Governance Issues Archives

November 25, 2006

Economics and Security

Reading my colleague Stuart King’s blog posting on the financial impact of security incidents reminded me of the continuing obsession that many parts of industry and academia still seem to have with achieving the Holy Grail of perfect ROI measurement. Many of them miss the point. The problem we face is not proving that each investment in security has a positive NPV, but demonstrating that such spending is a sensible idea. In large organisations, it’s about making a business case that passes the investment appraisal criteria. In the case of small businesses or home users, it’s about putting together a convincing argument. You don’t have to, and you can’t always, present hard evidence that guarantees a payback within a particular time period. There are other criteria for justifying investments, such as regulatory compliance requirements, or the fact that your business will collapse under viruses and spam if you don’t take preventative action. Many things in life are simply not knowable or not measurable, especially in the shadowy and fast-changing world of security.

November 27, 2006

Visibility and Metrics - the keys to effective security

I’ve long preached about the importance of visibility and metrics in security. Unless you have line of sight of the security threats, vulnerabilities and incidents that are actually impacting your organisation, you can’t possibly tackle them effectively. And unless you can measure how effective your interventions are, you won’t be able to build efficient processes. You might not even be able to justify your own existence. As the legendary Donn B. Parker (of SRI International) advised me back in 1989 when I’d just joined the Royal Dutch/Shell Group, “David, you need to set up your own intelligence service”. That was perhaps the most useful advice I ever received on how to manage security across a large, diverse organisation. And I’ve spent many years trying to achieve this using human-based intelligence networks and reporting systems. But traditional manual methods are not as reliable as we’d like. They’re often based on no more than hearsay, tip-offs and anecdotal evidence. Fortunately that’s all changing. There are now some excellent discovery tools appearing in the marketplace: practical tools that enable organisations to view and manage their security exposure in real time. That’s why I’m forecasting that over the next 18 months we will witness a revolution in the maturity of our security processes, driven by a new, unprecedented capability to view, filter, measure and archive just about everything that’s happening across our networks.

Of course none of these tools are any use to an organisation without first establishing the methodology needed to set targets, prioritise activities and process the results. Security metrics are the key to this. Metrics are fundamental to achieving the higher levels of process maturity (in the Carnegie Mellon sense). They can help formulate objectives, prioritise security actions and confirm success or failure. But just how should an organisation go about selecting the right metrics? How can it ensure that the selected measures are correctly aligned with business objectives and IT strategy? These are difficult questions with important consequences. Making the right choices of metric can have a tremendous impact on the future effectiveness of your security function. So think very carefully before presenting your new security targets to the Board. And if you need a helpful hand then you could do worse than read my recent white paper on this subject "Top 10 Tangible Measures for Effective Security Risk Management" published by nCircle, an innovative supplier of professional vulnerability and risk management tools and services.

November 29, 2006

Security Risk Assessment - Can it be automated?

My last blog posting kicked off a number of interesting discussions, including one on the subject of automated security risk management, raised by a friend from Brabeion, a compliance management specialist based in Washington DC. The issue raised was: Can we assess security risks directly from discovery tools? A good question, one more appropriate to my colleague Stuart King’s Risk Management Blog, but I thought I’d set out some thoughts on the subject before pushing it over to him.

Now I’m all for injecting as much objectivity and precision into risk assessment as possible, because subjective assessments are too often clouded by political, cultural and personal factors. However, it’s people who are responsible for decisions, so I’m not too sure we can entirely remove the human element. I’m reminded of an instructive session on risk management by a leading professor on this subject at a US Government computer security conference back in the early 80s. He presented an array of mathematical methods for calculating risks, taken from more mature fields, such as the nuclear industry. At the end of his session a man from the audience posed the obvious question: “But how can you prevent people from adjusting the figures and weightings to suit a particular outcome?” His response was illuminating. “But that’s exactly how it works. You wouldn’t make a decision based on such calculations. These methods are intended to support your decisions.”

