The once arcane world of security is changing fast, as businesses seek systems that can meet the challenges of operating in an increasingly connected and collaborative landscape where old organisational boundaries no longer apply.
Security professionals are having to become more adept, not only at understanding the needs of their users and the diverse range of tools, services and techniques available, but also at explaining security options and risks in a language the business can understand.
Christine Ashton, group strategy director at Transport for London (TfL), believes security is changing. “Not long ago, it was mainly about firewalls, anti-virus and low-level stuff. Now the business wants to know things such as how long they should be keeping their emails, whether it is safe for employees to leave BlackBerrys unattended, and so on,” she says.
Ashton is looking for security people to up their game. She does not want professionals who are experts in a particular area, she needs staff who are familiar with policy and how to communicate requirements to senior managers.
“What options do we have? What is the minimum we need to do? Answering those questions requires a different set of skills. It is the difference between being an average guitar player and Eric Clapton,” says Ashton.
“It is not good enough any more to throw a standard on the table and tell the business we have to implement it. Managers need people to interpret these policies in context and present them with options. That requires skills such as consultancy, relationship management and analysis. There is also a need for good project management, because security is often about wide-ranging programmes that encompass a host of things.”
Many IT leaders share Ashton’s sentiments, according to Paul Simmonds, chief information security officer (CISO) of ICI and a board member of user group the Jericho Forum.
“Obviously, you still need point skills, but the real skills will be around translating the business requirements into a security architecture that meets business needs, rather than saying, ‘put a firewall around it’. Managers want to know what is going to give them the best bang for their buck, what options they have and what the risks are of each,” he says.
“Effectively, security professionals need to become internal salesmen for the security function. There is a huge need for those selling skills because you cannot use any technical terms with most users. Security professionals will need to have the ability to develop appropriate analogies, demonstrations or other techniques to explain a very complex subject area.”
Simmonds says that only the top-flight chief security officers have appropriate selling skills at the moment, but there is a need for such specialisms to permeate lower levels.
Problems are not just confined to business skills. Another issue is that in the wake of the terrorist threat of recent years, many organisations implemented fairly draconian security procedures that some now find overly restrictive. If policies are too difficult for users to follow, they are more likely to subvert them.
“We need to return to some of the usability issues that were put aside for a while after 9/11 and 7/7,” says TfL’s Ashton. “On one level, that is about being more customer-centric, standing in the user’s shoes and asking what they are trying to do and how you can help them. And that applies to both internal business users and external customers – in our case, the travelling public.”
Next week, ICI’s Simmonds will be speaking at the Infosecurity Europe conference in London (22-24 April) on the security issues surrounding social networking.
He believes the trends towards remote and collaborative working are key drivers of organisations’ changing security skills requirements.
“I think there are several related issues hitting IT departments,” he says. “The first is deperimeterisation – the fact that your borders are, in effect, breaking down. Related to that is the shift to collaboration-oriented architectures. The business is asking us – or forcing us – to enable collaboration.
“And if you are going to do business in that environment, it brings a whole new range of security challenges. The problem at the moment is that no one is providing the skills. And there are a number of skills that will be needed. One is a change of mindset.”
Simmonds says the days of thinking you can just put a firewall around something are long gone. Most firms, he says, are drilling through your firewalls with a rich set of applications – and IT leaders first need to understand the wide range of alternative tools.
“One of the Jericho Forum’s ‘11 commandments’ is ‘understand the context you are developing for’,” says Simmonds.
“If an application works securely in one environment, that does not mean I can use it in a different context and still expect it to be secure. Too often people assume one size fits all, but that is simply not the case.”
TfL’s Ashton agrees that collaborative working has significant security skills implications. “The more we go into shared environments, managing who is on the system, what they are allowed to access and knowing what they are doing becomes ever more critical,” she says. “As a public organisation, we have to share information with all sorts of different bodies, so we need security process skills and the ability to understand the security implications of collaboration and social networking.”
Another area security professionals will need to understand is legal and regulatory compliance, whether industry-specific regulation such as Sarbanes-Oxley for financial firms operating in the US, or government regulation such as the Data Protection Act.
Chris Coulter, a partner at specialist technology law firm Morrison & Foerster, says the Information Commissioner is increasingly pointing to specific technical measures businesses should have in place.
“IT departments will need to be able to monitor the Commissioner’s pronouncements and implement adequate technological solutions to meet these requirements,” he says.