Posts Tagged ‘CSOs’

The CSO – a rare breed

Wednesday, June 6th, 2007

David Lacey has a good post on his ComputerWeekly blog, questioning whether it makes sense to combine responsibility for both physical and information security. He highlights the potential benefits, but rightly points out that virtually nobody has all the skills required. It seems strange how many companies seem to be talking about appointing a Chief Security Officer when so few qualified candidates exist.

As I have said previously, this idea is good in principle, but is fashionable before its time. What are needed are some new training options to enable people to develop the necessary expertise. In the meantime, companies should put this bright idea back on the shelf and bring it down again in about five years, by which time supply may hopefully match demand.

Rise of the Chief Security Officer

Monday, April 16th, 2007

More proof that the much vaunted convergence of information security and physical security is being made flesh: ‘Research from the Economist Intelligence Unit shows the number of CSOs taking ultimate responsibility for the security of a business has almost doubled year-on-year.’

As this article says, CSOs – and in my view CIOs too – need to understand the business and be able to relate security to its needs. The concept of the CSO is in principle a good one, but it calls for a very broad range of abilities and experiences, and I am a little concerned as to where that talent is being nurtured.

While there may have been a doubling in the number of CSOs, I worry that the difference between a good and an indifferent office holder may be down to luck for many employers. We need to see more work done in the area of defining the CSO’s role and consequently what training and career experience is appropriate for achieving this office. Only then can we begin to have some confidence that the CSO title will deliver the reassurance it suggests.

Security convergence

Monday, January 9th, 2006

Just when you thought the IT security plate was sufficiently full, here’s the next big thing to digest: security convergence.

Given the rising tide of internet crime and international terrorist activity, companies are beginning to think about how to bring together the separate strands of IT security and physical security. I’ve written before about the importance of taking a holistic approach to information security (including in my books about implementing information security management systems), and a very thorough article here at CSO Online reflects the experience of several major US organisations.

Of course, not every company has the scale or nature to require a Chief Security Officer on the board. However, it IS in the interests of every company to have a coherent approach to ensuring overall security and business continuity. Becoming ISO 27001-compliant is the starting point for any business serious about managing IT security risks, but there are undoubtedly lessons in this article for SMBs as well as multinationals.

Expect to hear a lot more about this topic in 2006.

Information security doesn’t count

Monday, January 24th, 2005

Boardrooms are full of people who understand numbers, and businesses are run by numbers. The question that independent directors are really interested in asking the executives is usually: “How are the numbers looking?” The executives in turn have a series of questions they ask senior people inside their organization, things like: “What’s our sales conversion rate looking like?”, “Are we on track to hit that cost-reduction target?” or “Why has the component failure rate crept up over 1.3%?” And, because all these measurements are important, people have answers; they also know that things that are not measured aren’t as important.

So, how do we get information security to matter in the board room? We try and frighten the directors, is usually how. Now, there’s nothing wrong with fear as a motivator (and we all know that there’s a lot to fear, whether it’s external threats or compliance requirements) but if information security is ever to have long term importance in the board room, it’s got to be something that has a set of meaningful numbers attached to it. And that’s hard, because not only is there no standard methodology, there aren’t even any commonly accepted methods of costing even the most common incidents, threats or solutions.

And this is not surprising. In an environment where fear is the driver, most organizations will seize on any data they can use to support their pitch; for instance, the claim that spam is currently 80% of all e-mail and is growing at 20% per year is a pretty useless statistic - what will our e-mail system look like in three years’ time? And what does it matter if you have a properly configured spam filter? What is the real cost of filtering out spam? And does it matter more or less than the 100,000 viruses in the wild? What is the real cost of leaked information, and what is the real incidence of this type of espionage? How many intrusions of what sort were blocked last week, with what sort of benefit to the business? What metrics should be used to assess the deployment of an information security solution? Does anyone know the answers?

Until the information security industry can produce coherent, meaningful answers to these questions, CIOs, CSOs and CTOs will struggle to communicate meaningfully with their colleagues and businesses will struggle to really get to grips with the issues.