Posts Tagged ‘IT Security’

Penny drops in the private sector – or does it?

Wednesday, March 8th, 2006

The Business Software Alliance believes that the private sector is waking up to IT security issues. In a survey of IT decision-makers they found a greater proportion are now concerned about the potential harm to their business from downtime and security breaches. Good news, but tellingly only 22% of non-IT specialist directors were felt to be exerting pressure on the IT security issue. There’s a long way to go before generalist directors come to recognize IT security as a vital executive responsibility.

Hot topic

Thursday, January 19th, 2006

ISO 27001 is becoming a hot topic. Since we began providing eBooks and online guidance about certification last October when the new standard was published we’ve seen traffic to our website rise by over 30%, and sales of our guides and toolkits are well ahead of expectations.

To make this information more widely available in a convenient format we are now offering our guides as printed books. The Case for ISO 27001 is a plain-English book designed to give non-technical directors an understanding of why information security is a C-Suite responsibility and how their companies need to respond to the IT security threat. Nine Steps to Success – an ISO 27001 Implementation Overview is a practical guide for IT security project managers that provides a rigorous process through which compliance and certification can be achieved without delay.

The books are priced at £29.95 each and are available from leading online booksellers, including Amazon, Waterstones, Barnes & Noble, Borders, FT Books, The Guardian Bookshop and Telegraph Books. They can also be bought directly from us here.

Giving the gift of security

Tuesday, January 3rd, 2006

Timely advice here from Doug Schweitzer at Computerworld, re the importance of making sure your new Christmas tech toys are all internet-secure. With laptops, iPods, et al now a gift of choice for all ages, it is really important to make sure that the lucky recipients of your gifts properly understand how to protect themselves. Don’t assume that everyone knows about viruses, hackers, trojans, etc., because the figures show that an alarming number of people still blunder on unaware. We’ll be addressing this issue in the coming months with a new issue of our IT security guide for the home user, ‘Internet Highway Code’. More on that soon.

Security audits

Wednesday, November 30th, 2005

Outsourcing, particularly in the information security space, should be about helping clients improve their security performance, rather than about vendors improving their performance at the expense of their clients. A recent comment from security software firm Solutionary, as reported in SC Magazine here, was that security audits are a bad thing in that they can encourage complacency. While there is sometimes truth in the argument, I think this is bending reality a little too conveniently to suit someone’s own marketing agenda. Of course complacency is the last thing that we need if IT security is to be achieved, but the answer isn’t necessarily to outsource the whole problem to a (doubtless excellent) security provider like Solutionary. IT security is a real concern for a lot of businesses for whom a security audit is an integral part of a balanced and comprehensive approach to information security. For these firms, security audits are very definitely an essential part of an affordable security solution. The important point is to ensure that audits don’t exist in isolation but are part of a proper ISMS that ensures compliance with – you guessed it – ISO 27001.

Firefox still feels the spin!

Wednesday, May 18th, 2005

The Firefox spin is getting slightly more desperate. In a story about the security holes in Firefox, Mozilla’s director of engineering is described as arguing that the feedback they get from their user community – and which helps them identify flaws – proves that security isn’t an afterthought.

Forgive my slowness but, if security was a pre-thought in Firefox, why would they need the feedback? Either they did think about it, and did it badly – which is quite scary if you’re a Firefox user – or they didn’t think about it. And if they need the feedback to identify the holes they failed to identify in the first place, why do they pretend they’re different from the other lot – who they accuse of treating security as an afterthought? I wonder if they know how to use the words pot, kettle and black in a meaningful sentence?

The other lot at least have a systematic, reliable method of patching the holes once they’re discovered.

IT governance – one step forward, but…

Wednesday, March 23rd, 2005

Tony Lock writes interestingly about the Niku Corporation’s recent survey: 6 out of 10 major European companies plan to deploy information governance and management solutions over the next two years.

It’s good news that such organizations want to effectively manage and measure IT performance; ensure that IT projects are prioritised in line with business needs; and that IT service delivery should be aligned with business requirements.

But it’s also old news: organizations have wanted to do that since the advent of computing as a key business tool.

The emergence of IT governance is to do with the “who” and the “how” of how IT is governed – and at the heart of IT governance is the notion that the board should recognise its accountability around IT and structure itself so that it is able to properly discharge that accountability. And this most emphatically does not require the deployment of IT governance “solutions” – “solutions” have a long history of expensive (albeit fashionable) failure, and IT governance is about moving away from IT industry inspired “solutions” to a governance framework that provides real IT leadership inside the organization.

