Security has to evolve into something that supports business, rather than the other way around, according to Lisa R. Young, senior member of the technical staff at Carnegie Mellon University's Computer Emergency Response Team.

Security has gotten a bad rap in today's enterprises, said Young, in Stockholm to speak at the European Computer Audit, Control and Security Conference.

The tendency is to want to start locking things down, so security is something that disables, not enables, business, according to Young.

It's still an area where boxes and technology rule, she said.

"Solving your security problems by buying another box is just wishful thinking. But security is bigger than that," Young said.

"As security managers it's up to us to elevate the profession, and include both people, processes, not just technology," she said.

Today, security processes are often not mapped to business processes

"People just haven't thought of security as a discipline that can be measured, managed and mapped. It's a new way of looking at it," Young said.

Security requirements have to spring from business-process needs, she stressed. "Requirements should be driven by owners of business processes, not the caretakers of technology," Young said.

For companies that learn to evolve, rewards are plentiful.

To simplify efforts to make changes to security strategy, Young's development team at CERT has developed the Resiliency Engineering Framework (REF), which was launched last year.

It doesn't compete with other frameworks, such as ITIL. REF identifies enterprisewide processes for managing operational resiliency -- including everything from training to compliance management -- and provides a structure from which an organization can start to improve.

"You can reduce cost, eliminate duplicate efforts and improve compliance efforts, for example," Young said.

The IDG News Service is a Network World affiliate.