The information security industry is still in its infancy and effort is needed for it to gain acceptance as a vital business area, last month’s annual conference of the BCS Information Security Specialist Group heard.

“There is a long way to go to get acceptance and investment in our industry. We are not yet as relied upon as the internet and certainly not as invested in as the IT industry in general,” said Phil Cracknell, director of Capgemini’s security consulting practice.

To achieve acceptance, the security industry needs assistance from the rest of the IT profession. Information specialists have to promote best practice, raise awareness and occasionally scaremonger, the conference heard. However, those efforts alone will not convince businesses that information security is vital to their operations.

“It will become vital, of course, when legislation tells businesses that they have to do something. We have seen this manifest with Sarbanes-Oxley and, more specifically, how accurate system logging goes some way to helping an organisation achieve compliance,” Cracknell said.

“Good logging is something security professionals have been trying to convince businesses to implement for years. Accountability – linking all access back to a real person – is a basic security audit principle and yet only when something as powerful as the Sarbanes-Oxley Act appears do we see any real activity in this area.”

The Basel 2 Accord will have a similar impact on risk management processes in businesses regulated by the Financial Services Authority, and it is likely that this will spread to non-regulated suppliers of these businesses, delegates were told.

Public reporting of major security incidents has also been problematic for the UK IT security industry. Companies suffering a breach are reluctant to go public for fear of negative publicity damaging their business.

The damage suffered by Citibank in 1995, when funds were stolen electronically, was made worse by some customers closing accounts or withdrawing funds after hearing about it. However, publicity such as this can help the wider cause of IT security, the conference heard.

Delegates agreed that some corporates pay “lip service” to security, handing it the leftovers from the IT budget. Media reports of security breaches can be a wake-up call for boards.

Internally, risk management needs to be better aligned with security. Security measures should be driven by clearly identified and fully costed risks. In that way, any case for security technology is a simple and clear business decision with all the backing it requires, delegates concluded.