Your mission? Explain the basics

If you have a desk job, there will almost certainly be a computer on that desk. And these days, how many executives don't have a laptop or blackberry for communicating while on the move?

In all this, infosec is left trying to play catch-up. We hear all the time how security architects only get involved at the last minute, and then present a large bill for a complex, "bolt-on" solution that was not budgeted for – the sort of solution that blows all your careful ROI calculations out of the water.

It's a vicious circle. As security professionals, we all know "bolt-on" security does not work as well, but we rarely get invited to participate at a project's inception.

When we are, we often come up with better solutions that also turn out to be cheaper and more secure.

Meanwhile, the goose that laid the golden egg is dying. Three-quarters of all email is now spam, and somewhere between five and ten per cent of email is malicious. What's more, the web is full of places I would not like my children to accidentally visit, and sites deliberately masquerade as banks with the aim of stealing your money.

It gets worse. The largest bot networks now have more processing power than the combined global top-200 supercomputers, and the internet, rather than making things better, has opened up new avenues for crime.

Today, it's normal for people to assume that if someone has not received an email, then "it probably got trapped in a spam filter". In short, the public are losing their trust in the internet.

Unfortunately, most unenlightened companies continue to believe the internet is safe and their intranet completely secure. We hear the horror stories of common mistakes being repeated over and over again in new systems – reliant on FTP to transfer critical information, using http rather than https when password entries are being made, and inter-business transactions that need to be secure and confidential being conducted over internet email. Those same businesses then wonder why they were infected by Sasser, or Zobot.

As information security professionals we hold our own future in our own hands. Yes, businesses need to understand the critical importance that infosec needs to play if their intranet and internet aspirations are to be delivered successfully. And yes, they need the vision and foresight to appoint an information security professional at CISO level to deliver on those aspirations.

However, we need to clearly explain to unenlightened businesses leaders why they need to create such a position in the first place, together with both the qualities and the qualifications that such a person should have.

And, more importantly, the ROI their company gains from creating such a position.