When an issue becomes so grave that it threatens the
national way of life, a "tsar" is ushered in by the prime minister
to fix it. Something similar is happening in the corporate world,
where security bouncers are being appointed to ensure the company
infrastructure is protected from internal and external
attack.
The chief information security officer (CISO) goes under a
variety of titles, but they are the person who carries the can for
keeping businesses secure and the regulators happy. They are more
common in the US, where growing pressure to comply with corporate
governance legislation such as Sarbanes-Oxley has spawned a new
population of CISOs.
However, the UK is fast following suit and the progress of the
forthcoming Companies Bill will produce a fresh population of
security chiefs.
"Everyone is very concerned that customer files and corporate
accounting information are protected and that someone is
accountable," says Brian Collins, professor of information systems
at Cranfield University. "The UK is treating data ownership more
seriously, and security is becoming part of a risk management and
data ownership strategy."
The Companies Bill may be the stimulus for reviewing how
accounting data is treated. But strategies for managing security
have been evolving since the days when firewalls were seen as the
ultimate panacea. The role has certainly grown beyond the scope of
an individual, or even a team, whose purpose is to outwit external
attacks over IP networks.
Company directors are waking up to the fact that exposing
customer data to a security breach will not just harm the brand; it
could put them out of business.
Public services organisations are just getting a handle on the
implications of the Freedom of Information Act - when to keep
information and when to dispose of it. And a further challenge is
the increasing number of internal security breaches at UK
organisations, according to the Department of Trade &
Industry's 2004 Security Survey.
According to analyst firm Gartner, the bodies of technical
expertise set up in the 1990s to protect internet users are no
longer the appropriate stewards of security.
"By 1996, everything you wanted to have done on a firewall had
been done," says Gartner research vice-president Jay Heiser. "We
are done with that. Security expertise is becoming a lot more
tactical and is part of broader business risk."
According to Gartner, the maturation of technology makes it safe
to put security into the hands of a high-level risk manager who is
the intermediary between the business and IT. It predicts that by
2008, 65% of the Global 2000 companies will employ a CISO to
operate a centralised security programme.
"There is an arms race of security technology going on today.
Companies need [the CISO] to make educated choices because each
organisation has different needs that call for different
approaches," says Paul Proctor, research vice-president at
Gartner.
However, others question whether a risk assessor could take on
as complex an issue as security as just another part of their portfolio.
"Personally, I cannot see a business person or a professional
manager being able to sort this one out," says David Roberts, chief
executive of user group the Corporate IT Forum.
"There is a point at which the focus of security moves from
wires and bits and bytes to the words on pieces of paper," says
Roberts. "But the bottom line is that in order to assess risk and
formulate policy, one must understand the complexities of the
technology."
The argument for having a business manager in charge is also
flawed because it assumes security technology is mature, says
Collins. "There are lots of threats for which the CISO does not
have an instant set of tools," he says. "It is an overstatement to
say that technology is mature."
Technology for totally eliminating spam is not there, for
example, nor is there a single tool to monitor the configuring and
patching of all devices.
Although there is no consensus about who should be in charge,
there is agreement about the need for a change in mindset. The move
towards viewing IT security as an intrinsic part of the corporate
infrastructure has partly been a response to wider global
events.
"Y2K prompted people to think about the holistic impact of IT.
Also, after 9/11 the concept of the critical national
infrastructure started to mature," says Collins.
As a result of this holistic thinking, an emphasis on evaluating
risk, rather than on technical skill alone, is filtering into
security roles in all kinds of organisations.
At the high end, Zurich Financial Services has discovered this
approach can yield big savings. And the good news for smaller
companies is that they do not have to employ someone on an enormous
salary to be risk savvy.
This is demonstrated by the approach of Brian Shorten,
information risk manager at Cancer Research UK, who explains the
framework for security provision at the charity.
"As with all risk, you look at what the assets are, the threat
to them and the cost of something adversely affecting them," he
says.
Security accounts for between 1% and 2% of Cancer Research UK's
IT budget, and the charity always favours pragmatism over technical
sophistication purely for the sake of it, says Shorten.
"If you need to check the identity of people entering an office
area, such as in one of Cancer Research UK's shops, there are
several solutions. One is to buy smartcards. The more effective and
cheaper alternative would be to install a reception desk and ask
everyone to sign in and out," he says.
Simon Janes, former Scotland Yard detective and consultant at
security specialist Ibas, says the job description for security
chiefs needs to get broader. Risk is just one of many aspects of
the job that they will need to master, he says. "The job
description is wider in scope than IT security. It has to include
legal domains and physical security too," he says.
He advises the next generation of security chiefs to install
procedures for incident handling, to cope with the surge of
internal, physical breaches of security that are occurring as
storage devices get smaller and more mobile. Managing physical
security tends to fall between the IT and human resources
departments and could be a weak link.
"You have to ensure that you comply with the law when you are
investigating an incident, otherwise evidence can be thrown out in
court," he says.
Janes also believes that success in the security realm is more
likely if the role is a dedicated one. "The police force knows this
and has dedicated teams for handling armed robbery and drugs," he
says.
Because of the interdependence of different functions, one of
the critical tasks of the CISO is to get conversations going across
different divisions. The most critical of these is the conversation
with the HR department.
"One of the roles of the security officer is to educate the HR
department about the dangers of IT abuse. The law is out of date
and it is not an easy function to get hold of. Defining what
employees can and cannot do needs discussion and this is something
that IT should lead," says Roberts.
Meanwhile, although firms are starting to evaluate risk more closely
before spending money on security, most of the budget is still
spent after an incident, according to Collins.
"The budget is moving towards spend on the management of
incidents. Because of the negative impact on brand value, security
breaches can affect capitalisation of market value," he says.
Roberts says, "Whoever gets to be security tsar in the new era
will have to be a multi-dimensional person. They will need to talk
to HR, the business, IT and finance, and certainly the legal team.
But if they do not have the underlying understanding that will
enable them to spot the vulnerabilities, all the words in the world
will not make a difference."
Case study: Zurich Financial Services
Zurich Financial Services overhauled its security strategy as
part of a larger consolidation that saw two datacentres and 20
global chief information officers merge into one operation. The
cost of running IT was reduced from £2bn to about £1bn.
Security had previously consisted of a very small team that was
distributed worldwide among the regional IT departments. "There
were no synergies and no collaboration. It was virtually impossible
to agree on anything," says Stefan Vogt, head of IT risk at Zurich
Financial Services.
Post reorganisation, the firm decided to take an insurance
approach to its information security. "Our business is calculating
the risk of things going wrong and putting money on that risk,"
says Vogt. "What is different between that and making sure that a
relatively large IT infrastructure is secure? We are a classic IT
information shop that has grown into an information risk management
business."
This means that configuring firewalls or managing secure clients
day to day is no longer the job. Instead, the role revolves around
reporting on risk and creating policy. There are two components
to this - the risk strategy and
risk management. The former is akin to the pilot boat. "We are like
a small boat ahead of the parent ship, spotting icebergs," says
Vogt.
The twin priorities for 2005 have been to achieve operational
efficiency and raise the awareness of information security.
To achieve operational efficiency, it was essential to find a
way of reporting risk. This had originally been done through a
traffic light system, but a dashboard approach offered the company
a more comprehensive way of flagging different risks.
The traffic light system works by periodically assessing risks
and giving each a green, amber or red light, depending on
the level of risk. The dashboard approach gives an overall view of
the operational and security landscape inside the company and allows
proactive monitoring.
A key aspect of the new risk management regime was to quantify
the risk. "I expressed this in dollars as a figure we could expect
to lose if a certain aspect of security were to fail," says
Vogt.
"People challenged these figures of course, but were usually
unable to come up with an alternative. And the figure promoted
discussion, which is healthy. It is better to have the discussion
than the old default of 'let's install another firewall'."
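The risk arithmetic described by Shorten (assets, the threats to them and the cost of loss) and by Vogt (risk expressed as an expected dollar loss, then rated for a traffic-light or dashboard view) can be made concrete with a small risk register. The following is an added example, not code from the article, Cancer Research UK or Zurich Financial Services. It uses the standard annualised loss expectancy (ALE = single loss expectancy x annual rate of occurrence). Every figure in it (assets, loss sizes, frequencies, control costs, residual-frequency factors and the red/amber thresholds) is constructed for illustration and is an assumption, as are the function names.

```python
"""Quantitative risk register: ALE, traffic lights and control comparison.

Added example, not code from the article or any organisation it quotes.
All figures (assets, loss sizes, frequencies, control costs, thresholds,
residual-frequency factors) are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annualised rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: the yearly figure to 'put money on'."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_aro_factor: float  # fraction of occurrences left after the control (assumed)


def traffic_light(ale: float, red_at: float = 100_000, amber_at: float = 30_000) -> str:
    """Map an ALE to the periodic red/amber/green rating (thresholds are assumptions)."""
    if ale >= red_at:
        return "red"
    if ale >= amber_at:
        return "amber"
    return "green"


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control has cut the frequency of the threat."""
    return risk.sle * risk.aro * control.residual_aro_factor


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE avoided minus the control's cost; negative means it is not worth buying."""
    return (risk.ale - residual_ale(risk, control)) - control.annual_cost


def best_control(risk: Risk, controls: list[Control]) -> Control:
    """Pick the control with the largest net benefit for this risk."""
    return max(controls, key=lambda c: net_benefit(risk, c))


def dashboard(risks: list[Risk]) -> dict[str, dict]:
    """One row per asset with its ALE and light: the dashboard view."""
    return {
        r.asset: {"threat": r.threat, "ale": r.ale, "light": traffic_light(r.ale)}
        for r in risks
    }


def total_ale(risks: list[Risk]) -> float:
    return sum(r.ale for r in risks)


# Constructed register (all numbers invented for the example).
REGISTER = [
    Risk("customer database", "breach and disclosure", sle=400_000, aro=0.25),
    Risk("shop back office", "unauthorised entry", sle=20_000, aro=2.0),
    Risk("field laptops", "loss or theft", sle=50_000, aro=0.5),
]

# Two candidate controls for the shop-entry risk (costs and effects assumed).
SHOP_ENTRY_CONTROLS = [
    Control("smartcard door access", annual_cost=25_000, residual_aro_factor=0.25),
    Control("reception desk with sign-in", annual_cost=10_000, residual_aro_factor=0.5),
]


def main() -> None:
    for asset, row in dashboard(REGISTER).items():
        print(f"{asset:<18} {row['threat']:<24} ALE {row['ale']:>10,.0f}  {row['light']}")
    print(f"total ALE {total_ale(REGISTER):,.0f}")
    shop = REGISTER[1]
    for c in SHOP_ENTRY_CONTROLS:
        print(f"{c.name:<30} net benefit {net_benefit(shop, c):>8,.0f}")
    print("choose:", best_control(shop, SHOP_ENTRY_CONTROLS).name)


if __name__ == "__main__":
    main()
```

With these invented inputs the database breach lands on red, the shop entry on amber and the laptops on green, and the cheaper reception desk beats the smartcard system on net benefit, which is the kind of comparison the article's pragmatism argument rests on. The value of the exercise is less the numbers than that every figure can be challenged and replaced, which is the discussion Vogt describes.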