The responsibilities of information security are rapidly changing as enterprises digitize. Technology now enables business strategy and is transforming product, channels, and operations. In this new context, information security is expected to take a strategic role by helping business leaders understand the security implications of their digital strategies; support a quicker pace of technology exploitation and experimentation; and govern a larger, more varied project portfolio.
Digitization has spurred three company-wide shifts, creating the need for three associated new information security roles.
Shift 1: Strategy over governance
Information security plays an increasingly large role in advising business partners on strategy. A key driver is the growing difficulty of executing digital strategies securely. Technology enablement of product, channel, and operations introduces new potential vulnerabilities that can only be spotted by information security’s keen eye. More business leaders are recognizing security’s centrality; in fact, CEB data shows that 81 percent of boards of directors review information security matters in most or every meeting (disclosure: I work for CEB).
New role: Strategic consultant
These developments require information security to seek out professionals with skills like communication and business acumen, and to develop employee knowledge that extends beyond risk management. To address this need, the role of strategic consultant is becoming more popular. A strategic consultant provides guidance on the entire ecosystem of information, systems, security, threats, and business trends to business and IT leaders. At some companies, strategic consultants may also advise on R&D initiatives and evaluate new security ventures and products.
Successful strategic consultants have a deep understanding of the company’s business model and industry knowledge along with typical consulting skills such as problem analysis and communications.
Shift 2: Customer-centricity
Security concerns are starting to shape customer preferences as outcomes from cybersecurity attacks become more destructive. Product features like network connectivity have enabled scenarios such as remote car hacking, a home security system takeover, and pacemaker manipulation. This means information security must ensure that security controls meet customer risk appetite, usability needs and regulatory requirements, while reducing the risk of costly breaches.
New role: Product security specialist/manager
To ensure the connection between security and customer preferences, more teams are using product security specialists/managers. Those in this role support product teams in the R&D phase by designing security capabilities in customer-facing products and services. This role is most common in the consumer-product sector, but in other industries individuals in this role might be responsible for designing capabilities for internal users or maintaining security for operational technology.
Successful individuals in this role often have a background in market research, project management and development, or finance, but also have traditional security skills such as risk management and advanced threat monitoring and detection.
Shift 3: Continuous solutions delivery
To take advantage of new technologies faster, organizations are scaling continuous solutions delivery and delivering minimally viable products. Advances in APIs, microservices, containers, and other technologies provide corporate application development teams new tools and capabilities to scale and speed development. Rather than creating applications from scratch, these technologies allow developers to construct applications using building blocks that provide critical functionality.
New role: Dedicated application developers
Information security can support the goal of moving faster by automating security governance. A dedicated applications developer makes good security the fastest and easiest option for project teams by automating adherence to security policies and guidelines using patterns loaded directly into environment builds. This is done by building secure code, APIs, and security features into the container.
Individuals in this role often have a blend of security and core application developer skills, as well as experience developing APIs and microservices. Collaborating with groups like infrastructure, EA, and applications to design and test build environments calls for individuals who are effective at working in teams. The dedicated applications developer role can be a good stretch opportunity for application developers looking to add new skills and responsibilities.
Information security functions are starting to see their portfolio grow larger and more varied. To ensure that companies are able to find the talent they need, it’s critical to understand the changes in the business and threat environments that are happening due to digitization and the associated impact they are having on security.
Daria Kirilenko, IT research consultant at CEB, also contributed to this article.