A voice of reason
This is one article that every security professional should read. The reason why security legislation and regulation fails to gain traction is a simple case of failing to understand how the business operates.
We talk about security as a separate activity, but this leads to it being seen as a cancer on business performance, with it eventually encroaching on every activity until it impairs the performance of the business.
Take ISO-27001:2005 for example: it mandates the creation of an Information Security Management System which can (if implemented properly) be used to manage all types of risk (credit, health and safety, financial etc.), but it rarely does. The PCI-DSS is another example where people are employed (what does a Business Analyst actually provide over a good consultant, BTW?) just to understand what the business does, because the security professionals aren't perceived to be able to. PCI-DSS projects, in particular, therefore become focussed on the technology rather than the management of risk surrounding payment card information.
We need to throw the technical-focussed perception off ourselves, and free our minds to actually look towards understanding and supporting business objectives and processes to define appropriate security mechanisms that support the management of risk within the organisation.
The main problem is that all of this is intangible and requires time and effort which many companies don't see the benefit in expending, but the fact is that this is the reason why the credit crunch has happened, and we need to use lessons learned to create a new perception about the usefulness of corporate governance.