Over the next few years, the main role of chief information security officers will be to communicate security risks and threats to business managers and infrastructure teams, according to a recent report from Cambridge, Mass.-based Forrester Research.
But a failure to keep IT in the security equation could result in operations teams eventually "setting [technology] policy and creating their own [technology] standards," the report says.
Increasingly, security professionals will need to be able to deliver "on-demand, business-driven security services" throughout the enterprise, says Christofer Hoff, director of enterprise security services at Western Corporate Federal Credit Union.
"The ability to perform proactively and also respond in real time to threats, to measure risk, defend and recover from attacks, and gain a solid foothold on business impact is paramount," he says. "Leveraging technology to simplify and consolidate information into actionable intelligence is critical."
Such a security manager will need to be functionally on par with or even above those in the organization -- such as the CIO -- who might oppose him, says Dennis Treece, director of corporate security at the Massachusetts Port Authority.
This will allow the security organization to perform more efficiently while also enabling it to compete better with other functions for money and influence, he says.
"You need a security leader who works for the CEO and who acts as the policy wonk, budget overseer, training overseer and performance overseer," Treece says.
At a very high level, such a manager's role would be to identify root causes of risk for business process owners to fix, says Robert Garigue, CISO at Bank of Montreal. At the same time, it's also important to preserve the direct responsibility line leaders have for the security of their own business units, he says.
"If you don't keep this link, then they will soon begin to consider security as an increased cost that will not cost them politically if it fails," Treece says.