By Rick Blum, INS

Remember the good ol’ days of security—back when knowing the latest virus’s footprint or how to configure a firewall would vault you to the top of the most valuable list? Ah yes, those were the days when security professionals could simply concentrate on identifying faulty code and leave the business to others.

Well, it’s time to wake up. Sure, there is plenty of room for techies on today’s IT security team—in fact, more need than ever. But, security is no longer just a sport for techies. Now the most effective lineups boast players with financial acumen and people skills—at least according to a recent survey conducted by INS.

The survey of 84 security professionals asked a number of questions about the state of security today. And there’s a lot of good news to report. Nine out of 10 organizations place security among their top priorities, with 29 percent listing it as numero uno. Further, more than three-quarters of survey respondents are satisfied with their IT organization’s security capabilities and an even higher number (85 percent) are satisfied with the products available to improve those capabilities. Unfortunately, those products can come at a steep price—which is where financial acumen comes in.

Security products are constantly evolving to meet the ever-changing array of threats that are conjured up daily by the mischievous as well as nefarious. They also have to constantly add functionality to comply with new government mandates as well as meet simple business imperatives, such as not making the nightly news by losing sensitive customer data. All this churn comes at a price. And that price erects barriers to improving information security capabilities. In fact, 57 percent of survey respondents say that the cost of products and tools is too high. Additionally, 54 percent say that justifying the cost to upper management when compared to the potential benefits is a significant barrier to improving security.

Does this mean that security professionals need to get MBAs in order to move ahead? Maybe it does. Certainly, there will always be a need for technical skills, but understanding how to build a business case that the CFO can read and say, “Now I get it,” is just as critical to boosting security. Unfortunately, demonstrating the value of security investments is among the toughest tasks IT can undertake. While that hot new Web service might have the potential to generate new revenues—and show a solid short-term return on that investment—security improvements are usually all about potential cost avoidance. In other words, if it works, no one will notice. Yet, not making the investment might sink the business. It’s up to you to prove the danger, and the cost of the remedy. For this you’ll need numbers—cost numbers and potential cost numbers. Time to get familiar with some new acronyms like NPV and IRR.

If the cost of improving security is the top barrier in today’s environment, then end-user laxity is the top issue. Nearly one-third of survey respondents say that the issue that causes them the most concern about potential security breaches is simply that end users are inadequately trained on proper security procedures, or are just unconcerned about the consequences of their actions. Neither of these situations can be cured by security products with more cryptographic code.

Security professionals have recognized for a number of years the importance of creating comprehensive security policies and procedures, and generally have done a good job of documenting them once created. Where they often fall down, though, is getting the people who are on the front lines to actually read and follow them. Simple dictums and other one-way efforts are likely to be ineffective.

Putting together a highly effective program that will educate users on proper security procedures—and create the types of incentives that will instill those procedures into everyday activities—requires knowledge of both educational theory and psychology. Plastering posters around the workplace won’t stop the writing of passwords on sticky notes left in plain view, nor will they be adequate reminders when that person on the other end of the phone line just really, really needs a record of his transactions last month. Enabling employees to recognize potential security holes requires lots of hands-on training and constant reinforcement. Not the favorite activity of your typical security savant.

So the bottom line is that building information security is not much different than most other business activities. Its value to the organization must be proven in order to be funded, and wishing for cooperation is no substitute for active programs. The truth is, nerdiness is no longer the only characteristic looked for in a security MVP candidate. The security stars of tomorrow are going to be equipped with a financial calculator and a copy of Psychology Today—as well as a can of Red Bull, just in case.

Rick Blum is senior manager of strategic marketing at INS, a global provider of business-driven information technology consulting and software solutions based in Santa Clara, California.