Archive for November, 2006

Infosec career guide

Tuesday, November 28th, 2006

ComputerWeekly has flagged up a new report from (ISC)2 (the International Information Systems Security Certification Consortium) which contains various items of useful career information for security professionals, including job descriptions, likely salaries, career advice and listings of professionally recognised information security courses.

CW highlights the following fact: “More than 1.5 million people work in information security worldwide. The (ISC)2 expects that number to reach more than 2 million by 2010, an annual growth rate of 7.8%.”

As both the guide and the organisation give prominence to IT governance this should hopefully be a valuable tool in helping the next generation of CIOs prepare for the challenges of the boardroom.

Face it: IT is about revenue growth

Thursday, November 23rd, 2006

News in Information Age that is simultaneously encouraging and puzzling: according to the Economist Intelligence Unit (presumably, rather than the ‘Economics Intelligence Unit’ the article credits):

“…globalisation and increasing competition in markets worldwide is driving senior managers to demand a closer alignment of IT to business goals. The research indicates that 69% of senior IT and business executives expect the primary role of IT, traditionally cost efficiency, to be elevated to that of enabling revenue growth within three years.”

However, the report talks of a ‘fissure’ between CEOs and board directors, who are supposedly pushing for this transformation in the role of IT, and CIOs and IT managers who are apparently dragging their feet.

This strikes me as odd, given that the shift is inevitable and surely a golden opportunity for the IT function to secure the long sought-after guaranteed place at the top table. The evolution in the role of the CIO is about to go into fast-forward – let’s hope enough people are ready for it.

Phishing tackle

Sunday, November 19th, 2006

More evidence of the increasing sophistication of online fraud. Gartner says that phishing scams are increasingly targeting wealthy web users and that the number of adults to have received phishing e-mails has nearly doubled since 2004.

“The good news is that this year fewer people think they lost money to phishers, but when they did lose, they lost more,” said Gartner analyst Avivah Litan.

It will be interesting to see whether the anti-phishing measures in Microsoft’s IE7 have much impact on this, but my guess is that the best prevention will remain education, hence my book for home and SME users, ‘The Internet Highway Code’.

81% of IT managers report a security incident

Friday, November 17th, 2006

More meat on the bones of worries about Instant Messaging. A recent survey found that 81% of IT managers reported a security incident due to Instant Messaging or other ‘greynets’, such as Skype. These incidents cost companies real money – nearly $130,000 annually to be precise. The survey also shows that more users are adopting greynet applications, yet little progress has been made toward combating greynet-related attacks.

This being the case, it is all the more vital to tackle the human dimension. Companies that implement ISO 27001 will have clearly communicated policies in place to cover such applications, audit processes to check that the rules are being followed, and unambiguous penalties for individuals who go against their responsibilities to the company and their colleagues.

Altered attitudes

Monday, November 13th, 2006

Here is an article addressing an important topic, written by someone who knows a thing or two about security, having previously edited SC Magazine. How, then, can it be possible for this lengthy piece to make absolutely no reference to ISO 27001?

Many of the measures suggested by interviewees are spot on, but where is the glue that holds all of these ideas together? This is precisely what ISO 27001 is for and it would be good to see titles like ComputerWeekly doing more to champion this vital management tool.

Spam gets stealthier

Monday, November 6th, 2006

I would have thought by now that infosec professionals would have been aware of the extent to which spam is part of the malware armoury – but this article identifies the need to ensure that staff are also appropriately trained to identify and deal with those threats that inevitably bypass the best defences. ISO 27001, of course, provides clear guidance on staff training.

Webmail woes call for ISO 27001

Thursday, November 2nd, 2006

Doug Schweitzer raises an interesting point about the potential for webmail users to circumvent the best network security arrangements. He’s absolutely right when he says that the only realistic answer can be the right corporate policy supported by compliance audit and awareness programmes. Without stating it, his post is a call for a widespread adoption of ISO 27001, which directly addresses the security vulnerabilities that arise when technology and human beings interact, i.e. the real world.