IT Week: As head of information security in northern Europe for professional services firm Ernst & Young, how do you rate the importance of human
factors in IT security?

Seamus Reilly: They are extremely important, but many IT people are not very good at impressing on business users how important security is. They need to be able to talk in the language of business to get this message across. For example, they need to be able to clearly explain to users when it is appropriate to use encryption. Firms’ policies should be easy to comply with; staff will not abide by a policy if compliance is too onerous. Also, there is no use having policies if you don’t give your people the tools they need to follow them.

Biometrics have long been touted as the answer to identity and access management problems, but to what extent are firms deploying these technologies?
Many firms have had technical trials, but few have launched full-scale rollouts. Sarbanes-Oxley was a massive driver for the improvement of controls in IT. A lot of firms came up with a tactical solution to meet regulatory requirements and now they are stepping back and looking strategically at security, seeing what they need to meet efficiency demands. The jury is still out on identity and access management. It’s a challenge for our clients to work out what to do in the identity space. People should look at the key things they need to achieve.

Do you think physical and network security is finally converging, despite the silos in many organisations?
Some of our clients are looking to bring them together. There is often a disconnect between the two that some organisations are overcoming, but there are cultural issues too. Another key issue is contract staff. Most organisations have a centralised HR database, but what about the temporary contractors? What access rights should they be granted?

How have your e-commerce customers minimised their exposure to fraud?
Online fraud is still at a relatively low level, despite the publicity it attracts. Any organisation that carries out online transactions should be looking at what can be done to prevent fraud in the first place.

A recent Forrester Research report suggested the role of the chief information officer (CIO) would eventually split to produce IT general managers and business-change agents. Do you agree?
Businesses’ priorities are always changing. One year a company might want a strategic CIO to get it into new markets, while the following year it might want to concentrate on service delivery. Organisations want different chiefs at different times, and smart CIOs will recognise that and sell themselves accordingly. Both types of CIO must engage with the business. We are finding business people from a non-technical background taking on the role, but we are still not seeing CIOs become CEOs – it’s a hard move to make because they’re still regarded as IT people.

What are the career prospects for IT security professionals?
There will always be demand for people who focus exclusively on security work. Higher up the executive ladder will be those security specialists who can demonstrate an ability to deal with new business challenges. There is also a need for professionals who can act as a bridge between the security specialists and the business-change agents.