Given that security breaches and intrusions continue to be reported daily across organizations of every size, is information security really effective? Given the rapid evolution of new technologies and uses, does the information security group even need to exist?

Obviously, this is a somewhat rhetorical question. I cannot imagine that any sizeable organization would operate well without an information security function. The real issue is whether the information security group should continue to exist as it does today, with its traditional mission and vision.

As information security professionals, we should be asking ourselves pointed questions if we wish to remain valuable and relevant to our organizations. Why do we exist? What should our role be? How are new consumer technologies shaping what we do—and can we shape the world of the consumer? How is the evolving threat landscape shaping us—and can we shape the threat landscape? Given the bewildering pace at which technology changes and new threats appear, how do we focus and prioritize our workload? What skills do we need?

Traditionally, information security groups within businesses and other organizations have taken a relatively narrow view of security risks, which resulted in a correspondingly narrow charter. We focused on specific types of threats, such as malware. To combat these threats, we applied technical security controls. To prevent attacks from reaching business applications and employees’ PCs, we fortified the network perimeter using firewalls and intrusion detection software. To prevent unauthorized entry to data centers, we installed physical access control systems. Overall, our thinking revolved around how to lock down information assets to minimize security risks.