Alan Calder on IT Governance, information security & ISO 27001

While the UK cyber security strategy, published last week, is full of good stuff, it is lacking in one key area: compulsion. My view on this was quite widely reported last week: if UK organisations won’t take adequate action to protect personal data, under legislation that has been around since 1998, and won’t report breaches voluntarily to the Information Commissioner, then what on earth is going to cause them to share information about much more damaging cyber breaches?

The threat of a £500k fine hasn’t led to a dramatic increase in the number of UK organisations reporting data breaches, but nor has there been a dramatic decline in the number of successful hack attacks reported – initially, usually by the hackers, not by the hacked.

The European Commission appears to understand that organisations, public and private, are not pre-disposed to protect personal data. The proposed revisions to the European Data Protection Directive should, if enacted as currently drafted, bring substantial change – the threat of a fine equivalent to 5% of global revenue (applicable to EU entities, including EU subsidiaries of foreign companies) should bring a substantial change to data protection behaviour. Allied to a legal requirement to report breaches within 24 hours, this regulatory imperative may finally bring real protection to individual data.

Now, imagine how quickly UK organisations would get their cyber security houses in order if they were faced with a requirement to report all breaches within 24 hours and faced a very substantial fine – on top of the losses and other penalties they incurred. And imagine how quickly cyber security would find its way onto the corporate governance agenda and onto the list of issues about which shareholders are concerned.

It will be interesting to watch the progress of the EU directive and, alongside it, progress in implementing the UK’s current cyber security strategy. I hope there will be progress in both and fear that both may ultimately be ineffective – the EU law because the compulsion element is watered down, and the UK strategy because it is already quite watery.

According to a recently published Which? report (based on the results of an FoI requesst to the ICO), there were, in the year up to August 2010, nearly 1,200 allegations of breaches of the DPA made to the ICO in respect of UK banks and building societies. The Which? report said that only 13% of people knew they could report DPA breaches to the ICO, suggesting that the number of actual breaches may be much, much higher.

And who could be surprised?  UK financial institutions – which once had a reputation for honesty and probity – have been implicated in scandal after scandal – pension mis-selling, the bank fee/charges scandal, the debt crisis and, more recently, the payment insurance scam. (They’re now selling insurance against identify theft – watch this turn into another scandal, with another multi-billion compensation pot.)

UK banks appear to have invested heavily in their complaint-suppression processes. Consumers are to be exploited, not cared for, appears to be their real philosophy. At least a Nigerian Advance Fee Fraud is self-evidently dishonest – UK banks cloak their schemes in legalese. glossy advertisements and implacable complaints processes. Failure to protect data is just one of the areas in which failure follows inadequacy follows absence of care. While we can avoid buying the banks’s schemes, we can’t avoid the fact that they have our personal data. We can – and should – insist that our data is maintained in line with the DPA. Banks will not do this voluntarily.

I believe that we have reached a point where financial institutions should be required to immediately report all DPA breaches to the ICO, that breaches should automatically attract a compensation award to the individuals affected and that repeated breaches should automatically attract a significant fine from the ICO, with the amount of the fine increasing with every subsequent breach.

What do you think?

Gartner says that “IT & business leaders must face the fact that social colloboration is already a reality.” I agree. As a company, we have been working with social media in its varying, evolving forms for a number of years. This blog, for instance, has been in existence for five or six years – it’s never been a blog-a-day blog, but I’ve been writing about issues in and around information security and IT Governance irregularly for a long time. We published a Web 2.0 Best Practice Report in July 2008 and coined the phrase ‘Threat 2.0′ to describe the combination of threats to confidentiality, integrity and availability of date posed by the explosion in social media.

As a company, we’ve been producing the IT Governance blog for a couple of years, have a twitter feed (which we’ve just made the default way of ensuring that everyone inside the company is able to stay on top of our own news and developments), an IT Governance on Facebook page and a large number of topic-related IT Governance LinkedIn groups, all sitting under a single IT Governance profile.

We’ve grappled with social media for many years, from the early excitement of each of the ‘next big things’ through to the period of mainstream adoption, where issues like employee accountability, corporate resilience, privacy, compliance, confidentiality, data integrity and archiving are being taken increasingly seriously by business, IT and compliance leaders in organisations large and small across the world.

Our Social Media Governance Toolkit was developed out of a combination of our own experience, research and identification of existing good practice across the Internet. It continues to be informed by both internal and external feedback from actual use and we continue to make upgrades available to customers who have already purchased their own copy.  For instance, we will shortly be sending out a LinkedIn Group Policy template, reflecting our own experience with the need to ensure that LinkedIn Groups continue to be useful forums for exchanging information in a reasonably informal (but unspammed) environment.

We hope, as increasing numbers of organisations deploy our Social Media Governance Toolkit (or similar policies and practices), that we will between us keep the ‘free interchange’ aspect of the Internet working effectively.

One of the most frequent questions I’m asked by CEOs is: “But what’s the real bottom-line benefit of more effective information security, or of an ISO27001-certificated Information Security Management System?”

