Posted by Martin Zinaich on October 3, 2015.
I recently spoke at the IT Audit and Controls Conference in Florida. I was doing my normal cantankerous venting about how businesses do not get that Information Security is a business problem and not just an IT problem. In fact, one recent study found that 80% of the total value of the Fortune 500 now consists of intellectual property and other intangibles. I hope that I do not have to explain how that intersects with Information Security.
One of the innocuous checks I recommend to auditors is to see whether there is an Information Security Charter: a basic document defining the role, scope and authority under which an Information Security Office operates. While I was making the point, I paused and asked a room full of auditors from all over the country, “How many of your companies have an Information Security Charter?” As everyone looked around the room, one person raised a hand. I then asked, “How many of your companies have an Audit Charter?” Every single hand in the room went up. As everyone again looked around the room, a dusting of chuckles broke out. To which I responded, “Do I need to say any more? I’m done. Any questions?”
Of course, we went on to finish the presentation. Yet I could not shake that moment. I have asked that same pair of questions in most of my presentations on auditing Information Security, and the result is always the same, year after year. If Information Security “professionals” do not professionalize, I will continue to be able to do that.
Therefore, for my basic shtick to keep working, I hope we do not professionalize. However, I would happily give that up for my professional sanity.