I was just reading an article about I.T. spending called “Credibility Problem” from Information Week that mentioned security as the number one spending priority in a survey of I.T. executives. The article goes on to call out the discrepancies of priorities among I.T. executives and business line leaders for major projects, and the negative repercussions of what this may bring. So much focus has been put on aligning I.T. with business, that it is surprising that what is being projected doesn’t match what the business wants. In the article, the top priorities identified in the survey (security, virtualization, infrastructure, storage) are referred to as “blocking and tackling”, and I have to agree. Everybody should be doing those things, but that doesn’t mean they aren’t important. Instead, those priorities should be delivered as part of what IS wanted by the business line leaders.
The top business priorities called out in the survey (social networking, I.T. service initiative, mobile apps, collaboration, mobile device management) are perfect opportunities to deliver services to the business, with enhanced security, greater virtualization, and upgraded infrastructure and storage. Being opportunistic with projects isn’t something that should only be exercised during rough economic times, but something that should be ingrained in the culture and built into projects.
Security should definitely not be an afterthought with new technologies, but built in. Security practitioners should not be a blocker for any project or new technology, but instead the trusted advisor who helps you understand the true risk and the ramifications of the business and technology decisions.
If you’re just getting a “report” or “tool output” from your security practitioners, be warned: you aren’t getting what you need. Those deliverables are part of what true security is built on, but you also need business-oriented technical professionals who act as trusted advisors.
