May 2010 Archives

Choose your business partners with care


I was staggered to read that authorities in a southern Indian state are planning to set up an outsourcing unit in a jail. They obviously think it's a good idea. But any customers that suffer a major data breach are likely to be heavily criticized for taking such a risk. Personnel security checks are a major component of information security standards.   

This development highlights the increasing importance of conducting due diligence on offshore arrangements. "Always remember the maxim: choose your business partners with care!" warns Alastair MacWillson in his Foreword to my new book, Managing Security in Outsourced and Off-shored Environments.

Who cares about privacy?


Ten years ago I forecast that the concept of privacy would not survive the growing interest in mining the bonanza of personal information for commercial, security or espionage benefits. I termed this scenario 'spy versus spy', reflecting the fact that it's not just Big Brother that wishes to exploit the vast amount of data that the Internet can generate.

Not everyone agreed. Some believed that the public would not stand by and watch their privacy disappear. So far they've been wrong. Nobody has been sufficiently motivated and empowered to halt the relentless march towards a surveillance state. Perhaps the new UK Government will intervene, though this would be against the global trend.

I'm disturbed though not surprised by the activities of companies such as Google, who boast that they aim to 'do no evil', yet seem to continuously ignore consumer privacy interests. The latest incident of 'mistaken' interception of wireless traffic might reflect a wider, modern enterprise culture that is focused on exploiting rather than satisfying customer relationships. The actions of individual staff speak louder than the gloss of media relations.

Where is it leading? The reality is that we have a super-abundance of data at our fingertips, and it's too compelling to ignore. Unless governments intervene with strict rules and limits, it will be commercial suicide for marketing staff to resist. Let's hope that Cameron and Clegg might harness the political will to shape a healthier digital environment. In the meantime I will continue to expect the worst but hope for the best. 

Time for a revolution in security management

Information security management has reached a strategic inflection point: a time from which the effectiveness of traditional countermeasures will decline sharply. Our approach to security governance has not changed in the last two decades. Today's methods are rooted in an inward-focused, industrial-age perspective. Yet the problem space has shifted dramatically. We need a new approach that is more dynamic and externalized.

How should we respond? For my take on this issue, read my latest white paper: "Responding to the New Information Security Landscape: New Priorities, New Skills and New Technologies" just published by Qualys. It's time for no less than a revolution in our approach to information security management.

Security in outsourcing and offshoring


This week sees the publication of my new book "Managing Security in Outsourced and Off-shored Environments: How to Safeguard Intellectual Assets in a Virtual Business World". It's published by BSI and is both highly informative and jolly good value. Don't sign a contract without reading this book!

The cover is attractive and interesting: a clownfish in a sea anemone. The clownfish is one of the very few fish that is not poisoned by this environment, so it represents a 'safe harbour', an important concept in outsourcing. I'm indebted to BSI for suggesting this delightful nature theme, as well as to Geoff Harris, President of the ISSA-UK, for educating me about this interesting fact.

Physician, heal thyself


It saddens me to see good security initiatives holed by sloppy security practice. My in-tray has been full of emails urging me to comment on reports about the lack of security in the web site for the UK Cyber Security Challenge, sponsored by leading security institutions such as the UK Government's Office of Cyber Security, the SANS Institute, the Institute of Information Security Professionals and QinetiQ.

Operational security is easily overlooked when dealing with educational or research initiatives. That's the learning point. Reputation can be damaged as much by an incident on a minor web site as by one on a mission-critical system. All public sites need to be safeguarded wherever brand value or reputation is important. Security professionals in particular need to aim for higher standards in widely promoted initiatives.

The response now demanded is for the sponsors and organisers to demonstrate their crisis management skills and turn this threat into an opportunity. It's not easy, but it can be done.

Global perspectives on information security


Last week I was fortunate enough to be giving keynote presentations in Hong Kong and Singapore. Amongst other things, it was fascinating to contrast the Asian perspective on information security with that of other geographic regions, each of which has its own particular set of interests and skills, though globalization is gradually diluting traditional stereotypes.

US enterprises, for example, seem most keen on technology, though they have also woken up to the need for a greater focus on process. In the UK, process has always dominated, though the importance of the human factor has been gaining ground. In contrast, continental Europe and the Middle East have a better appreciation of people and politics.

So how does the Far East compare? Where does it excel? In my view, the answer is in their unique interest in both people and technology - arguably the more important future dimensions of the 'people-process-technology' triangle. Compliance might be the contemporary driver, but processes can be swiftly copied. In a modern commercial environment, it is essentially no more than an audit trail for the regulators. An interest in people, however, and a thirst for technology take much longer to cultivate.

Organisations concerned about information security need to take account of these differences. Whether or not you agree with me, the key learning point is to accept that different regions and cultures have varying skills and interests. A one-size-fits-all approach will not work in a global business environment.

Reflections on Infosecurity Europe


Last week's Infosecurity Europe was an excellent opportunity to compare notes with practitioners from hundreds of customer and vendor organisations. This year is an interesting one for information security, as the sector is recovering rapidly from last year's recession, and the reality of externalisation is hitting home, with many enterprises placing much greater priority on securing the supply chain.

I haven't checked the official figures but my impression was that this year's show seemed bigger and better attended, with a wider variety of products. Customers also seemed more focused on what they were looking for, which is good news for vendors. As usual, the show was brilliantly organised with a good layout, a thoughtful programme and good audio visual support.

The Infosecurity education programme is generally one of the best, because the organisers go to enormous lengths to consult stakeholders, and they give preference to keynote addresses by non-vendors. It's a growing challenge of course to find top CISOs who have time and permission to speak, and who didn't present at last year's event. But the end result is a more varied and realistic programme, with less marketing hype, though perhaps lacking a strong, underlying theme.

There were certainly gaps in this year's programme: cloud computing, security awareness and supply chain security should have been more prominent. But there were also interesting new topics, such as convergence and integrity, and a timely opening address by the Information Commissioner's Office on the latest developments in data protection and privacy.

One pleasing trend is a greater focus on operational issues rather than just technology. Perhaps vendors are finally realising that the real issue is not whether you have a firewall, IDS or encryption facility, but how well it's set up and used. This will be a growing theme over the next few years as regulators and auditors get smarter.

It was also good to see more vendors offering open, cheaper or free services, which is good news for enterprises with limited budgets. Vendors today need to demonstrate thought leadership and support the community, rather than just sustain a commercial cash cow. In an increasingly fast-changing business environment, the vendors that are most successful will be those who are passionate about their products. Qualys are a good example of that. This year they also offered free beer on their stand.

Speaking of beer, we must not forget the 'extra mural' stands, such as the excellent Portcullis Arms which once again provided superb hospitality, company and entertainment to the great and the good. It's a great meeting place for CISOs, and another huge success for Clive T. Room, their brilliant marketing director. This year they also had a new rival in Integralis who took over the Kings Head. It was an excellent first effort, and hopefully the first of many more.
