Don't trust security to techies alone, Gartner says

Published: September 16, 2005, 7:40 AM PDT

By Will Sturgeon
Special to CNET News.com

Businesses should no longer let techies dictate how a company secures itself, analyst firm Gartner said this week.

Jay Heiser, a Gartner vice president, said the fundamental problem with a purely technical approach is that IT security professionals have no understanding of business. Speaking at this week's Gartner IT Security Summit in London, Heiser said businesses must now mature and appoint individuals who understand the complexities of business, rather than the simplicities of security.

A "risk management officer" is now more critical than the traditional security professional whose job is either a part-time distraction from network management, or to "scare money out of the CIO" or block projects that could have been beneficial to the organization, Heiser said.

"You can take somebody straight out of college and they can manage your firewall," he added, urging businesses to get on with the more important task of understanding their risks and their priorities.

One company that has adopted the approach of using business-focused managers in senior security-focused roles is insurance giant Zurich.

Stefan Vogt, head of group IT risk at Zurich, told attendees that his company has outsourced the commodity aspects of IT and security, such as firewall and user provisioning, in favor of concentrating on more strategic issues.

"We don't consider managing the firewall to be our day-to-day job. We don't have people doing that within our organization. We are now working on a strategic level," he said.

Google in SF: 'Wireless overlord'?

With these video games, sex sells

Giving the Web a fresh look

"It has gone away from being reactive to being proactive and looking to see what might go on," added Vogt, who said policy now tops his list of priorities, while the firewall is at the very bottom.

Adopting this approach has contributed to cutting annual IT spending at Zurich from nearly $2 billion to "closer to $1 billion," Vogt said.

By recognizing risk early, rather than fighting threats reactively, Heiser argues there is also a large return on investment.

Companies that spend excessively on securing the perimeter, for example, may not have realize the greatest risk to their business is posed by the loss of intellectual property from within, as staff ferry portable devices in and out of the company unchecked, Heiser said.

"Stop being so technical and allow the business to become totally integrated with security," said Heiser, arguing that companies that continue to throw money at their IT department are living in "blissful ignorance" as far as the wisdom of their investment is concerned.

The ideal candidate for bridging this gulf, he said, will have communication skills and project management skills--probably with a business school background majoring in risk management.

Heiser added that there is little hope of technically minded individuals making the leap into this new middle ground from within the IT department without them also having a rare understanding of the bigger business picture.

Paul Proctor, a Gartner vice president, added that regulatory pressures have already gone some way to forcing this change as companies realize the IT department, though involved in the process of compliance, is ill-equipped to understand the wider business ramifications.

Will Sturgeon of Silicon.com reported from London