
ISD Conference ‘04: Security from the inside out

“‘Companies must think of security as a business process and not place too much responsibility on their chief security officers and consultants,’ the author of two best-selling CISSP books said at the Information Security Decisions conference Wednesday.

‘There’s too much reliance on consulting companies to do the work for you,’ said Shon Harris, CEO of Logical Security. ‘A better approach is to make everyone in your business a little more educated on security. [Logical Security's] goal is to help companies identify where they are at, what their goals are and then get them to help themselves. Companies must understand security in their own house.’

Harris, contributing author of the book Hacker’s Challenge, said many companies are setting themselves up for trouble in the future because they have:

Defined policies but no security program;
A security program with no real structure;
A security program with only certain pieces structured;
A structured security program with no support from the business units; and/or
A structured security program that is hampered by cultural resistance.

‘We expect one person to integrate security into the entire business plan,’ Harris said. ‘We don’t have information for business-oriented people; no road map. We’re asking them to do things they don’t understand. We need to grow up now. Information security is no longer a black art. It’s integrated into business now and isn’t going away.’”
