Since the personal computer appeared in businesses in the early 1980s, the information security industry has evolved through two phases, and now it is moving into the third phase. The first phase of security was typified by dumb terminals, batch processing and centralized planning of applications and IT. Security was maintained by dictating what users could do, and computing power and data were controlled by the IT department. The second phase of security fell behind user-driven IT trends and resulted in hackers and cyber criminals successfully exploiting technology vulnerabilities to impact the business, and then security leaders had to react to each new threat by applying a point product to shield the vulnerability from attacks.

As the security industry moves to this third phase in its evolution, security leaders will be building security into each new wave of technology when it enters the business, as well as into each new business process. Going back to the first phase of security is not an option - increased consumerization of IT, increased mobility and new trends such as Web 2.0 mean users will gain more control, not less, at the most successful businesses, said John Pescatore, vice president and distinguished analyst at Gartner. This next phase of security is about building security in as the users' needs move forward, not chasing them.

Most businesses have approached regulatory compliance with reactive and one-off implementations. More mature organizations have already moved to a more proactive and coordinated implementation to reduce the cost of compliance. This third phase of security focuses on protecting customer and business data first and then implementing automated processes and integrated compliance efforts to demonstrate how those security controls satisfy compliance requirements, Pescatore said.

Laying the foundation for an integrated compliance and operational risk architecture is key for mature information security organizations.
This architecture will enable the elimination of some compliance process controls because equivalent system controls will be inherent in the evolving architecture. Before spending a lot on compliance technology, companies should first use a risk assessment to identify which are their key controls and standardize those controls across the business, Pescatore said. Those key controls are where to focus technology investment.

During this third phase of security, the goal for IT leaders is to keep up with the pace of business while reducing the overall cost of security to the business. IT leaders must have security standards and architectures, so that all new business systems can implement critical security controls and integrate into critical security processes. Companies should manage the selection of IT and IT security vendors to focus on the most effective solutions, not the best of breed on a single product basis, but not on a single vendor either, Pescatore said. Choose the best security platforms, while maintaining a separate security control panel to allow fast reaction to new threats.

Source: www.dmreview.com