Talk of so-called "sea change developments" and "paradigm shifts" has long been rife among the IT media and the web's wider technology commentary channels.

Right now we're all talking about cloud, mobile empowerment (let's not forget the Bring Your Own Device tagline here) and virtualized computing resources as we re-align many of the mechanics that drive our collective IT resources. But does all this talk of "new compute models" leave us at risk of forgetting other large-scale departmental changes, which still have to be brought to bear by the CIO?

I'm simply talking about security here.

The CIO is now also being joined by a CISO (Chief Information Security Officer), although in many cases this turns out to be one and the same person. The CIO's security remit now must encompass absolutely all of the people, processes and technology that impact the day-to-day running of the business and this is no small matter.

What needs protection?

Well, if you want a shopping list of assets that need protecting, it's not just applications and the data that resides within them - it's also financial monetary assets, data pertaining to customers, the Intellectual Property and "business goodwill" that exists inside the firm and the overall brand and image that is presented to the market.

But risk averse CIOs come in different shapes and sizes.

On the one hand there is the more passive "protect and respond" type who will read the news and the threat reports and act as best they can to remediate security breaches and take action against new dangers as they crop up.

Then there is the more progressive "serve and protect" type who sees it as his or her responsibility to shake up the boardroom into action and champion the cause of breach preparedness and total security maturity across the business.

While perhaps too many CIOs (and CISOs) will find themselves falling into the former more passive category due to budget constraints and day-to-day management responsibilities, there is a very real need for CIOs to make the "critical shift" to the latter of our two character types and take on a role that assertively embraces holistic risk management from every user endpoint to every server switch.

It's wake up time.

As information security now becomes a regularly tabled boardroom topic of discussion, we are almost seeing a new role for the CISO to step into the shoes already worn by the CFO in the seventies (when the accountancy function came forward to play a senior role in the boardroom) and the CIO in the eighties and nineties (when the "IT guy" started to appear at the Annual General Meeting in jeans and talk about employee connectivity) - it's a potentially painful "critical shift"... but it absolutely has to happen.

In a white paper report released last year, HP suggested that enterprise organizations have been under security attacks for the past decade, but the security events in 2011 have created a ripple effect that will be felt for years to come and will actually start to shift the way enterprise organizations view security.

According to the 2011 top cyber security risks report, "The year 2011 saw a significant increase in activity from hacktivist groups Anonymous and Lulz Security (LulzSec). The motivation for these groups' organized, systematic attacks on businesses or individuals - retaliation for perceived wrongdoing - brings new visibility to a security threat that has been looming for years and highlights a new era of security risk that must be addressed."

Prioritize protection policies and processes.

The threats are very real, but we also know that simply unplugging the business from the Internet is not a viable security option. As we now look to minimizing risk to the most critical assets of the business without interrupting or impeding business operations we will need to prioritize our protection policies and processes.

There are critical shifts afoot; this might hurt - a bit!

This post was first published on the Enterprise CIO Forum.