant efficiency gains. These gains come from a de facto alignment with existing risk management directives, as well as by building on the existing authority of these risk managers to help influence—and, in fact, direct—strategic enterprise activities that directly apply to policy, compliance, and more effective risk resilience.
In the end, these difficult times should be looked to as an opportunity to reinvent our security programs. Instead of continuing the losing battle with security bound to IT, we instead have an opportunity to spin off and integrate operational security responsibilities, realigning resources in a more efficient and effective configuration.