Information Security News mailing list archives

Re: Failing security threatens FTSE100 firms


From: InfoSec News <isn () c4i org>
Date: Mon, 8 Sep 2003 00:18:04 -0500 (CDT)

Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Dear Associates,

There are two sides to this story. For a long, long time IT
professionals never put much stock in a piece of paper called a
certificate. However, in recent years a few of these certificate
vendors have strategically positioned themselves with governments and
the like. Justifiable or not, an affiliation (not a formal endorsement)
to a known organization will help a company gain enough credibility
to make millions of dollars without holding any accountability.

The other side of the story is the need to assure senior management
that your staff have a defined level of InfoSec competency. Since
universities are only beginning to jump on this, it will take two or
three years before the certificate landscape changes to degrees. Even
now some certification organizations are hustling to have their
certification accredited by a public body.

The downside is that, with all the focus being on certifications,
the real and tangible goals are being pushed to the back of the
InfoSec bus. Anyone with experience in IT Tech or IT Management can
tell you that staff credibility is only one element of a complex
solution in achieving asset security and being able to assure it.

Speaking of credibility, currently there is no link between
national, state and/or provincial InfoSec legislation and the people
that perform the work. Unlike lawyers, doctors and even bus drivers,
there is no requirement for someone practising InfoSec to be licensed.
However, it wouldn't surprise me if that changes in two or three years.

In closing, it would be interesting to see a survey conducted here in
North America, that is Canada & the USA, not just the USA, to see how
many hospitals, banks, insurance companies have certified personnel
doing InfoSec work. My guess is less than 2%, because the mentality
has always been to make do with what you have and that will never
change!


Regards, 

Mark.


----- Original Message ----- 
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Friday, September 05, 2003 4:06 AM
Subject: [ISN] Failing security threatens FTSE100 firms


http://silicon.com/news/500013/1/5876.html

Will Sturgeon
4 September 2003

Shareholders in some of the UK's most prestigious companies may be
horrified to hear that only 16 per cent of FTSE100 firms employ a
properly qualified, dedicated security specialist to safeguard their
systems from cyber attack.

These findings have caused one IT training organisation to hit out
at what it calls "boardroom apathy" regarding the issue of security,
with too many CEOs adopting an 'it couldn't happen to us' attitude.

Despite a recent spate of high-profile virus attacks, and the
constant threat posed by hackers, companies still appear to be
leaving a lot to chance - a stance which Robert Chapman, co-founder
of The Training Camp, who conducted the survey, says displays a
worrying level of "ignorance".



-
ISN is currently hosted by Attrition.org
