Legislation Not the Answer for Information Security?
Legislation Not the Answer for Information Security?
December 20, 2007: Speaking at the annual Information Security Forum in South Africa, Professor Mervyn King has explored the idea of legislation not being the quick fix we need for information security.
South Africa’s ICT industry is something of an international curiosity, the potential for investment is extremely high and fraught with peril, this doesn’t seem to worry the Victorian Government who are attempting to encourage investment north of the cape peninsula.
Addressing the Information Security Forum at their annual congress, Professor Mervyn King told the packed auditorium that “legislation is not the recipe for good corporate or IT governance and that it is impossible to legislate against dishonesty.”
While some circles may disagree, the issue is a hotly disputed one thanks to a large swathe of organisations not wanting to come to the information security party unless they’re forced too.
“Quality is more important than quantity when it comes to governance; and the market is the ultimate compliance officer.” said King.
The former Supreme Court Judge and advisor to the World Bank went on to advocate the adoption of the Information Technology Infrastructure Library (ITIL) which is the set of concepts designed to manage IT with more of a business mindset.
“IT governance is specific to each business and a ‘one size fits all’ approach is not possible; alternative standards such as Cobit and ITIL should be used as a framework for IT governance.” said King.
Cobit is of a similar grain to ITIL; however it focuses more on establishing a set of best practices for managing IT to establish a broad framework.
King is also advising a higher level of interactivity between IT departments and management, particularly in the boardroom where the lions share of the big decisions are made.
“IT governance is a Board level issue and because of this it is increasingly important to have the CIO as a Board member.” said King.