December 1, 2006

Security companies need to maintain higher security standards

We’re all familiar with the old adages about the cobbler’s children having no shoes and the dustiest part of the house being the top of the Hoover. So it’s not surprising to find that some security companies don’t run a tight ship. A good recent example is Guidance Software, a leading vendor of digital investigation products. They’ve just settled a case brought by the FTC. It looks pretty damning. They failed to look after customer data in line with their advertised claims. And they’ve naturally, and perhaps rightly, attracted some mocking snipes from security pundits.

But does it mean that the products they sell are not secure? Not necessarily. And does it mean their operations are not secure now? Probably not, as they’ve had to make formal assurances to clean up their act. They’ve also taken on some very high profile non-executive directors who now have their reputations on the line, including George Tenet, a former CIA Director. The interesting question is whether they are that much different from other security vendors. Were they unlucky to get caught? Hard to say. Will it happen to others? Absolutely. We can expect more of this type of case because there are a lot of insecurities out there and the compliance noose is tightening fast.

So there are some lessons here. Firstly, if your business is security then you need to maintain very high standards. Secondly, watch those assurances on your web site - they might come back to haunt you. Thirdly, if you’re a customer, don’t assume that just because you’re dealing with a security company or a bank that everything will be completely secure. All of them are likely to have their weak spots. And fourthly, don’t write a company off because of one bad incident. Because - think about it - would you rather trust an organisation that had been found out and put its house in order, or one that you knew nothing about?

December 10, 2006

Dirty tricks in the Name of Security

Last week’s $14.5 million settlement payment by Hewlett-Packard to California’s top prosecutor may have defused a crisis. But it leaves many question marks about the ethics of big companies, the insecurity of personal information, and the methods used in security investigations. This case, which introduced the word “pretexting” to many vocabularies, demonstrated once again the shocking vulnerability of personal data to social engineering attacks. Too many organizations are willing to disclose sensitive information on the basis of a few, easy-to-obtain facts. But there are no excuses for security investigators to exploit these weaknesses by employing shady practices. We should all close ranks against any companies that think it’s acceptable to use impersonation techniques in the name of security, regardless of their legality. Security professionals should aim for the high ground, not sink to cheap tricks.

December 11, 2006

It's time to sort out our Information Management

I’ve been pointing out for some time that professional Information Management has largely collapsed in most organizations. It’s to be expected of course, following the radical changes in communications that have accompanied the introduction of IT networks. But such a situation will never be permitted to last indefinitely. If the consequences of bad corporate practices don’t frighten companies into action, then the lawmakers and regulators certainly will.

And so we enter a new age of electronic discovery and document management with the introduction this month of new Federal Laws that require companies to preserve electronic data as soon as they become aware that it might be of interest in a potential Federal Court case. And who pays for the massive costs of retrieving all these documents for a Court case? The retriever does, of course, which will make it attractive for small companies to make claims against bigger ones - though they had better make sure that they also have their own house in order. And claiming that the discs have failed - the modern equivalent of “the papers were lost in the fire” - won’t help you, because you will need to present solid forensic evidence to support your claims.

So what should affected organisations do? The answer is to bite the bullet and get your house in order. Because if you don’t take appropriate steps to control, index and archive all of your emails, instant messages, documents and spreadsheets, then you could be exposed to expensive, future liabilities. Fortunately there are a host of brand new technologies designed to help you solve these problems. For example check out Chronicle Solutions for control and archiving of in-flight documents such as email, web access and instant messaging, and Mathon for all those Word documents and spreadsheets stored on company servers.

December 27, 2006

People, Process or Technology - Which hits the spot?

Last week I gave a presentation on the subject of “Managing the Human Dimension” to Iain Sutherland’s excellent Independent Information Security Group. It got me thinking about the balance between the human and technology aspects of IT Security and how it continues to change. I’m often asked for my opinion about the most important aspect of IT Security. And I have to admit that my opinion changes every year.

