Make IT workers accountable, experts urge
By
Vivian Yeo, ZDNet Asia
Friday, June 09 2006 07:18 PM
Industry players in Hong Kong, Malaysia and Singapore are urging greater regulation of IT security professionals, to safeguard the interests of both the professionals and the businesses that employ them.
ZDNet Asia contacted several industry observers across the region; those who support legislating the profession believe this path is inevitable.
Aloysius Cheang, president of the Special Interest Group in Security and Information Integrity (SIG^2) in Singapore, said in an e-mail interview that legislating information risk and security professionals is a "must-go", given the increasing importance of securing a company's assets.
The idea is to elevate the profession to that of doctors or lawyers, he said. At a more extreme level, IT security professionals should be held liable for errors or negligence during the undertaking of an IT security project, Cheang added.
Despite the importance of IT security, he noted that those in the profession are still not accorded the appropriate level of respect. For example, the chief security officer often reports to the head of finance or head of operations rather than directly to the CEO. This makes it difficult for him or her to carry out security audits on the chief finance, information and operating officers.
IT security today is, therefore, still "a soft science" with no common baseline of measurement of an IT security executive's professionalism, Cheang said. "There is no professional association that regulates IT security, governs the profession and sets a baseline of performance, ethics, progression and career development," he said.
Lee Kwok Cheong, president of the Singapore Computer Society, added: "IT infrastructure is no less important, and life-impacting, than physical infrastructure like buildings, roads and bridges.
"You would not buy or live in a building not designed by qualified architects and engineers. Why would you accept anything less from the IT profession?" he said.
Husin Jazri, director of the National ICT Security and Emergency Response Center (NISER) in Malaysia, agreed. He noted that a high standard of professionalism in the area of information security is now crucial. "Organizations realize the importance of certified information security professionals with current skills and knowledge, to ensure a safe environment for them to conduct business," Jazri said.
ZDNet Asia understands that the issue of legislating IT security professionals is still a nascent one in Malaysia. According to NISER's Husin, more discussion is needed to gather input from stakeholders in the country.
Industry players and businesses also need to be given "ample time to understand the necessities and implications", he added.
In Hong Kong, Sin Chung Kai, a legislative councilor who represents the Information Technology Functional Constituency (ITFC), said he does not rule out such requirements in future.
However, rather than mandate a license for all types of IT security personnel, only qualified personnel should be licensed and publicly recognized, he said in an e-mail interview. That would pave the way for requiring businesses to use qualified IT security professionals for "certain mission critical projects", he noted.
Issues to resolve
However, while there is now recognition of the need to certify IT security professionals, experts caution that the IT security industry is very young compared to the medical, legal or accounting industries.
"The Hippocratic Oath (observed by medical practitioners) is 2,000 years old, the legal profession is at least 1,000 years old, the accounting profession is 500 years to 1,000 years old... computer security hasn't been around for 20 years," said Anthony Lim, vice