Time for change?

Since the dawn of the new millennium, we have seen many changes in the way modern business communicates with clients and consumers alike. Web 2.0 is firmly upon us, driven by the proliferation of faster internet connections and the abundance of ways to access them beyond the traditional PC or laptop: tablets, smartphones and even games consoles. We are therefore working in an era where absolute security is no longer a realistic goal, despite a raft of compliance frameworks ranging from the technically specific (e.g. PCI DSS) through to the governance-heavy such as COBIT and ISO/IEC 27001:2005. The mantra of "good enough" security has been repeated for some years, and the compliance burden is spiralling out of control.
We have reached a stage where standards such as ISO/IEC 27001:2005 are treated with disdain for not being specific enough, even though they promote exactly the understanding of information assets, the risk management and the cyclical review of risks that are already part of day-to-day "offline" business. When many of my clients cite the burden of keeping the badge as their reason for not adopting ISO/IEC 27001:2005, that shows me that we as an industry have failed in our delivery.

As I cast my mind back to the late 1990s, I remember the new opportunities producing a raft of qualifications such as the MCSE and CCNA, which meant that a person could get a relatively senior role as the intellectual gold rush ensued for people who could bolt an IT infrastructure onto a willing organisation without any integration into the business itself. An analogy to be drawn here is that of the busy parent looking after baby twins (IT Ops and IT Security). As the parent organisation didn't have the time to devote to nurturing the embryonic IT infrastructure, the IT department learned bad habits, argued with its sibling and, as it reaches its teenage years, is now out of control.
So what does the parent do? He or she looks to Super Nanny and the range of behavioural psychologists: think of the array of industries capitalising on the failure of security to communicate, with business analysts, BCM consultants and programme managers being employed to address the industry's inability to integrate into the business. The parent simply doesn't understand its offspring and is now considering adopting an older child in the cloud space, of whom the twins are distrustful, and a battle ensues.
Confidentiality, Integrity and Availability
The sad fact is that we have created a monster of our own making: despite the myriad frameworks, we often have little notion of what information is important or where it is. Even worse, despite talking about the Confidentiality, Integrity and Availability (CIA) risks to information, we merely look to manage the confidentiality risks. In my experience, organisations actually care about their information being accurate and available to them when they need it, and once they have information they can trust, they value it and want to keep it safe.
We have created an environment of fear in the boardroom rather than one of opportunity, and this now seriously threatens the adoption of Cloud services, which offer a real opportunity for tangible financial benefit by pooling the skilled resources that otherwise drain budgets on contractors building in-house systems. Worse still, our poor communication has created the illusion that mere compliance, and the periodic audits that go with it, have delivered a level of data security within internal networks that no external service provider could match.
We need to help businesses understand that information is the only thing that matters, and that once they obtain a detailed understanding of their information and manage the associated risks, an opportunity for a level of business agility previously unheard of presents itself. We also need to reach out to the various specialisations within the wider Information Risk Management community and look to earn our places in the boardroom again.
Des Ward, president CSA UK & Ireland, is speaking on ‘What Compliance Juggernauts Are Coming Down The Road For Security?’ in the keynote programme at Infosecurity Europe – the No. 1 industry event in Europe – where information security professionals address the challenges of today whilst preparing for those of tomorrow. Held 19-21 April at Earl’s Court, London, the event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk