Security professionals are set to move beyond IT director control in future, as they take a more proactive approach in order to secure their organisations, according to a study from the Information Security Forum (ISF).

The ISF is an international organisation dedicated to benchmarking and best practices in information security. "This study is part of an ongoing set of deliverables looking at the management of security in organisations," explained Adrian Davis, ISF's senior research consultant and the report's author.

"At the end of last year, we looked at where security would be in five years' time. We held workgroup meetings around the world and backed up this up by questionnaires. We gathered a very large dataset to mine data from."

The ISF is currently in the process of producing the report's deliverables, and could not reveal a lot of detail. However Davies did talk to Techworld about the highlights of the report.

"The vision of information security going forward is that the degree of change is very significant," he said. "For example, currently, less than 3 out 10 information security professionals believe they are focused on delivering solutions to the business."

"In the future, we predict 6 or 7 out 10 will be focused on delivering solutions."

"This means that skills will need to change," he added. "How security interacts with business will change. Security professionals won't be reporting to the IT director. Currently 5 out of 10 report to the IT director. But less than a fifth will do so in future."

Davies points out that there is currently a large increase in information security professionals reporting to chief risk officers (CRO), chief security officers (CSO) and chief operation officers.

"These CRO and CSO are not IT people," he said. "They are typically the same level as the IT director. The IT security professional is moving away from IT, toward business and business support functions."

"This move away from the IT arena, is in part driven by Enterprise Risk Management, as well as the convergence of physical and information security, ie the merging of the guns and the guards, a one stop shop to protect your installation."

Davies feels that currently IT security professionals are focused on the protection of the organisation's information and to a certain extent, the organisation's reputation and brand.

"Going forward, they want to move towards being more strategic, more advisory, and providing assurance that the organisation is secure."

So how do security professionals achieve this? "Well there are many components to that," said Davies. "Looking ahead, security professionals need to look at what is likely to happen, rather than waiting for it to happen, what we call scanning the threat horizon and understanding what the threat impact could be. Second component, which is a management cliché, is embracing change. Better to be changing securely than being on the outside."

"Lastly, there needs to be a real understanding that a lot of these problems cannot be solved by technology alone," he said. "You need to deal with processes, people aspects, not just the bits and the bytes."