In the early days of IT Security there were many academics in the USA, including some leading lights such as Bruce Schneier and Dorothy Denning, who firmly believed that everything in security could be solved with technology alone. They eventually saw the light and quickly began to focus more on the softer aspects of security. In contrast, there were also a handful of maverick, crusading consultants, such as Donn Parker at SRI International and our own Martin Smith in the UK, who preferred to play to their strengths and promote the importance of the human dimension. But in practice most CISOs quickly discovered that the logical starting point was to focus on policy, processes and standards, because that was the easiest way forward and the most obvious way to engage the Executive Board and kick off a long range Enterprise programme.


January 1, 2007

A Security Resolution for 2007 - Embed Security into your System Development Cycle

It’s a relatively simple thing. It’s not that difficult. And it needs to be done by every organization. Yet few seem to have done it properly. So make it your New Year’s resolution. Build Security into your System Development Cycle. Make it mandatory for every project of any significance to carry out a security risk assessment, develop a security architecture, and implement a security testing schedule. Do not allow any exceptions. It’s the most important security intervention you can make.

January 3, 2007

Security and Governance – One size doesn’t always fit all

Ed Gibson’s comment on my recent posting on processes hit the nail on the head. One size doesn’t always fit all. In this particular case the debate was about the upside and downside of processes, and the consequences of attempting to liberate workers from the shackles of their processes. But the importance of tailoring solutions to the organisation is a key point for practitioners to grasp.

All organisations are different. They have different cultures, different governance systems and different ways of reaching decisions (or not in the case of some that I’ve worked for). You cannot simply transfer a security blueprint from one to another. I’ve built security management systems from scratch for three different organisations, and they were all quite different. One lasted for more than a decade. Another required constant adaptation to reflect major changes in the organisation’s strategy and organisation.

But organisations share common requirements, many of which do not vary over time. That was the key to the success of ISO 17799. When we drafted the original BSI Code of Practice, the DTI assembled a team of practitioners from seven different industries. We expected some differences between sectors and were pleasantly surprised to find that we could craft a standard that could work in all organisations. So yes, one size does not always fit all. But in some cases it can.

January 20, 2007

More Testing Please

It was refreshing and reassuring to see the Home Office coming clean about the lessons learned from the failure last year of its Electronic Passport Application system. I can understand the argument for keeping gateway reviews confidential, i.e. that otherwise the reviewers might pull their punches. But secrecy creates a climate of suspicion and leaves Government departments open to easy criticisms based on fear, uncertainty and doubt. So let’s hope we see more openness in future.

The lesson to be learned by all is that it’s a false economy to skimp on testing. Because if the human factor is the soft underbelly of organisations, then testing is certainly the Achilles’ heel. Yet few organisations get this. Too often sacrifices are made in the interest of hitting deadlines. But as I’ve said before, you can’t do it by luck and you certainly can’t do it by ignorance. It takes many times longer than the estimated life of the universe to test all permutations of program path or input and output space for even a relatively simple program. But the sooner errors are discovered, the less damage is done and the cheaper they are to correct.

We need a lot more functional testing, security testing, usability testing, product testing, configuration testing and process testing. Yet I’ll wager that if you examine the IT policies and standards of any organisation the thinnest area will be testing. It’s quite remarkable that after half a century of professional business computing we still haven’t got the message.

January 26, 2007

Security and the Environment

It’s always interesting to see what’s currently on the CIO agenda, so I took a couple of days out this week to attend Information Age’s Effective IT Summit at the Vale Hotel in Cardiff.

Gaining alignment with the business and enabling innovation seemed to be the primary concerns. Not much new there. Though it was interesting to hear Paul Colby, CIO of British Airways, explain how he's actually managed to achieve this in practice. Now that's something.

But the big new issue this year is our impact on the environment, especially the need to reduce our energy consumption. Many organisations are developing initiatives and setting targets to reduce their carbon footprints. So what can Security do to help? Well quite a bit actually. We’ve already seen how anti-virus and spam filters can massively reduce incoming email. And many of us have discovered the hidden performance benefits of blocking and removing undesirable content. So let’s start making the business case for tackling this in a more comprehensive way.