One real benefit is the effective information security protects the bottom line. The reason you put money in a bank, is to protect it. The reason that you secure information, is to protect it – and the company that is responsible for the information. 

The recent security breach at ACS: Law has been widely reported. A law firm appears to have broken a basic law (the Data Protection Act), is now apparently under investigation by the Information Commissioner and by the Solicitors Regulation Authority and, in addition to the possibility of a fine of up to £500k, it faces unquantifiable current and future damage to its reputation, brand and future business. It’s not always clear that firms subject to this level of challenge will survive the resulting storms.

So, what might effective information security actually have cost ACS: Law? Well, a Web Application Penetration Test might have set them back £3k; implementation of an ISO27001 ISMS in a firm of this size might only have required an investment of about £10k (with another £3k or so for certification). Of course, effective information security also requires top management commitment as well as the deployment of internal time and resource – but, when you’re implementing an ISMS, you’re in control of the process. When you’re responding to a serious breach, you’re not.

Let me put it another way: an investment of about £20k, plus internal effort, might have been sufficient to prevent financial damages that could be somewhere between 10 and 100 times greater than the investment – or more. That’s the point about ‘unquantifiable damages’.

Prevention, in information security, is always better than cure.

The UK’s Financial Services Authority (FSA) this week fined Royal Bank of Scotland Group £5.6m for ‘failing to have adequate [IT] systems and controls in place to prevent breaches of UK financial sanctions’. The Australian IT News quite rightly identifies this as a massive failure in IT governance – which, of course, it is.

IT governance is defined as “a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives.“ (IT Governance: a Pocket Guide)

“RBSG’s automated screening failed to screen the majority of trade finance SWIFT messages generated in the international trade transactions that it carried out,” said the FSA; it could have gone on to say something like: ‘RBSG’s Board of Directors evidently does not have in place any formal process for ensuring that it’s IT infrastructure supports and enables its compliance to UK laws and regulations or the achievement of its strategies and objectives,’ but it didn’t. That, nevertheless, appears to be the case.

It always seems to me a pity that organisations have to be pushed, by substantial fines, to do things that have significant business benefits – but there we are!

This interesting article explains why old-fashioned crime – robbing a bank, say – has now gone online. It’s quicker, easier, and safer for the criminal. That does mean that organisations have to take care to protect themselves against cyber-criminals – and the steps that can be taken range from the simple (see 10 Rules of Information Security for the Smaller Business) to the sophisticated (implementing a best-practice Information Security Management System based on ISO27001, for instance).

At the very least, anyone with corporate responsibilities should have a reasonable understanding of cybercrime – as well as of cyberterrorism and its close cousin, cyberwar. There is a wide range of issues that today fall under the heading of White Collar Crime, and which need attention. Your business is at risk – finding out about the risks is a good first step to taking appropriate action!

The new Information Commissioner, Christopher Graham, has recognised that current penalties for breaching the UK Data Protection Act are derisory and has called for the introduction of prison sentences for reckless breaches.

Excellent.

But not enough - the ICO is only responding to pathetic sentences given to private investigators and others who actively and deliberately breached the DPA. As I have said on previous occasions, we need to go much further. The only way that we will develop a real culture of compliance is if directors of companies that breach the DPA are personally liable for fines and prison sentences for failing to ensure that their companies took adequate steps to comply with the DPA.

After all, if larger organisations took appropriate steps to protect personal data, it would be that much harder for the unscrupulous smaller operators to breach their security to illegally obtain data, wouldn’t it?

While I’m probably more interested in governance than the average person, I do sometimes worry that contextualising information and compliance challenges as governance issues can delay organisations from taking the obvious, common-sense action.

This intelligent article on mobile security governance, for instance, identifies all the steps that organisations should take in considering risks to data posed by the mobile network. See how far you have to read through it before you find guidance to apply encryption to key mobile devices - all laptops and any USB sticks or PDAs that carry sensitive information. The sensible approach is to first apply encryption, which deals with the largest number of mobile device-related risks while keeping you within regulatory requirements, and then to stop and consider what other risks might need mitigation.

You don’t want to have to tell 1,000s or millions of customers or members of staff why someone leaving a laptop at the busstop has exposed all their personal details to fraud and identity theft. Explaining that you were considering the range of risks before deciding what action to take is likely to elicit the same sort of response as a UK MP explaining that their inappropriate expense claims were ‘within the rules’.

