My view is that IT and information security is a business enabler, writes Peter Wenham. However this seems not to be a generally held view, but why would this be so?
In my view the information security professional in a company is not getting this message across to those that matter, partly because those individuals are not seen as professionals in the way accountants or lawyers are; and partly because those in the infosec role are not able to effectively communicate with the board and senior management. This line of thinking leads to infosec being treated as a secondary issue and not staffed as a full-time function or even defined as a unique role. It would help a great deal if infosec were covered in management training in the first place.
The main challenge facing the infosec industry is the real or perceived lack of professionalism. While there have been infosec certification schemes around for quite a while, none has caught the public’s eye in the way that qualifications held by doctors, lawyers and accountants have. A fresh approach is now being taken to professionalise the infosec industry and this is being promoted by the UK government via the CESG certification scheme for information assurance (IA)) professionals. BCS is one of three groups who will operate this scheme on behalf of CESG, which promises to put the infosec profession on a par with other professional groups.
The bottom line for the infosec professional in this increasingly connected world is to ensure that sensitive or confidential data/information is not leaked. Should the unimaginable happen, the infosec professional should be able to undertake swift damage control. The infosec professional must be able to understand and articulate the threats, vulnerabilities and risks to senior managers and their board in a business-understandable way and its corollary, to be able to identify practical cost-effective infosec measures.
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
This was first published in December 2012