Why flexibility tops list of must-have information security skills

Modern companies have to constantly be prepared for and protect against potential information breaches. As data protection lapses have evolved into a major threat to businesses' operations and bottom lines, information security professionals have become the drivers of cybersecurity strategy efforts as companies strive to protect their assets.

In a series of video interviews from the ISSA International Conference in Orlando in October, SearchCompliance editor Ben Cole discussed modern cybersecurity strategy with speakers, ISSA members and attendees. Here, information security consultant J. Michael Butler discusses how information security skills must evolve as data protection becomes a top business priority.

What cybersecurity threats should be on companies' radars right now?

J. Michael Butler: All of them. What I usually tell people is that I'm most concerned about the threats I don't know about. We see a lot of things coming in our AV software, we get indications of particular types of threats. We can go look for that, we can go investigate that, but what I'm concerned about is when there might be something out there that we have no clue is there. The general wisdom is to always assume you've been acquired by someone, somewhere, so I'm concerned about finding that is true.


Are there any universal cybersecurity strategies that have proven effective, or is it more important to stay flexible to adapt to evolving threats?

Butler: Both. All of the tools are important, but more important than the tools is having the appropriate personnel that know how to use the tools. You certainly want to use everything to your advantage to track what might be happening in your systems. At the same time, you have to remain flexible because the technology is so flexible. You don't have a choice.

As these threats and the tools to combat them evolve, how must information security skills evolve? Does this change information security professionals' roles in their organizations?

Butler: I don't know if it has changed it so much as people are getting a better idea of what that role really means. When I started training in forensics, which is my specialty, it was several years before there was an incident that caused the legal department to find out I could do what I could do. Then I became more active and they have kept me busy ever since. I think that may be typical in any area of security. Once we develop the skills and see what it can do for us, we can get the right people behind it that have the right skills to support the tools and the systems. Then, we can actually get back the data that is going to help us ward off the threats.

How do companies balance numerous compliance requirements with cybersecurity and data security efforts?

Butler: It's going to depend on the company. It depends on what your product is; it depends on what your organization is trying to do as to what tool is going to be best, what method. That really morphs depending on the organization you are in, the kind of data you have and how you are trying to protect it.

How have professionals' information security skills or roles changed in the last several years, and how can companies educate and train them to make sure they are prepared?

Butler: I think the role has changed in that we are becoming more important to the organization. I see security roles expanding, I see more and more people involved in security as different organizations find out how important security is. That's a big part of it: How you stay fresh and approach your task and do what you need to do. That requires a lot of training, a lot of webinars, whatever it takes to keep up with current trends, with the changes in technology, to address the new threats.

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.


How has the information security professional's role at your organization changed due to increased and expanded data threats?
I don’t know that their role has changed so much as they have received more backing and have a stronger presence with the department. Whereas previously our security team was part of a larger group within IT, they now report directly to the CISO, so they have more backing and a larger voice within the organization, even though their roles remain relatively unchanged.
I've heard that a lot in recent years: Companies are starting to realize how important data security is to business operations, so CISOs and other security personnel have become much more involved in business decisions. As companies have seen that information has become a huge business asset with many vulnerabilities, security has started being "baked in" to more processes during the development stage. 
This is a no-brainer. Sometimes you wonder why a news story even showed up on your TV. This is one of those items. IT and infosecurity are the way of the future. Especially as we are connected 24/7 everywhere we go. If you don't think BYOD is the future, then the need for infosec could be less. But people want their access, their devices, their speed and their convenience. That's only going to happen with the guidance of info security personnel.
That's nice. The problem is that we don't have enough security professionals as it is, and they're not making them fast enough.
It is a no-brainer that companies should be more reliant on info security pros because of BYOD/increased connectivity - but as Sharon said there is a shortage of good ones and this could only get worse as threats persist. Even experienced infosec professionals will also have to constantly seek training and education as threats continue to evolve.
All IT professionals need to constantly seek education and training if they are to remain relevant. I think the bigger issue is, as Sharon and Ben point out, that the number of qualified security professionals, which is too small to satisfy current demand, cannot be grown fast enough to support expected growth. To realistically address that issue, there needs to be a paradigm shift from the current way the role is currently implemented to something a bit less specialized and more agile.