We can free up servers, unblock networks, increase productivity, keep ourselves out of jail and reduce our electricity costs by getting on top of all the spam, junk mail, viruses, worms, illegal content and unwanted downloads and communications.

January 31, 2007

Gaining the Attention of Management Boards

This week it’s been put to me several times that the major problem for the Security function is gaining the attention and support of Management Boards. This surprises me because contemporary corporate governance expectations generally require that all organisations should operate an effective risk management process that should identify and address all major sources of risk.

So what is going wrong? If an organisation has such a process in place - and if not, why not - then there should be a perfectly good mechanism for articulating security risks to the Board and the Audit/Risk Committee in a form that they cannot possibly ignore without breaching compliance requirements.

Of course it might be that the risks have not been adequately assessed. Perhaps they’re out of date, for example? This can easily be remedied. Or maybe the risks are not significant enough to engage Board attention? In that case the system is working, so what’s the beef? However, I’ve also noticed that this logical response of mine doesn’t quite hit the spot. So I suspect there is a deeper problem that I’m missing. Can someone put me right?

February 14, 2007

Responding to the Growing Complexity in IT and Security

Last night’s BCS Security Forum Strategy Panel meeting included an interesting round table discussion on complexity. It’s a subject that’s been occupying my mind for three decades ever since I was first introduced to the fascinating world of cybernetics and control theory at Cass Business School in the late 70s. It’s also a current hot topic for many IT and Security professionals who are encountering major challenges getting to grips with the increased complexity of modern infrastructures and systems. Why is this happening? And what can we do to improve the situation?


February 17, 2007

The Importance of Security Surveys

I’ve just been checking out the new Symantec IT Risk Management Report. It’s the result of a year-long study based on interviews with IT executives and professionals around the world. Such surveys are mandatory reading for security managers as they can provide a valuable insight into trends and provide useful collateral evidence for business cases.

So what does this report tell us? Unfortunately, like too many of these surveys, there’s not much that’s of practical use to a CISO. Highlights include unsurprising findings such as the following.

“IT professionals rate themselves more effective in their deployments of technology than of process controls.”

“More-effective organizations – even though they often face higher risk levels – expect fewer incidents than less-effective organizations”.

“Best-in-class organizations perform with high effectiveness across most controls.”

“Differing internal viewpoints on IT Risk, and poor alignment between IT Risk Management programs and overall business objectives, may themselves create risk.”

“Poor organizational support for IT Risk awareness and training is both a compelling example of poor alignment, and a major cause.”

“Best-in-class IT Risk management requires a disciplined approach…across people, process, and technology.”

As Basil Fawlty once put it: “Can’t we get you on Mastermind…specialist subject: stating the bleeding obvious…”

February 21, 2007

Online Shopping Deserves Better Security

Research just out today from Symantec indicates that the UK's online economy is suffering from a serious lack of confidence. Two thirds of consumers believe that they are at risk from online fraud, and 30% agree that Internet security concerns prevent them from making online transactions. This is worrying but not surprising.

What's the answer? Two things: higher security standards and better assurance for consumers that the standards are being applied. But we already have this in the PCI (Payment Card Industry) Security Standard. And it's been around for a couple of years. So why is it not being applied? Several reasons: it's tough, it's highly prescriptive, it's expensive, and it's not been strictly enforced so far.

Prescriptive approaches always generate pushback, but they do ensure that organisations pay more than lip service to security. Most prudent organisations are responding to the PCI Standard, but slowly and reluctantly. Things will speed up when we see heavy fines being imposed. That's not happening just yet. But PCI Security Compliance is unlikely to go away. So keeping your head in the sand is not a sensible approach. The real shame is that we have to rely on heavily enforced standards to fix the problem. Because customer security concerns should be high on the agenda for every online business.

