Computers and new technologies such as Voice over Internet Protocol (VoIP), which facilitates voice telecommunication over data networks like the Internet, make me wonder if perhaps Information and Communication Technology should be a regulated industry.
Typically, governments regulate industries where there is an overwhelming need to ensure the integrity of professionals, such as in the medical field. Doctors must be licensed by a governing authority in order to practice. This governing authority establishes minimum competency and education standards, ensuring that the public receives care from a doctor who knows what they are doing. I don’t know many people who would want to be cared for by a healthcare professional who did not, for whatever reason, meet the standards established by the governing authority.
Information and Communication Technology professionals, in many organizations, are granted an extremely high level of trust. Many businesses and other organizations use technology to perform a large portion of their work. This might range from maintaining personal and confidential information in a human resources database for a business to updating patient records in a healthcare system. By the nature of their job, ICT professionals typically have full and complete access to all systems, which includes the data they contain.
Many organizations have made headlines regarding data breaches. These include both large enterprises and smaller organizations. In many cases, there is little recourse for those who have had their personal information compromised, and much of that information can be used to facilitate other crimes, such as identity theft.
Larger organizations may have the resources to provide complete background checks prior to hiring an ICT professional. Smaller organizations, however, often do not have these resources for security and background checks, often due to the costs associated with executing the checks. Background checks alone, however, do not eliminate all risks associated with a potential ICT professional.
As of today in Ontario, Canada, anyone can start their own Information and Communication Technology services business. There is no barrier to entry other than the costs associated with registering a business name with the government. With ICT devices, such as computers, mobile phones, tablet computers and more being used to store personal and confidential information, this is an area which I, personally, believe requires much scrutiny.
Smaller businesses often rely on outside vendors for much, if not all, of their Information and Communication Technology needs. These smaller businesses, however, do not typically have the knowledge or experience to vet their service providers and often trust what they are told by the vendor. Many ICT service firms do not employ staff who are intimately familiar with business-class systems. Just because someone knows a little bit about computers does not necessarily make them qualified to perform ICT work for a business or enterprise. Many more of these technicians have little or no security training or education.
Businesses are facing pressure from regulators with regard to the safeguarding of personal and confidential information. These regulations can differ depending on the industry of the organization. A health care organization, for example, has strict rules regarding the storage, protection and disclosure of patient information. Similarly, a financial institution is regulated to protect the privacy of its customers.
Malicious hackers are always trying new exploits and trying new ways to break into secure systems. The ways they attempt this are numerous. If a business, for example, hires an ICT firm to set up a network for them at their place of business, what assurances do the clients have that the way the system is configured is secure against intrusion? Continuing on that train of thought, what assurances do the clients have that the ICT firm even knows about security considerations and how to make the system secure?
I believe that it is in the best interests of the public, whose personal and confidential information is stored in several different computer systems, often worldwide, that the Information and Communication Technology industry become a regulated profession. The industry should, in my opinion, establish a College of Information and Communication Technology that would define specific education, training and possibly experience requirements in order to be an ICT firm or to be an ICT professional at a business.
At the very least, I believe that we should open a dialogue to discuss options to work to ensure the safety of the information that we, as Information and Communication Technology professionals, have been entrusted to protect.
Another area where I believe that we, as an industry, should have a dialogue is the possibility of requiring disclosure of data breaches. Some locales, like California, already mandate that companies and organizations disclose when their systems have been breached and personally identifiable information has been compromised, but many more jurisdictions have not yet adopted similar legislation. I believe that a person has the right to know if their personal information was compromised, as well as how and through which organization (for example, a financial institution being compromised would likely be more of a concern to a person than a video store customer database being compromised).
I welcome your comments and ideas on this topic. Please feel free to add a comment.