
Many people in the UK still see security predominantly as an IT
problem. But it isn't: it's a business one, writes Mike Gillespie,
principal consultant at security services provider Advent
Information Management.
As if anyone needed reminding, there has been wave after wave of
highly publicised data loss incidents in recent months, kicked off
by the debacle at HM Revenue and Customs last year.
And not one of those incidents was caused by an IT process.
Instead the data losses have been the result of inadequate business
processes and human error.
The upshot has been a flurry of government directives and the
creation of the Information Security Awareness Forum, which is all
fine and dandy, but it doesn't really address the problem.
Take the forum. The members are all highly respected IT security
bodies of one type or another that between them have oodles of
experience in IT security matters. And there lies the rub: they are
all IT security groups getting together to try to fix what is
essentially a business problem.
Lack of integration
Where are the physical security guys in all this? Where are the
guys dealing with personnel-related risks? Where's the co-ordinated
response?
That is not to say IT security does not have its part to play.
It does. But what we need is to get all these disparate security
guardians sitting down around the table and sorting it out
together.
And this one really does have to be tackled from the top down,
and senior management has to start taking responsibility.
It is not as if there isn't already a standard to help us out at
the individual company level.
The ISO 27001 standard has been in development for over a decade
and is built on 11 control domains, which make clear that
security is about far more than technology: appropriate policies
and procedures, physical security, HR, compliance, business
continuity and so on.
Accountability
And although ISO 27001 implementation is on the rise, if
organisations really want to get it right they have to create an
overarching security function. Very few businesses do.
Larger organisations that can afford it could do worse than set
up an all-encompassing security forum comprising subject
specialists. The smaller ones with less resource could task an
individual with co-ordinating activity across the board.
But such an approach also needs to be reflected in the wider
industry. So my proposal is this: why not group all the currently
fragmented security monikers under the banner of protective
security for the industry as a whole?
Just imagine: a utopian world where security is dealt with in
that much fabled holistic fashion, where organisations do not have
to reinvent the wheel but have different protective security
functions living sustainably side by side and in perfect
harmony.
You may call me a dreamer, but am I really the only one?
CW Security Handbook