Archive for November, 2005

Security audits

Wednesday, November 30th, 2005

Outsourcing, particularly in the information security space, should be about helping clients improve their security performance, rather than about vendors improving their performance at the expense of their clients. A recent comment from security software firm Solutionary, as reported in SC Magazine here, was that security audits are a bad thing in that they can encourage complacency. While there is sometimes truth in the argument, I think this is bending reality a little too conveniently to suit someone’s own marketing agenda. Of course complacency is the last thing that we need if IT security is to be achieved, but the answer isn’t necessarily to outsource the whole problem to a (doubtless excellent) security provider like Solutionary. IT security is a real concern for a lot of businesses for whom a security audit is an integral part of a balanced and comprehensive approach to information security. For these firms, security audits are very definitely an essential part of an affordable security solution. The important point is to ensure that audits don’t exist in isolation but are part of a proper ISMS that ensures compliance with - you guessed it - ISO 27001.

Portugal embraces ISO 27001

Monday, November 28th, 2005

Positive developments in Portugal: a group of IT professionals has teamed up to form an ISMS community to promote best practice in information security, with a focus on ISO 27001 and ISO 17799. The community maintains a Portuguese blog and an English language page here describes its activities.

IT security and the boardroom knowledge gap

Wednesday, November 23rd, 2005

How many board directors know what ISO 27001 or ISO 17799 are? For that matter, how many still don’t know a firewall from a fire extinguisher? We are finding that, although an increasing number of non-IT company directors want to get to grips with data security, a limited technical understanding continues to frustrate the efforts of many. As a result, information security remains something of a ‘Bermuda Triangle’ in the executive role - everyone knows it’s there, but it’s shrouded in mystery and few have actually ventured in.

Clearly, this is a situation that has to change and we have just launched a new book to help bridge this boardroom knowledge gap. ‘A Business Guide to Information Security‘ is written for non-IT directors and is co-published by Kogan Page and the UK’s Institute of Directors, which has also endorsed the book because of its relevance to SMEs as well as large businesses. We have taken data security issues from the ground up, in order to explain the various threats to a company’s systems and what has to be done to address them. (If you are interested, the book is widely available through bookshops and also here.)

It would be good to hear some feedback on directors’ current awareness and concern about the data security issue - we think it is definitely on the increase but has a long way to go. What will it take to really get it onto every boardroom agenda?

Online Christmas shopping worries

Wednesday, November 23rd, 2005

If anyone is asking what all the fuss is about ISO 27001, ISMS and all the rest of it, this article from SC Magazine should make them stop and think. Apparently, 1 in 4 Americans won’t be shopping online this Christmas because of security fears. On the upside, the article reveals that many consumers are taking sensible and active steps to protect themselves online. However, there is clearly a long way to go, and all that caution from millions of shoppers is bound to have a negative impact on prosperity in general. If this is true of the IT savvy United States, you can bet it is just as true elsewhere around the globe.

Where does ISMS fit into this? ISO 27001 is precisely the kind of confidence building measure that businesses need to put in place to make society more at ease with e-commerce. Getting certified is great for a company at the individual level (reducing business risks, reassuring customers, providing a competitive advantage), but it is also vitally important for society as a whole. We all know that the Internet is a long way from realising its full potential as a creator of wealth and improver of life quality; what more companies have to realise is that ISO 27001 is one of the vital building blocks that will help us reach that goal.

Talking ISO 27001

Thursday, November 17th, 2005

I was pleased to talk about ISO 27001 this week with Chad Nantais, who blogs on IT security issues at Information Security News. You can find the podcast of our discussion here.

Aligning Cobit, ITIL and ISO 17799

Tuesday, November 15th, 2005

The recently launched ‘Aligning Cobit, ITIL and ISO 17799 for Business Benefit‘ is a welcome step toward making IT governance more usable for most organizations. There has long been confusion over which of these three frameworks is really an IT governance framework; for an equal length of time, the answer has been that each is a component of such a framework, as I proposed in IT Governance Today: a Practitioner’s Handbook earlier this year.

While I’m delighted at this progress, there is (as I’ve already argued) further still to go in integrating and simplifying IT governance frameworks, and I will be taking this further in the 2nd edition of the Practitioner’s Handbook when it is published early next year.

The IP security debate

Tuesday, November 15th, 2005

Spotted an interesting article at SC Magazine talking about concerns over the security of VoIP. If ever a story pointed, unwittingly, at the fact that good information security is a business-enabler, this is it! Technology helps businesses perform better, more efficiently, and more profitably.

New technology also creates opportunities for new attacks. Effective information security - a key leg of IT governance - enables this new technology to mostly bring benefits, rather than problems.

It would be useful if rather more executives focused on the critical role that information security and IT governance can play in helping their businesses advance to success.

IT governance in South Asia

Tuesday, November 8th, 2005

Less than a month ago, I commented on the greater likelihood that a developing world company would have its CIO on the board than would a developed world company.

An article in Express Computers, India’s leading IT weekly, emphasizes the point. In words that might have come from my own IT Governance: Guidelines for Directors, Shashwat Singhal emphasizes the duty of executives to make IT decisions in the interests of shareholders and other stakeholders.

If he’s correct that many organizations are implementing IT governance structures, and if his point of reference is primarily the South Asian market, then the developed world is undoubtedly falling ever further behind.

It’s like a game of leapfrog - except that in the information age, after you’ve been jumped, you go bust.

Primark and business continuity

Friday, November 4th, 2005

Shareholders in Primark, a UK budget fashion retailer, would have been concerned when they heard about the fire that, overnight on 2 November, destroyed its offices, distribution centre and a substantial part of the stock, just at the start of the busy pre-Christmas period. Shares in ABF Foods, its parent company, declined about 2% in early trading the next morning.

The shares, however, quickly recovered and then went up. Why?

According to Times Online: “the shares moved back into positive territory following ABF assurances that it was fully insured for stock loss and disruption and that it had moved swiftly to repair its supply chain.”

Clearly, the board of ABF had, at some point, decided about an appropriate level of stock loss insurance and, even more importantly, had made adequate business continuity arrangements that would enable the business to continue trading in spite of a major disaster such as this one.

Is business continuity planning a major board governance responsibility? You bet!