Posts Tagged ‘infosec’

“He’s such a cute kid…”

Friday, June 24th, 2005

No, really, that’s what the Times of London claimed, in an article today, was the reason given by a Delhi Call Centre’s Head of Personnel for taking on someone who allegedly collected and sold account holder identity details. Addresses, passwords, credit card security codes, the works – and he said he could get 2,000 such details a month!

The Head of Personnel apparently had no qualms in taking him on, even though they hadn’t got any of the required three references. The reason that a company has clear rules on things like references, and rigorous CV scrutiny and checks, is that a significant percentage of people lie on their CVs and at interviews. Organizations dealing with confidential information have an obligation to apply basic recruitment discipline – the principles of which pre-date the Internet.

Information security depends on people, process and technology – working together. When one component fails, there’s a hole – and the bad guys exploit holes ruthlessly. As this one Head of HR has found out.

“I wasn’t fussed about the reference because I thought he had vision,” she said. No lie!

Will she keep her own job after so egregious a breach of basic personnel procedures?

Crash and burn – you don’t have to

Monday, December 20th, 2004

2005 will be the year that more organizations crash and burn through inadequate information security and IT governance practices: more IT projects will go wrong, and there will be more malicious incidents, more organised crime frauds and some serious terror attacks, along with even more viruses and increasingly clever spammers. Remembering that 80% of organizations never recover from a serious business interruption (fire, fraud, terrorism, etc), the turn of the year is a good time to re-think security postures.

The revised and updated ISO 17799, due out in Spring 2005, will not, on its own, save many organizations. What will save organizations is directors and boards making a conscious effort to put information security on their board agendas and to keep it there throughout the year, while they make sure that their organizations are tackling IT projects and information security strategically and systematically.

Seven surveys point to management failings

Thursday, November 4th, 2004

Seven surveys over the last six months all point to ongoing management failures to grasp the nettle of effective IT governance and information security. When you consider the risks – both financial and reputational – taken by organisations who fail in any of the areas highlighted by these surveys, you wonder why IT governance isn’t right on top of the board agenda. What do you think?
