
BCS Awards: Unlocking security benefits

Posted: 00:00 12 Dec 2006
Topics: Security | Compliance


The 2006 BCS President's Award turns the spotlight on the need for effective investment in information security

Every year the president of the British Computer Society looks to introduce a new award that reflects the changing landscape of the IT industry. The 2006 President's Award was for Investment in Information Security, sponsored by security specialist McAfee.

"Despite being crucial to business operations, information security can often be overlooked for investment with 'technologies of the moment' being favoured. IT and security teams need to be making investments based on measurable benefits to the business, which is exactly what this year's President's Award recognises," said Greg Day, security analyst at McAfee.


This year's medallists in the final were Anite Public Sector, Alliance & Leicester, Betfair and Liverpool Direct.

"Medallists faced some mind-boggling threats but each and every one rose to the challenge," said Brian Collins, chairman of the awards judges. "Their dedication and out-of-the-box thinking is to be commended."

Betfair faced a significant challenge in preventing organised crime from disrupting its business operations, and sought to put in place the necessary defences to protect the website, without blocking legitimate traffic.

Criminal intervention was also the driver behind Alliance & Leicester's project. To tackle consumer concerns relating to phishing, it put in place a two-factor, two-way authentication system. This made it the only bank in the UK to have taken steps to identify its site to customers when they are logging on, so that they can be sure they are entering a genuine online banking site.

Keeping out unwanted intruders while still being able to leverage the benefits of new technology such as voice over IP was Anite's challenge when implementing an IT system for the Independent Police Complaints Commission.

As a high-profile public body, the Independent Police Complaints Commission is a target for attacks, so Anite implemented a number of security measures, such as role-based access to reduce the risk to staff and assets.

However, there can only be one winner, and the BCS Award for Information Security went to Liverpool Direct, a joint venture between BT and Liverpool City Council.

Liverpool Direct, which provides the council's call centre, IT, human resources, payroll and revenues and benefits services, was formed in 2000 by combining several smaller IT departments. It quickly became clear that previous security processes and procedures were not going to suffice in the new larger department.

In 2004, it was decided that drastic action needed to be taken and, under the leadership of the ICT director, a security management forum was created. The forum was tasked with taking ownership of a two-year programme that would return security to a managed, professional level.

The team faced significant challenges. For example, the programme was taking place while the council was in the midst of the e-government revolution. As internal processes were being tightened, so external processes had to be designed to give citizens access to online services.

However, perhaps the biggest challenge faced by the forum was ensuring staff buy-in. Due to past sensitivities between senior management and the union, new security measures were viewed with a high level of scepticism and, when increased internet usage monitoring was implemented, the front page of the union newspaper ran an article entitled "Big Brother is watching you".

Key to solving the problem was the security team being viewed as separate from the senior management team. This gave the security team a dual purpose - to enforce policy compliance but also to act as a conduit between staff who had concerns and the management team. Staff have bought into this model and understand that they too are stakeholders in the security process.

Overall, the project involved a restructure, a raft of new policies and the implementation of many security controls. It has been an overwhelming success. A culture of security has been created, with many staff now actively demanding that senior management address security concerns, with no fear of escalating issues through the appropriate channels. The environment has changed from one of suspicion to one of trust.

Additionally, the deployment of such a comprehensive strategy has meant that the frequency of major incidents has decreased from one every 17 days to just one so far during 2006.

"All of the entries were extremely impressive, but the judges felt that Liverpool Direct showed great insight in turning a preventative measure into an enabler," said Collins.

"They realised that their success relied on engaging with stakeholders and navigating potentially tricky political situations - something that they achieved with aplomb. The project has not just positively impacted security, it has exceeded all expectations, with its ramifications being constructively felt across the whole organisation.

"This project has the hallmark of an excellent strategy with long-term impact."
