Posts Tagged ‘Compliance’

Open Compliance & Ethics Group

Friday, February 3rd, 2006

An interesting announcement this week:

The Open Compliance and Ethics Group (OCEG), a nonprofit organization with a mission to help organizations align their governance, risk and compliance (GRC) management activities to drive business performance and promote integrity, announced today the launch of the OCEG IT Forum. The OCEG IT Forum integrates multiple events and publications to create a sustained resource available throughout the year where IT executives, GRC program managers, solution providers as well as thought leaders exchange and validate best practices and confront the technical and operational challenges that they face.

Read the full release here.

Regulation and innovation

Monday, June 13th, 2005

I read a scary article in the UK’s Computing News last week – it reported that the EU Commission is launching a ‘five-year technology strategy to foster economic growth and job creation’ and goes on to say that, in order to make the EU the most competitive knowledge economy in the world, the EU strategy focuses on ‘regulation, R&D, and closing the digital divide.’

Now, the scary thing is that someone, somewhere, not only believes that regulation is a critical leg of a triune strategy to boost competitiveness, but also believes that we’re all going to buy into it. The only thing that regulation does is restrict competitiveness, as the highly regulated and determinedly sclerotic economies of old Europe have been demonstrating for some time. Of course, some people do very well out of regulation – a major part of the BS7799 business is to do with demonstrating compliance with the regulation – so I shouldn’t complain!

Sarbanes Oxley culprits

Tuesday, January 25th, 2005

According to Compliance Week, 582 companies have – under Sarbanes Oxley’s section 404 – so far disclosed material weaknesses or significant deficiencies in internal controls in respect of last year.

Wow!

Considering the amount of time that all companies have had – and the number who have not had to make disclosures – this is a disturbing number. Remember, these are meant to be serious internal control weaknesses, so it’s unlikely that anyone is making disclosures just to cover their backs – Moody’s is one ratings agency that talks of re-considering a company’s rating if there are disclosures. In fact, a Moody’s analyst pointed out that the disclosures called into question the management’s competence to run their business.

Apart from all the inevitable questions there must be about what the directors are actually paid for, and how come they aren’t all fired, there is a more fundamental question: if it took Sarbanes Oxley to flush out all these internal control weaknesses, what would be happening without it?

There is, apparently, a growing complaint movement from boards and directors about the requirements of Sarbanes – but it seems to me that Sarbanes didn’t come a moment too soon.

Compliance, terrorism the board drivers

Tuesday, December 7th, 2004

It is clear, from market activity and recent surveys, that the two highest profile threats driving boards to pay real attention to information security today are punitive regulatory action for non-compliance and terrorist activity. If boards were to do effective risk assessments, however, they might find that these threats both fall into the ‘high impact, low probability’ category. Yes, it’s good news that the Director General of MI5 is encouraging business to ‘broaden [its] thinking about security issues.’ It’s good news that product vendors are getting senior management attention with slogans such as “Pay lip service to compliance and kiss your job goodbye”.

However, it’s the more boring, mundane threats that are really costing businesses – both financially and reputationally. While there is no standard methodology for estimating the cost of an information security incident, survey after survey reports businesses admitting to their occurrence and, in the case of the authoritative CSI/FBI survey (carried out amongst the CSI’s supposedly security conscious member firms), admitting to an average cost per incident of nearly $2 million – and this excluding the cost of any reputational damage.

This, to any business, is real money – and the cost of avoiding these losses is usually less than the cost of the losses themselves. Boards would be better advised – and shareholders better served – if they implemented comprehensive risk assessment methodologies than if they simply responded to high profile newspaper and government scare mongering.

CCOs – do you need one?

Monday, December 6th, 2004

35% of Global 2000 companies now have a Chief Compliance Officer – and not all of these companies are in the financial sector. The weight of compliance legislation (particularly Sarbanes Oxley, Corporate Governance codes around the world, Privacy regulations, etc) and the workload faced by the audit committee and by the CFO are, between them, encouraging a number of major organisations to appoint a Chief Compliance Officer. The question is: is this role really going to make a difference, or is it simply going to create more confusion inside organisations?

The issue is that, today, compliance fundamentally depends on technology and has significant financial involvement – from reporting through to costs. Already, on balance, CEOs and CIOs are failing to communicate. The CCO will have to communicate with the CEO, the CIO, the CFO, the audit committee and the IT governance committee (if there is one) – and will need substantial legal expertise to boot. If the CCO can effectively co-ordinate all these business functions, then there is a possibility that compliance will actually be improved – if not, the CCO will simply add to bureaucracy and inefficiency, without any significant improvement in the information security posture of the organisation.

What future is there for the IT Security department?

Wednesday, November 10th, 2004

There is an argument that IT security departments are so hard at work dealing with yesterday’s threats that they’re deeply incapable of reacting effectively to the developing threats and vulnerabilities that are inevitable as businesses push the frontiers of digital working and communication.
Certainly, IT departments and boards of directors don’t really understand one another and IT (and especially IT security) is all too often seen as a barrier rather than as a business enabler. The huge efforts and investment going into compliance computing (around both privacy and financial/operational reporting) can only increase the extent to which IT is seen as a barrier to the deployment of a cost-effective, flexible, business-centric IT infrastructure.
We need to develop a different approach – one which deals with risks and vulnerabilities – but which enables the organisation to compete flexibly and fast – we might call it real-world security.