It's been a long time since I last blogged. It's been due to excessive commitments. Freelance work has been thick and fast since the beginning of the year, reflecting an increasingly a robust market for security research and consultancy. I'm also reluctant to turn down new projects because you never know whether a downturn is around the corner.
One of the major factors behind the growth in demand for security advice is the rapid take of information security practices by small and medium size companies. This would be a fine thing if established standards catered for smaller or immature enterprises. Unfortunately they don't. Instead the market has evolved into a one-size-fits-all approach, coupled with a commodity market in security training and services.
Companies new to information security typically request penetration tests, policy & procedure manuals and ISO 27001 compliance. None of these is appropriate as the first steps in security for an enterprise, for by themselves they do not reduce risks.
Other than the shock value from your first penetration test (which admittedly can help with budgets) the outcome is generally an incomprehensible document listing of hundreds of pages of vulnerabilities, which now happen to be shared across a small community of consultants, staff and unencrypted emails and laptops. Would it not be better to have devoted that time to tightening up platforms and application? Yes, but that would be logical, rather than "ethical".
Policy and procedure manuals are quick and easy to implement but they rarely get opened. And ISO 27001 is particularly unsuitable for smaller or newer enterprises, especially those operating in regions or cultures where paper-based procedures are rarely followed. I've blogged many times about the security challenges of the smaller enterprise. They're different from the formal demands of larger organisations, which is why the ISSA-UK has developed a special standard for small and medium sized enterprises.
A second problem however is that there is no gradual path with recognised milestones to implementing ISO 27001. And as anyone who has read my book "Managing the Human Factor in Information Security" will have noted you can't implement a rich, complex framework of controls overnight. It has to be done in stages if you want to carry people with you.
So we have an unsatisfactory market where people are trained to apply and demand skills and standards that bear little resemblance to actual requirements. How much better it might be to start with a blank sheet of paper and a good dose of common sense, and to draw up a security programme that really reduces risks rather than ticks boxes. Getting back to that sensible state would be a huge step forward, but it would require a simultaneous behaviour change by regulators, security managers and consultancies. And that's not likely to happen.