The information security profession should use the governance regulations as an opportunity to gain influence in the boardroom, says John Colley.
The end of last year saw a flurry of regulations in the corporate governance arena in Europe, with Germany, the Netherlands and the UK all announcing initiatives in December.
The European trend follows the US Sarbanes-Oxley Act of July 2002, a speedy response to the infamous corporate scandals of recent times. This comes on top of existing codes of practice and Basel 2 regulations which cover Europe's financial services industries, and will take effect in January 2006.
I would argue that this trend represents an unprecedented opportunity for the information security profession to gain the influence for which it has been fighting for a long time.
In complying with the governance regulations, we can expect management boards to review many processes within their organisations as they become directly responsible for the validity of the information on which they base their decisions.
However, if the information security profession is going to play a crucial role in business, it has some maturing to do. We have been the nay-sayer for too long. We have not made sufficient effort to position ourselves as business enablers. We say, "Security isn't about technology, it's about business." However, our attempts to justify expenditure, even when dressed in risk management terms, all too often tie to technology-motivated objectives.
Most of us are cocooned within IT departments which do not allow for the scope of influence that is required. Very few of us have achieved senior appointments or support for management-driven policy.
Of most concern is that we are hampered by our own inability to assess and communicate our real value: for example, in addressing organisational issues to reduce cost as well as vulnerability, or in enhancing rather than controlling the product development process or external relationships.
To meet this mandate, firms and individuals should re-assess their training agenda. The argument goes beyond ticking the governance-compliance box.
A new emphasis is on broad-based objectives, such as developing policy and standards, having a solid understanding of best practice and the global perspective to meet an organisation's objectives. This is a departure from the supplier-driven training programmes that have dominated the market to date.
Such change is essential, not just for IT and security professionals, but for business in general. Unless the profession reaches the point where it gains the influence it needs, the governance risk will remain wide open.
John Colley is the new president at the International Information Systems Security Certification Consortium