Thanks to the regulatory efforts of the state of New York, a wave of title inflation may soon erupt across the entire IT security sector.
As part of a sweeping set of rules that address everything from vulnerability testing to documenting incident response, the state of New York is seeking comments on new rules that require banks and insurers to appoint a dedicated chief information security officer (CISO).
The rules themselves are based in part on three separate surveys of 200 regulated banking institutions and insurance companies conducted by the New York State Department of Financial Services (DFS). The DFS also says it met with both industry executives and cybersecurity experts to discuss emerging trends and risks, as well as the due diligence processes, policies and procedures governing relationships between financial services firms and third-party vendors.
Naturally, the two most significant implications of these rules for IT security professionals come down to what the rules mean for their careers. The first implication is that anyone carrying a CISO title needs to have their own dedicated security budget. The days when security is allocated a percentage of the annual IT budget that is subject to change at any moment are coming to a close.
The second, more personal implication is the assumption that other states, and even countries, will apply similar types of rules. In fact, there's no reason why these rules should be limited to the financial services sector. Once that occurs, demand for managers with enough IT security expertise to serve as a CISO will skyrocket.
Of course, that may only exacerbate an already difficult situation. There is already a significant shortage of qualified IT security experts. Creating a requirement for financial services firms to appoint a CISO might lead to promotions that are not as well-deserved as others. Possibly worse yet, some organizations might appoint a business executive to fill the role in order to settle some other battle over turf inside the organization. On the plus side, however, many IT security professionals who toil ceaselessly to defend the integrity of their organizations may soon be getting their due.
Business executives rarely get excited about more regulations. But from an IT security perspective it's already clear that more needs to be done to address a wide range of IT security issues. The banking sector in particular is hard pressed because, as an industry, it bears the brunt of the sophisticated IT security attacks being launched.
The question now is to what degree similar rule changes might be adopted around the globe. Assuming that most politicians are going to view IT security issues as a mandate to protect the consumer, chances are high that similar requirements will be applied globally. The challenge will become finding a way to rationalize those regulations so that it is simpler to comply with them universally. Right now, organizations of all sizes are looking at having to contend with rules that are likely to vary from one state to another.
In the meantime, IT security professionals may not be able to take any extended time off any time soon. But they should at least take some comfort in the fact that there are forces at work to make sure they are well compensated for their efforts.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.