Organizations that deploy “IT governance and management solutions” without having first created a board-led IT governance framework and environment will rue the day they allowed it to happen.

Hunting Firefoxes

Saturday, February 26th, 2005

I know that, in England, the townies have got together and banned the gentle country folk from hunting foxes. Just as many foxes will die, but that’s apparently all right – the poor things will be less terrified if they’re hunted by mistake and then shot than if they’re just hunted and then torn to pieces. I still don’t see how the outcome is different for the fox, but that’s probably just me.

I guess it’s just as important not to go hunting firefoxes – after all, the Mozilla Website says this of their wonderful browser: “built with your security in mind, Firefox keeps your computer safe”. Mozilla, of course, is telling the truth – so I really can’t work out why there are multiple vulnerabilities in Firefox (and Thunderbird and Mozilla). Of course, those vulnerabilities are all cured by upgrading to the latest version, but in what way is that different from what we get with Bill Gates’ product?

Does the fact that the Mozilla foundation has a page for its security advisories indicate that they know that the statement on their home page is not absolutely true, or do I just have a different idea of what my computer safety might look like (using a browser that doesn’t have vulnerabilities would be it) than the Mozilla foundation appears to have?

I think we should be told.

Ban unpatched computers

Wednesday, January 5th, 2005

The US CERT web site started the year showing, on its summary of the most frequent, high-impact security incidents, eight exploits that are not all completely new. MyDoom, Bagle and Sasser are all names that are recognizable from 2004, Zafi and Sober have been around for a bit, and only the Santy worm is a recent addition.

While the names are all recognizable, these are not the original exploits – they are variants. Virus writers continue to tweak these things to bypass the protection that organizations install and to exploit new software vulnerabilities. This threat becomes more serious when one realises that virus writers, hackers and spammers are increasingly co-operating to create networks of zombie computers (‘botnets’) and bypass computer defences.

The answer to every single one of the exploits identified by CERT is a combination of installing anti-virus software, keeping it updated and applying software patches as and when Microsoft release them. I guess the fact that these exploits are still so prevalent is clear and damning evidence that there are still too many organizations – and private individuals – who are still not current on either.

Isn’t it about time we started treating unpatched, unprotected computer users the same way that we treat drunk drivers?

Compliance, terrorism the board drivers

Tuesday, December 7th, 2004

It is clear, from market activity and recent surveys, that the two highest profile threats driving boards to pay real attention to information security today are punitive regulatory action for non-compliance and terrorist activity. If boards were to do effective risk assessments, however, they might find that these threats both fall into the ‘high impact, low probability’ category. Yes, it’s good news that the Director General of MI5 is encouraging business to ‘broaden [its] thinking about security issues.’ It’s good news that product vendors are getting senior management attention with slogans such as “Pay lip service to compliance and kiss your job goodbye”.

However, it’s the more boring, mundane threats that are really costing businesses – both financially and reputationally. While there is no standard methodology for estimating the cost of an information security incident, survey after survey reports businesses admitting to their occurrence and, in the case of the authoritative CSI/FBI survey (carried out amongst the CSI’s supposedly security conscious member firms), admitting to an average cost per incident of nearly $2 million – and this excluding the cost of any reputational damage.

This, to any business, is real money – and the cost of avoiding these losses is usually less than the cost of the losses themselves. Boards would be better advised – and shareholders better served – if they implemented comprehensive risk assessment methodologies than if they simply responded to high profile newspaper and government scare mongering.

What future is there for the IT Security department?

Wednesday, November 10th, 2004

There is an argument that IT security departments are so hard at work dealing with yesterday’s threats that they’re deeply incapable of reacting effectively to the developing threats and vulnerabilities that are inevitable as businesses push the frontiers of digital working and communication.

Certainly, IT departments and boards of directors don’t really understand one another and IT (and especially IT security) is all too often seen as a barrier rather than as a business enabler. The huge efforts and investment going into compliance computing (around both privacy and financial/operational reporting) can only increase the extent to which IT is seen as a barrier to the deployment of a cost-effective, flexible, business-centric IT infrastructure.

We need to develop a different approach – one which deals with risks and vulnerabilities – but which enables the organisation to compete flexibly and fast – we might call it real-world security.