It's been a long time since I last blogged. It's been due to excessive commitments. Freelance work has been thick and fast since the beginning of the year, reflecting an increasingly robust market for security research and consultancy. I'm also reluctant to turn down new projects because you never know whether a downturn is around the corner.
One of the major factors behind the growth in demand for security advice is the rapid take-up of information security practices by small and medium sized companies. This would be a fine thing if established standards catered for smaller or immature enterprises. Unfortunately they don't. Instead the market has evolved into a one-size-fits-all approach, coupled with a commodity market in security training and services.
Companies new to information security typically request penetration tests, policy & procedure manuals and ISO 27001 compliance. None of these is appropriate as a first step in security for an enterprise, for by themselves they do not reduce risks.
Other than the shock value from your first penetration test (which admittedly can help with budgets), the outcome is generally an incomprehensible document listing hundreds of pages of vulnerabilities, which now happen to be shared across a small community of consultants, staff and unencrypted emails and laptops. Would it not be better to have devoted that time to tightening up platforms and applications? Yes, but that would be logical, rather than "ethical".
Policy and procedure manuals are quick and easy to implement but they rarely get opened. And ISO 27001 is particularly unsuitable for smaller or newer enterprises, especially those operating in regions or cultures where paper-based procedures are rarely followed. I've blogged many times about the security challenges of the smaller enterprise. They're different from the formal demands of larger organisations, which is why the ISSA-UK has developed a special standard for small and medium sized enterprises.
A second problem, however, is that there is no gradual path with recognised milestones to implementing ISO 27001. And as anyone who has read my book "Managing the Human Factor in Information Security" will have noted, you can't implement a rich, complex framework of controls overnight. It has to be done in stages if you want to carry people with you.
So we have an unsatisfactory market where people are trained to apply and demand skills and standards that bear little resemblance to actual requirements. How much better it might be to start with a blank sheet of paper and a good dose of common sense, and to draw up a security programme that really reduces risks rather than ticks boxes. Getting back to that sensible state would be a huge step forward, but it would require a simultaneous behaviour change by regulators, security managers and consultancies. And that's not likely to happen.