March 12, 2007

Secure Software Development

My recent posting on the KTN Cyber Security Special Interest Group attracted a comment from my fellow CW blogger Stuart King, pointing out we need a plan of action rather than another white paper. He missed the point. The paper is intended to identify the barriers and make recommendations. It will be a plan of action.

The barriers to secure software development are numerous: ignorance, perceived cost, lack of standards and absence of methodologies (to mention just a few). All initiatives in this direction will help raise awareness. No one group has a monopoly on these issues. We all need to create a climate for change. Starting now.

March 17, 2007

The Importance of Closing the Loop

I'm often asked what it is that characterizes a good security function. What separates the best from the rest?

If I'm forced to select one single thing I would say it was the ability to close the loop, i.e. to check that policies, standards and controls are actually being implemented. Failure to do so is in my view the most common reason for ineffective security programmes. And it's probably the root cause of the widespread security breaches referred to in my last posting.

Publishing policies and standards should be viewed as the start, not the end, of corporate governance. Requirements need to be translated into action by users. And that's increasingly difficult in today's fast-moving business environment. Managers and staff don't have spare time on their hands to implement new controls. You can spend as much time as you like drafting and communicating security requirements. But if you don't check that they're being implemented, you could be wasting your time.

That's why I believe ISO Security Certification should be the cornerstone of an enterprise security programme. It's straightforward, efficient and it works. Many people make the mistake of automatically assuming it will be very expensive and time-consuming. It need not be, though it will cost you a lot if you don't have any security controls in place. But if you have a mature security function, then it should be a straightforward, affordable process. It will highlight numerous shortcomings you didn't know about. But most items can generally be fixed with a reasonable amount of effort in time to gain or retain your certification.

Closing the loop today is a manual-intensive process, requiring documentation reviews, interviews and inspections. I often reflect on what it might look like in ten years time. Can we automate most of the process using new discovery technologies? Will it be like running automated diagnostic tests on a modern car? But whatever the future holds, one thing is certain. It will be even more important to check that all controls are in place and functioning correctly.

April 2, 2007

Why We Need The PCI Security Standard

Last week's disclosure by TJ Maxx that hackers had stolen details of a staggering 45.7 million customer payment cards highlights several important points.

Firstly, retailers need to get their security act together. Sensitive customer data must be encrypted at all times and processed on secure platforms with effective intrusion prevention. Good key management is especially important. e-Business has transformed the retail sector, making security a major business requirement. But far too many retailers are laggards rather than leaders in this area.

Secondly, customers should be warned promptly about potential breaches if confidence is to be maintained. Despite all the complaints, Californian Law SB 1386 is proving to be both necessary and helpful for ensuring organizations come clean about security breaches.

Thirdly, the Payment Card Industry (PCI) Security Standard may have its faults but it's clearly necessary to ensure merchants and merchant acquirers raise their security game. PCI Security might be a little too broad in scope, over-prescriptive and expensive to implement. But we clearly need it.

April 11, 2007

Wilfing - The Curse of Security Architecture

This week's media has been full of claims from a YouGov survey that two thirds of the UK's Internet users waste a large amount of their time aimlessly chasing distractions or "wilfing" (What was I looking for?). But let's be honest. Wilfing is a much more widespread malaise that's infected many areas of IT and security. In particular, it's a curse on security architects. That's because architecture should be no more than a means to an end, but unfortunately that end frequently gets lost in translation.

In today's jargon-driven IT world, real business requirements, such as "what are the security requirements for this platform" are likely to be communicated as "we need a security architecture". Such a demand can spawn a new project or job function with a momentum and direction all of its own. Inexperienced architects will search high and low for examples of real security architectures, only to find that any instances they uncover are incompatible, having been produced at different times, for different purposes, by different individuals, with different levels of experience. On the other hand, the experienced architect will dust off one that was created earlier. But sadly it's unlikely to be fit for the new purpose.

