I have spent a lot of time, as of late, working on policy. This has helped me to realize two things. First and foremost, that poor policy, or lack of policy, really will undermine all of the other work that can be put into an information assurance program. Second, that behind every policy there needs to be adequate education.
This second point I cannot emphasize enough. I am finding that it is not simply a matter of educating people about the new policies that are being passed, but that there is a level of education that needs to happen before the policies are passed so that the policies are written properly and to the correct audience. I come from healthcare and industry. Now, working in academia, I find that the change controls that were appropriate for industry are different from the change controls we would use here at the school. That said, I am also finding that I need to educate the people I work with about the value of ITIL so that we may find a happy medium.
On a separate note, I wanted to mention the business that has been going on in Washington and around the world. First, the most obvious world news. With the death of bin Laden, I think that we in the security space need to keep an eye on the horizon for the potential of a cyber backlash. As they say, for every action there is an equal and opposite reaction. In the past this could have been assumed to have been a physical attack, but since 9/11 we have clearly seen an increase in cyber warfare, and it would not be unheard of for the response to this action to be a cyber attack. While I applaud our military for this success, I wonder what the response might be.
In other news, I look to Capitol Hill and welcome the bill proposed by Kerry and McCain on the Commercial Privacy Bill of Rights. I think this type of legislation, while it certainly will make the work we do as security professionals much harder, is the right step for the consumer and for the industry. The more standardization we can get in this type of legislation, the better off we will all be. It would be nice if Congress would work to unify some of these laws and to repeal some of the outdated laws so that we could consolidate some of our compliance efforts. I know this will never happen, but the ideal is a nice one.