Any CSO or CISO who is still grappling with firewalls, antivirus, perimeter defence, penetration testing, patching, IDS, IPS, configuration management or encryption needs to think again. All of these are the bread and butter of the infosecurity world, but they should just be the start for any security professional.
If we are to exceed the expectations of the organisations in which we work, we have to start operating on a higher plane. Put simply, we need to be leaders. We need to innovate – by, for example, broadening our use of technology, or by making our expertise available to more people. Only by doing this can we help not just to protect, but to grow the businesses we serve.
Information security is often listed as one of the top ten concerns of chief executives of some of the biggest organisations, but this never fails to surprise me.
Personally, I would rather that the chief executive concentrated on delivering results and shareholder value than on information security.
It is hard to escape the view that our business cases should live and die by their ability to cut costs, but cutting costs is not likely to set the world on fire. If we are to get our business leaders truly excited, we need to prove that our work can help grow their income.
There is still some way to go on this road. Security professionals may not be famed for their ability to innovate, but there's a lot we can do. As a first step, we need to look at how we can make it easier for our staff and, therefore, the organisations we support to do business. We should review policies and rules, while never losing sight of the end-user's point of view.
Take the technology used by our employees, for example. We operate in a world of mobile devices where our employees will probably make far more use of technology in their personal lives than in the office. Controls are all very well, but staff need to be able to fully harness the technological advances that are now commonplace.
Do we need to operate a nanny state, or can we trust employees to work in a secure fashion? By changing some of the basics, we can fundamentally improve the environment within which employees work.
So be proactive, be innovative, think out of the box and walk in your customer's shoes.
A word of caution. I am not suggesting that security professionals can give up the policeman role or stop responding to calls from the business. All of this is absolutely crucial to ensure continuity for our business.
But it is no longer enough.