It can be better to be needed than wanted

Oscar Wilde once said "There is only one thing worse than being talked about, and that is not being talked about." I was reminded of this last month when I attended the first London meeting of a new group called the CSO Interchange, an event that drew senior information security chiefs from banks, manufacturing and media firms.

The group is international and is intended to provide a private forum for professionals to exchange their experiences through presentations and, more importantly, through small round-table discussion groups.

Organised and sponsored by Qualys, it looks to be a successful formula for getting people together without commercial pressures, and allowing them to share experiences with their peers. I strongly urge you to join.

Anyway, one of the features of the day was a series of quick on-the-spot surveys, using handheld wireless devices, where the delegates were given multiple-choice questions. And when a question came on the screen asking how security was viewed in their organisation, 48 per cent answered "A necessary evil", while only 28 per cent said "A business enabler."

Sounds bad, but as it emerged in subsequent discussions, being recognised as a necessary evil is a big improvement over being an unnecessary evil, as many of them felt a year ago. Those who have risen to being a business enabler really are on the road to stardom.

The reasons for the change are obvious, given the general publicity given to viruses, worms, phishing attacks and identity theft. But there is more to it than that. As one delegate said, his own job has been transformed from a purely technical role three or four years ago, to being an influencer and persuader, dealing with finance, risk management and legal compliance, as well as other business units.

He had managed to make the leap from necessary evil to business enabler, which is where we would all like to be. But another delegate sounded a note of warning. He was from a large bank, where compliance had become a huge part of his job.

He said the requirement to tick the box on so many new areas of legislation could militate against information security winning the hearts of the rest of the firm.

To become a business enabler, you need to be known as the person who likes to say 'Yes' to new projects and offers advice on how to achieve it. But compliance, he warned, will force us increasingly to say 'No', not because we want to, but because that is what Sarbanes-Oxley or Basel II say we should do.

In other words, infosec could become a scapegoat, blamed for all the delays and restrictions placed by other departments and regulations.

What this means is that you will still be talked about, but that the best you can hope for is probably 'A necessary evil'.

Ron Condon is editor-in-chief of SC Magazine