Archive for June, 2007

Schneier calls for liability

Friday, June 8th, 2007

An entertaining interview with Bruce Schneier in IT Security. He sets out in typically forthright style his view on big questions such as ‘Is security a solvable problem?’ He says, “Organizations need to be liable if they expose our personal information. That’s the kind of economic incentive that will result in more security.” Cases like the Nationwide Building Society’s recent £1 million fine demonstrate that this liability is becoming real, which will intensify the pressure on organizations to implement ISO 27001 as the best practice test of their infosecurity.

The well-rounded CIO

Thursday, June 7th, 2007

Two items here nicely illustrate the fact that IT leaders need to understand the business, not the other way around. Michael Farnum gives some examples that demonstrate it takes maturity on the part of infosec and IT professionals to realise that the interests of the business legitimately come before those of the IT function. While I fully agree with this point, the question arises of how IT professionals can acquire the broader business experience to develop this point of view.

Some potential answers are implied in a report from the Society for Information Management Advanced Practices Council, which calls for measures to increase the leadership ability of the next generation of CIOs. Its proposals, including structured career development, job rotation and performance metrics, appear to be confined mainly to the IT function. However, the same approach would surely make an excellent basis for exposing IT pros to the other functions within the business. Why not rotate promising IT leaders around appropriate roles in sales, finance and manufacturing too? That would produce a quantum leap in the business knowledge of CIOs and make them far better able to act strategically for the business.

The CSO – a rare breed

Wednesday, June 6th, 2007

David Lacey has a good post on his ComputerWeekly blog, questioning whether it makes sense to combine responsibility for both physical and information security. He highlights the potential benefits, but rightly points out that virtually nobody has all the skills required. It seems strange how many companies seem to be talking about appointing a Chief Security Officer when so few qualified candidates exist.

As I have said previously, this idea is good in principle, but is fashionable before its time. What are needed are some new training options to enable people to develop the necessary expertise. In the meantime, companies should put this bright idea back on the shelf and bring it down again in about five years, by which time supply may hopefully match demand.

A one-stop-shop for the U.S.

Monday, June 4th, 2007

Businesses and organisations operating within the United States face particular challenges when it comes to regulatory demands. This is keenly felt in the area of information security, where it is necessary to satisfy a complex web of regulations. ISO 27001 is something of a magic bullet for many of these demands, and the US has seen rapidly building interest in the new standard. To meet the need for information on this topic we have just launched www.27001.com, a new website that is specifically tailored to the United States and provides a one-stop-shop for all the key ISO27001/ISO17799 standards, books and tools currently available.

Through www.27001.com organisations can find out how an ISO27001 ISMS works with ISO17799 to help them meet their business needs for cost-effective information security, while at the same time meeting their information-related regulatory compliance objectives and preparing them for new and emerging regulations. US regulatory requirements currently addressed by the site include HIPAA, GLBA, SB 1386 and other State breach laws, PIPEDA, FISMA and EU Safe Harbor regulations.

We have aimed to make the site the Neiman Marcus of IT governance and security. It showcases the very best products and services currently available, including works by the most respected industry thinkers as well as uniquely focused products developed by us. Whether you need C-Suite guides to the regulatory landscape, or highly practical guides for project managers, it is all available in a single place.

White collar crime and information security

Friday, June 1st, 2007

The increasing incidence and serious nature of internal threats to the security of corporate information are well demonstrated by the recent need for Cable & Wireless to obtain an injunction requiring a former executive to hand a 100,00-strong customer database back to her former employer. While the former executive denies the allegation, the BBC has established that the database is being used illegally by Pakistani call centres.

An effective information security management system (i.e. an ISMS in line with ISO27001) would have identified this risk and guarded against it. Identifying, investigating and responding to this sort of white collar corporate crime will increasingly be part of the ISMS operation, which is why we have just added a selection of useful books on White Collar Crime and Computer Forensics to our website.

We expect more stories of this sort.