Josh Corman retweeted Alan Mather who pointed me to an article on that bears the ominous title IT Departments Have Become Completely Useless. The article tries to make a point that in many (most?) organization, the CIO doesn't actually deal with much information.

And it makes a few excellent points.

Way back, when I was still in college to take courses for my undergraduate degree in "information management and technology", one of our best professors always pointed out that, while we often talk about Information Technology, we generally focus on 'T', whereas it probably should be on 'I'.

Technology is something that many of us are comfortable with, it is something we can touch, something we can control, and just as importantly, something we can hide behind. But, technology just an enabler; focusing on the 'information' part of information technology will allow you to think long-term and, hopefully, make better decisions.

Fast-forward to the information security world. We do so much the same; how many of us focus on securing technology, rather than on focusing on protecting the organization for which we work? How many of us choose to hide behind firewalls, intrusion prevention systems, SIEM's, NAC devices, etc., while we should be out in the organization interacting with decision makers and operational staff alike?

While it has been repeated so many times in the past, we have to remember that information security consists of equal parts of technology, people and processes.

And don't get me started on the role of the security professional in organizational innovation. We must stop being roadblocks, and act more as innovation facilitators.

The article linked above is a good reminder of that.