Years can be spent pursuing the Holy Grail of the all-encompassing enterprise security architecture. Only to find that - as John Zachman discovered many years before - you need a collection of different models. You can then spend further time categorizing, normalizing and connecting all of the individual sub-models. Along the way, enthusiastic architects will discover or develop architectural principles for enabling greater flexibility. And clever ones will introduce additional dimensions, such as time. The scope and sophistication of the target architecture will continue to grow, much as work expands to fill the time available. But eventually hard decisions will be taken and an operational version will be delivered.

Unfortunately, in practice nobody will quite know what to do with this architecture, except perhaps to cover that ugly stain on the wall or to pad out their PowerPoint presentation. It will progressively become outdated and ignored. Until of course someone else comes along searching for an example of a real enterprise security architecture.

April 16, 2007

US Government Scorecard Shows Improvement

An interesting metric I've been tracking for some years is the annual score card on the security status of US Government departments published by the US House of Representatives Committee on Government Oversight. This process measures the compliance of departments against a set of standards laid down by the Federal Information Security Management Act (FISMA). The latest version released last week shows a marked improvement from a poor baseline. Homeland Security, for example, has raised its score from a miserable "F" to a mediocre "D". But this is a step in the right direction and should be applauded.

Not surprisingly, the measures used are controversial. Critics claim it's bureaucratic, placing far too much emphasis on documented plans and processes rather than on the actual vulnerability status of networks. Controls such as documented risk assessments and educational processes might not guarantee tight security. But they do make a big difference. In practice, I've noted a strong correlation between the levels of management controls implemented by service managers and the vulnerability of their platforms to technical attack. That's why I'm a supporter of control standards and certification processes. The FISMA standards used might need some refinement but the overall approach is correct.

May 14, 2007

Federated Identity Management - The Real Issues

Recently I've been advising a colleague in a large organization about the options for implementing applications requiring extensive access by multiple third parties, many of which are direct competitors. It's becoming a common business requirement.

Interestingly enough, in my view the biggest risks are associated with human error and process controls, rather than the strength of the technical solutions. These days you can buy security technology to authenticate and control user access for just about any situation. And even more solutions are in the pipeline. Cost considerations and legacy constraints are also less of a show-stopper than they used to be. But the one thing you can't easily fix is the impact of a human error, especially given the appalling track record of the less-than-watertight access administration that is to be found in many large organizations.

It's a tough problem. In my Shell days we were cautious about opening up the infrastructure to outsiders, so we spent a lot of time fine-tuning the contractual and administration processes to minimize the risks associated with third party access. Regular site inspections and audits of access control lists were par for the course. But in a fast-changing business world with proliferating external access and multiple communication channels, this bespoke approach is expensive to sustain. Some large organisations now have more third party users than employees. We have to run either faster or looser to avoid holding up business operations. So don't get hung up on the technology. That's the easy part. Focus on the administration processes. Because that's where the real security risks and the operational improvements are to be found.

May 15, 2007

How Business Continuity is Changing

This week I'm speaking at Sapphire's excellent NISC8 Conference in St. Andrews on "The Art of Business Continuity Management". It's a subject close to my heart as I've been an active practitioner for the last two decades. I've also seen it change enormously. It used to be called Disaster Recovery Planning until business managers hijacked the subject. I recall that happening at the start of the nineties. Visiting an overseas Shell operating company, I explained to their Managing Director the importance of continuity planning for IT services. He told me to forget IT and focus on the oil and gas evacuation process. It was a much higher priority for him. So for the next ten years I had the pleasure of exploring the fascinating world of oil wells, pipelines and tankers.

I thought it was pretty challenging in those days to coordinate a single management response across a complex value chain in a large organization. But things are even tougher today. Everything is becoming virtualized. Global supply chains, storage area networks, grid computing, web services and extended-enterprise working have transformed the business operating environment. You can't draw a line around processes any more. And they're highly volatile. As much as you try to nail them down, they keep changing.

So what's the best approach to modern Business Continuity Management? In my view the answer is simple, though far from straightforward. The trick is to apply the same transformation to the solution that we're experiencing in the problem space. We need to virtualize the management process, building virtual response team structures, virtual crisis rooms and flexible response processes.

