Alan Calder on IT Governance, information security & ISO 27001

I think it’s a great pity – but clearly unavoidable – that the FSA has arrived at the view that it will have to fine individual board-level executives of retail banks if it is to get them to take adequate measures to protect customers’s information. I think this is excellent news – particularly the clear statement that ‘FSA wants to avoid executives palming off overall security responsibilities onto the IT department. Chief executives, compliance officers and board-level IT directors could all be held responsible.’

One would have thought that banks might have spotted that protecting customer information might be a fundamental part of customer care in this identity-theft age but, then again, I guess we might have expected banks to have spotted that it might not make sense to lend someone of limited income 130% of the already-inflated value of a house. 

A number of UK banks have been – or are about to be – taken into public ownership. The UK government doesn’t exactly have a great track record (eg HMRC, MOD, etc) when it comes to protecting personal data, either. So we have to hope that the FSA will have the courage to fine the government-appointed directors of nationalised banks where they fail to ensure their organisation takes adequate steps to protect personal data – or the protection of personal data in the UK will just become even more difficult.

Well, that’s a relief – the UK government has caught up with the fact that there are criminals on the Internet. The government has said that it will spend £7 million to establish the Police Central E-crime Unit (PceU) in London, that it will be run by London’s Metropolitan Police and will be more than half-funded by the Met.

I’m not going to waste time talking about the fantastic stupidity of creating and then, after three years, disbanding the High-Tech Crime Unit (creating SOCA, the Serious and Organised Crime Agency, whose priorities were drugs, people smuggling and similar more ‘traditional’ crimes) just as serious criminals migrated to the Internet. I am, though, going to make the obvious point that, even if the PceU does get going fairly early in 2009, it will still be something like two years before it will start being effective – it just takes a long time to get a new organisation (particularly a publicly-funded one) working, to get objectives and modi operandi and personnel and media and all those things properly sorted. And, in that time, cybercrime will become more sophisticated and the challenge of controlling it even more complex.

Let me put it another way: establishment of the PceU will be no panacea, anytime soon, for cyberthreats. Sensible organisations are just going to have keep on doing their own risk management around this issue.

I’ve always thought organisations that sell their ‘software solutions’ entirely on the basis of Fear, Uncertainty and Doubt should on principle be shunned by all right-thinking CIOs and IT managers. Of course, there is a certain amount of FUD that software solutions have to combat, but sales should primarily be made to deliver quantifiable returns on investment (and I recognise that is not always an easy calculation).

It’s therefore a pleasure to see that Microsoft and Washington State’s Attorney General have filed lawsuits against scam artists who frighten consumers into buying useless software, and I hope these scam organisations are stopped.

The scary message, though, is this: ‘A recent report from North Carolina State University showed that most internet users are unable to tell the difference between genuine and fake pop-up messages. “This study demonstrates how easy it is to fool people on the web,” said co-author Dr Michael S Wogalter, professor of psychology. Despite being told some of the messages were fake, people hit the OK button 63% of the time.’ 

In other words, FUD will sadly be an effective sales tactic for so long as people allow themselves to be duped. Awareness and training become an ever more essential aspect of preparing people – consumers and employees – for what they will find on the Web.

I watched the Congressional clash of ideology and pragmatism play itself out in the US stockmarkets yesterday and through Asia overnight.  While I’m not entirely clear on the point of a vote that avoids spending $700 bn but triggers a $1 Trillion stockmarket slide, I am clear that the financial disaster will negatively impact the real economy. Even though this month’s Fortune magazine argued that, in the real (US) economy, there was no evidence of a recession, I can’t see how a combination of restricted credit, devalued assets, deleveraged businesses, increased unemployment, and reduced output can translate into anything other than a downturn.

While I largely agree with the analysis in this blog: Impact of the Economic Crisis on Security, I do think that Boards and IT management teams have it within their power to avoid the traditional knee-jerk response to a crisis, which is usually to cut investment, cut training, and cut corners. The key strategic fact is that IT is now fundamental to both survival and success – and, in a tougher economic climate, those organisations that more effectlvely leverage their information and IT investment are likely to be those organisations that are still standing at the end of the shake out. Of course, I’m only talking here about those organisations that have a living, breathing enterprise risk management framework – as we’ve seen, those who substitute hope for objective risk management get to go bust.

Put another way, effective IT governance will, in many instances, be the difference between success and failure.

The increasing incidence and serious nature of internal threats to the security of corporate information is well demonstrated by the recent need for Cable & Wireless to injunct a former executive to hand a 100,00-strong customer database back to her former employer. While the former executive denies the allegation, the BBC has established that the database is being used illegally by Pakistan call centres.

An effective information security management system (ie an ISMS in line with ISO27001) would have identified this risk and guarded against it. Identifying, investigating and responding to this sort of white collar corporate crime will increasingly be part of the ISMS operation, which is why we have just added a selection of useful books on White Collar Crime and Computer Forensics to our website.

We expect more stories of this sort.