Security has to evolve into something that supports business, rather than the other way around, according to a senior member of the technical staff at Carnegie Mellon University's Computer Emergency Response Team (CERT).

Security has got a bad rap in today's enterprises, said Lisa Young. The tendency is to want to start locking things down. This way security has become something that disables, not enables, business, she added.

Young said this was still an area where boxes and technology ruled. "Solving your security problems by buying another box is just wishful thinking. But security is bigger than that," Young said. "As security managers it's up to us to elevate the profession, and include both people, processes, not just technology.

She added that IT managers hadn't thought of a way of incorporating security as part of the business process. "People just haven't thought of security as a discipline that can be measured, managed and mapped. It's a new way of looking at it," Young said.

To simplify efforts to make changes to security strategy, Young's development team at CERT has developed the Resiliency Engineering Framework (REF), which was launched last year.

It doesn't compete with other frameworks, such as ITIL. REF identifies enterprise-wide processes for managing operational resiliency – including everything from training to compliance management – and provides a structure from which an organisation can start to improve.

"You can reduce cost, eliminate duplicate efforts and improve compliance efforts, for example," Young said.