Thomas encourages security professionals to find opportunities to participate in the innovation process. “Innovation tends to happen in clusters. The extent to which you have people on that journey together really matters,” he says. “Security has done a good job of that historically.”
Two other opportunities for security professionals might be more of a challenge. The first is generating and contributing to data mastery and organization. “Lots of security practitioners tend to create their own data siloes, which contributes to lack of mastery of information and data that’s so critical with the types of challenges that we face,” says Thomas. “Security practitioners can very much contribute and engage here."
Second, shift focus to addressing root causes of security problems. “Poor management practice and technology management practices are the root cause of so many security vulnerabilities that organizations have,” says Thomas. “That can be addressed through better engineering and automation processes around updating, configuring, and controlling the environment.”
Thomas doesn’t see any company operating with fully, holistically integrated IT and security yet, although a number are on that path as they question some of the foundational assumptions they have about how they operate and organize their technology groups.
“It’s repeated events that change behavior,” says Thomas. “Most people throw technology at [security problems] for a while, and then something really bad still happens. That’s when they do a reassessment. That’s how some of the early movers in this space start to experiment with different ways in how they run and operate their technology operations.”
Sign up for CIO Asia eNewsletters.