Shift happens. How to deal with the consequences?
Attendees at Forrester’s 2009 Security Forum in San Diego, CA, September 10 to 11, gained many insights into how to deal with
and address the three main shifts: in expectations (budgets, staffing,
responsibilities), ownership (tech populism/consumerization, cloud), and
architecture (building a security foundation, compliance). We heard what CISOs
and security professionals are being tasked with and what concerns are top
of mind for them. Here’s a summary of what security vendors, consultants, and service
providers need to know about their customers:

  • Addressing the shift in ownership is the most important.
    CISOs will need to solve ownership challenges or else
    risk being marginalized or replaced.  CISOs must address consumerization
    and mobility head-on, as businesses will increasingly embrace both. Security
    can no longer be seen simply as a documenter of concerns, but must become a
    problem solver. You must show how your solutions and services help these CISOs
    embrace these trends and deliver value to business stakeholders – who are
    exerting greater influence over security strategy, project prioritization, and
    product selection.
  • Business justification is a must.
    It’s not just about security anymore. Product vendors, consultants, and managed
    security service providers need to be able to present a clear business case to
    CISOs, and be prepared to discuss value proposition with a host of other
    stakeholders in the organization – line-of-business managers, legal, HR and
    others. This is not about finding an ROI argument. Partner with and help CISOs
    tie their security initiatives to business needs for internal stakeholders, and
    give them the tools to sell your offerings internally.
  • Cloud services can bring opportunity, but it’s no magic bullet.
    There is still more hype than reality at the
    enterprise level. It’s not enough for CISOs to assess what your – the security
    vendor’s – current cloud strategy is; they need to understand what your future
    plans are, and what you will be capable of doing for their industry. Security
    product vendors are focusing too much on putting their offerings in the cloud,
    but few if any are providing solutions to the issues of securing cloud
    computing services in general, and scant few are providing any solutions to help
    protect organizations in cloud-enabling their IT infrastructure and
    applications.

What do you think? And are there
trends and demands from your security customers that you see that aren’t
mentioned here?

For more color and to follow what analysts and
attendees on Twitter had to say, check out #FSF09.

– Heidi Shey and Jonathan Penn