Alan Calder on IT Governance, information security & ISO 27001

More meat on the bones of worries about Instant Messaging. A recent survey found that 81% of IT managers reported a security incident due to Instant Messaging or other ‘greynets’, such as Skype. These incidents cost companies real money – nearly $130,000 annually to be precise. The survey also shows that more users are adopting greynet applications, yet little progress has been made toward combating greynet-related attacks.

This being the case it is all the more vital to tackle the human dimension. Companies that implement ISO 27001 will have clearly communicated policies in place to cover such applications, audit processes to check that rules are being followed and unambiguous penalties for individuals who go against their responsibilities to the company and their colleagues.

Spotted an interesting article at SC Magazine talking about concerns over the security of VoIP. If ever a story pointed, unwittingly, at the fact that good information security is a business-enabler, this is it! Technology helps businesses perform better, more efficiently, and more profitably.

New technology also creates opportunities for new attacks. Effective information security – a key leg of IT governance – enables this new technology to mostly bring benefits, rather than problems.

It would be useful if rather more executives focused on the critical role that information security and IT governance can play in helping their businesses advance to success.

I know it’s not news, but it winds me up that there’s a whole industry out here that depends on software faults and basic failings. The information security industry (including my books and company) wouldn’t exist if software manufacturers and others did their job properly – calling their failings ‘vulnerabilties’ is nice, but it doesn’t change the reality.

And new products are launched that just aren’t good enough – take Instant Messenger – or wireless – and now VoIP – and it even appears that VPNs aren’t up to scratch – “right first time” is a pretty hard concept, isn’t it? For instance, I thought I’d done an excellent job on the updae version of my book, but the copy editor came back with nearly 30 queries – and she hasn’t told me how many she just corrected without mentioning them.

Of course, I like it that there’s a business opportunity for us all, but I can’t help wondering how much better at fighting the bad guys we would be if we didn’t have to spend so much time filling the holes left by our own side.