
BLOG: Governments risk fragmenting cyber-security strategy

John Colley | May 2, 2013
Too many countries and global organisations are working in silos

Information security professionals are scrambling to get up to speed with the EU's shiny new Cyber Security Strategy from Neelie Kroes. This is only the latest development in the awakening of governments to the economic importance of cyber-economies and their very real vulnerability to cybercrime and warfare. 

Political parties around the world are campaigning on cyber-issues. For professionals that have fought to make themselves heard over more than two decades, this is a welcome development. But does it represent progress?

Information Security is a discipline that has from the outset developed on an international level. Recognised principles and codes of practice have developed from the grassroots, driven by the need to share information and access others' experience.

As the profession developed in a connected world, one was just as likely to plug into that valuable nugget of experience from someone around the world as around the corner. It's a dynamic that remains essential to the health of the profession today, given the constantly changing nature of the technology and threat landscape.

However, as we enter the age of the national cyber-security strategies, we may find unanticipated barriers that could upset this dynamic. While we have always faced a complex legislative environment, now we have a series of global frameworks that lay new foundations for how legislation should be developed on a national or regional basis.

The incentives driving these frameworks differ greatly. The US, for example, is highly driven by national security, the EU by the development of an enabling digital agenda, and the UK is somewhere in between these two. This suggests the world of professional cyber-security is about to become much more complicated.

These strategies also put a spotlight on the need to develop skills within national economies. Unfortunately, this is fuelling a proliferation of initiatives to define new standards for skills that do not necessarily reflect the norms already recognised by the practising professionals. Beyond the obvious waste of public finances, companies and governments may well be put at risk by the confusion that ensues.

International organisations such as the International Standards Organisation (ISO), the EU, and individual countries have entered the race to influence the cyber-skills standards. There is little evidence that these groups recognise each other's work or are making any effort to ensure harmonisation. Worse, many countries, the UK among them, see this as an opportunity to develop competitive advantage.

For the practitioner on the front line, working in an international environment that has always been his or her jurisdiction, these developments represent a potential nightmare. There is little evidence that the professional community is even being properly consulted.

I am not suggesting that governments should leave the issues alone. Far from it, but if we are to see progress from their effort, we need to see a commitment to understanding what progress looks like, and where their investment can have significant impact.

Governments need to understand what it means to listen. The profession too must play its part; make an effort to understand these developments and actively work to ensure they can be heard.