It’s great that Hector Sants has said that “delivery of supervision has to be done in partnership with responsible firms, shareholders and auditors.” (It’s a pity that Sants is inconsistent, but that’s another matter.)
The thing is, he’s not exactly saying anything new. I summarised the current position last year in my book on Corporate Governance (the square brackets are my current interpolations):

Institutional Shareholders

The Combined Code [UK Combined Code on Corporate Governance – in place for 10 years] also requires institutional shareholders to interact proactively and objectively with the companies in which they are invested. There are three main principles for institutional shareholders to observe: 

1. Institutional shareholders should enter into a dialogue with companies based on the mutual understanding of objectives. (E.1)
2. When evaluating companies’ governance arrangements, particularly those relating to board structure and composition, institutional shareholders should give due weight to all relevant factors drawn to their attention. (E.2)
3. Institutional shareholders have a responsibility to make considered use of their votes. (E.3)

The Combined Code explicitly recommends that institutional investors should not accept a ‘box-ticking’ approach to corporate governance, and that their consideration of disclosures made by the company in relation to the Code should take into account the “size and complexity of the company and the nature of the risks and challenges it faces” (supporting principle to E.2)

The Combined Code recommends (supporting principle to E.1) that City [ie investing] institutions should follow “The Responsibilities of Institutional Shareholders and Agents – Statement of Principles”, which were drawn up by the Institutional Shareholders’ Committee (ISC)^[1], whose associations represent virtually all UK institutional investors.

The principles were the first comprehensive statement of best practice governing the responsibilities of institutional shareholders and investment managers in relation to the companies in which they invest. 

“They aim to secure value for ultimate beneficiaries – pension scheme members and individual savers – through consistent monitoring of the performance of those companies. This is to be backed up by direct engagement where appropriate.  The principles make it clear that if companies persistently fail to respond to concerns, institutional shareholders and investment managers, ISC members will vote against the Board at general meetings.

The principles set out best practice for institutional shareholders and investment managers, under which they will:

· Maintain and publish statements of their policies in respect of active engagement with the companies in which they invest;
· Monitor the performance of and maintain an appropriate dialogue with those companies;
· Intervene where necessary;
· Evaluate the impact of their policies; and
· In the case of investment managers, report back to the clients on whose behalf they invest.”^[2]

What’s the reality? 

The reality is that active shareholder engagement has – in both London and New York – been extremely limited; after all, the management fees they were earning from ignoring the real risks being run by the companies in which they were invested supported an exciting personal life style. The real victims are the ordinary folk who fell for the polished pitch of the fund managers, who sold so effectively the idea that managing cash is so difficult and complex that ordinary people can’t do it. (An ordinary person said, on a panel interview programme here a couple of weeks ago: ‘I can’t run a bank; can I get a £695k pa pension?’). It’s all very well asking the institutional investors to exercise their governance responsibilities responsibly, but they too have their fingers in the till.

So, isn’t it time we taught basic financial risk management to ordinary people? I know this might require breaking the centuries-old link between financiers and politicians, but perhaps that might start a move toward a society in which those who produce the cash don’t have it conned out of them…..sorry, that’s a bit hopeful…

The essential difference between the US and the UK models of corporate governance is that, in the UK, there is a clear understanding of how board rooms work combined with a flexible, principles-based approach while, in the US, corporate governance is essentially an expensive compliance activity that gives CEOs a level of autonomy that allows them, sooner or later to wreck their companies - and the economy.

The usual situation, in a US-listed company, is that the CEO is also the Chairman of the Board; in the UK, this is highly unusual and, whenever it happens, there is a furore amongst investors and in the press.

The usual practice, in the UK, is that the board is chaired by an independent director, who is usually non-executive and who is genuinely independent – and it is recognised that, once a Chairman has been in situ for too long, he (or she) ceases to be independent. The CEO – however mighty, however well-rewarded – reports to the Chairman and, when the CEO fails in his role, the Chairman is responsible for ensuring that appropriate action is taken to ‘drop the pilot.’  The UK board is made up of a majority of independent directors and, in larger companies, there will usually be a recognised ‘senior director’ whose role it is to ensure that the Chairman doesn’t ‘go native’ and who would be expected to lead the board’s annual review of the Chairman’s performance.

US CEOs talk of themselves serving ‘at the pleasure of the board’; of course, this doesn’t really mean much as it is usually the CEO who chairs the board which, itself, is usually made up of ‘outside’ directors with whom the CEO has personal relationships. CEOs of US American companies are therefore usually in place for far too long and, because there is no genuinely independent control over their compensation packages, are hugely overpaid. (I’m never that impressed by a CEO offering to take a $1 salary for a year – it would be so much more impressive if he also volunteered to return 50% or more of the previous year’s multi-million dollar over-compensation to the company.)

While the UK corporate governance model doesn’t always protect UK shareholders from incompetence or stupidity on the part of their boards, it does at least help UK companies avoid a situation where their CEOs turn up in Parliament with a begging bowl, having flown there on parallel private jet flights. One would have thought that any Chairman worth his or her salt would immediately have sacked a CEO who is so far removed from reality that, when asked the direct question on camera about whether they would immediately dispose of the private jet and return home by commercial airline, he couldn’t even come up with a plausible response.

And, while the world has clearly been living beyond its means for far too long, it’s also clear that the US cult of the CEO ego is right at the heart of the huge, ill-considered, crazy bets that their companies have taken – and as a result of which we all now face a long, hard few years.

The US now needs a corporate governance code that resembles the UK’s Combined Code; in the UK, in the meantime, we need to get on with improving our own performance. We also need institutional shareholders tough and determined enough to insist on board changes when their boards are destroying the investments for which they have a fiduciary responsibility.