

The 2006 BCS President's Award turns the spotlight on
the need for effective investment in information
security
Every year the president of the British Computer Society looks
to introduce a new award that reflects the changing landscape of
the IT industry. The 2006 President's Award was for Investment in
Information Security, sponsored by security specialist McAfee.
"Despite being crucial to business operations, information
security can often be overlooked for investment with 'technologies
of the moment' being favoured. IT and security teams need to be
making investments based on measurable benefits to the business,
which is exactly what this year's President's Award recognises,"
said Greg Day, security analyst at McAfee.
This year's medallists in the final were Anite Public Sector,
Alliance & Leicester, Betfair and Liverpool Direct.
"Medallists faced some mind-boggling threats but each and every
one rose to the challenge," said Brian Collins, chairman of the
awards judges. "Their dedication and out-of-the-box thinking is to
be commended."
Betfair faced a significant challenge in preventing organised
crime from disrupting its business operations, and sought to put in
place the necessary defences to protect the website, without
blocking legitimate traffic.
Criminal intervention was also the driver behind Alliance &
Leicester's project. To tackle consumer concerns relating to
phishing it put in place a two-factor, two-way authentication
system, making it the only bank in the UK to have taken steps to
identify its site to customers when they are logging on so that
they can be sure they are entering a genuine online banking
site.
Keeping out unwanted intruders while still being able to
leverage the benefits of new technology such as voice over IP was
Anite's challenge when implementing an IT system for the
Independent Police Complaints Commission.
As a high-profile public body, the Independent Police Complaints
Commission is a target for attacks, so Anite implemented a number
of security measures, such as role-based access to reduce the risk
to staff and assets.
However, there can only be one winner, and the BCS Award for
Information Security went to Liverpool Direct, a joint venture
between BT and Liverpool City Council.
Liverpool Direct, which provides the council's call centre, IT,
human resources, payroll and revenues and benefits services, was
formed in 2000 by combining several smaller IT departments. It
quickly became clear that previous security processes and
procedures were not going to suffice in the new larger
department.
In 2004, it was decided that drastic action needed to be taken
and, under the leadership of the ICT director, a security
management forum was created. The forum was tasked with taking
ownership of a two-year programme that would return security to a
managed, professional level.
The team faced significant challenges. For example, the
programme was taking place while the council was in the midst of
the e-government revolution. As internal processes were being
tightened, so external processes had to be designed to give
citizens access to online services.
However, perhaps the biggest challenge faced by the forum was
ensuring staff buy-in. Due to past sensitivities between senior
management and the union, new security measures were viewed with a
high level of scepticism and, when increased internet usage
monitoring was implemented, the front page of the union newspaper
ran an article entitled "Big Brother is watching you".
Key to solving the problem was the security team being viewed as
separate from the senior management team. This gave the security
team a dual purpose - to enforce policy compliance but also to act
as a conduit between staff who had concerns and the management
team. Staff have bought into this model and understand that they
too are stakeholders in the security process.
Overall, the project involved a restructure, a raft of new
policies and the implementation of many security controls. It has
been an overwhelming success. A culture of security has been
created, with many staff now actively demanding that senior
management address security concerns, with no fear of escalating
issues through the appropriate channels. The environment has
changed from one of suspicion to one of trust.
Additionally, the deployment of such a comprehensive strategy
has meant that the frequency of major incidents has decreased from
one every 17 days, to just one so far during 2006.
"All of the entries were extremely impressive, but the judges
felt that Liverpool Direct showed great insight in turning a
preventative measure into an enabler," said Collins.
"They realised that their success relied on engaging with
stakeholders and navigating potentially tricky political situations
- something that they achieved with aplomb. The project has not
just positively impacted security, it has exceeded all expectations
with its ramifications being constructively felt across the whole
organisation.
"This project has the hallmark of an excellent strategy with
long-term impact."