May 29, 2007

IT and Physical Security Management - Should they be Integrated?

An Australian friend of mine sent me this reference to a recent story of a sophisticated physical attack on point-of-sale terminals handling financial transactions. It's not the first nor is it the last incident of its kind. But it's not the type of attack we routinely encounter, because it requires a rare combination of knowledge, access and skills.

Of course one could argue that terminals handling sensitive data should always have the maximum degree of in-built, tamper-proof protection. But the best answer is to provide the right combination of physical and technical security protection. Which raises the question of how best to ensure an effective blend of IT and Physical Security. Should we consider integrating these very different functions? It's becoming fashionable in some quarters. A few leading UK banks have opted to combine IT Security with Fraud or Physical Security. And more recently the UK Government Centre for Protection of National Infrastructure (CPNI) has decided to merge its IT and Physical Security advisory functions. Are they right? Should we follow suit?


June 14, 2007

What Makes a Top CIO?

It's a thankless though often lucrative job being a top CIO. Many of the most promising candidates - the ones that really understand how to use technology to transform a business - don't survive the cut and thrust of Boardroom politics. Political survival is a necessary skill, though it tends to add value to the individual rather than the organisation. Ideally, we need visionaries who can grasp the potential of IT and translate it into compelling business language. But in practice most CIOs struggle to align IT imperatives with business interests, especially in a competitive business environment where IT professionals are treated with contempt by business managers.

So I'm always interested to see how CIOs perceive success and, in particular, how they rate their counterparts, many of whom are likely to be direct competitors for the next major headhunt. Silicon.com's recent poll of the UK's top 50 CIOs provides a fascinating insight. I wish I'd been able to place a bet on this poll because I would have picked up a few bob. Top of the list was no surprise: Paul Coby of British Airways. Paul is a clear leader in his field because he's highly successful and, unlike many of his peers, operates seamlessly across IT and Business. He's transformed BA's business model through smart use of e-Commerce. He's also beefed up their security considerably. On top of that he's a great presenter and a very nice guy. We need more like him.

June 17, 2007

The Global Compliance Environment

This Wednesday I'm delivering a keynote address at a CIPFA/ISACA Conference in Birmingham on Emerging Compliance Requirements. The subject of my talk is "The Global Compliance Environment", a subject that's already engraved on many security practitioners' hearts as international events, initiatives and interests generate wave after wave of new legislative and regulatory compliance requirements. Can we expect to see an end to the mounting compliance burden? Not in my view. In fact it's more likely that the demands will get broader, deeper and tougher, as governments, regulators and large organizations follow suit in adopting and imposing standards and best practices across countries, industry sectors and supply chains.

Few organisations have had sufficient foresight, time and resource to adopt a strategic approach to compliance. But quick fixes to ad hoc demands are the most expensive solutions. Organisations need to spend time designing smarter compliance systems, to reduce the time and effort required to identify requirements, assign responsibilities, train staff, gather data, conduct audits, assess findings and track remedial work. Keeping your head in the sand might delay the pain in the short term but the cost of compliance will catch up with everyone in the end.

July 9, 2007

Identity Management – Who Decides?

Today’s DTI Conference on “Ensuring privacy and consent in identity management infrastructures” was a significant step forward for identity management and privacy in the UK. Amongst other things, it demonstrated that Government stakeholders are open to new ideas and, more significantly, they’re prepared to fund them. They're also attempting to engage a broader audience of contributors from Industry, Government and Academia. I applaud that.

Some cynics would regard my views as optimistic, perhaps a little bit "on message”. That’s not correct. I’ve been a vocal critic of security in the National Identity Card programme, though I found little to fault in what I heard yesterday. I have high standards of expectation about both the level of security and the degree of consultation with the public. But I’m also realistic about the politics, the risks, the opportunities and the options. So I try to frame my criticism in the context of what's reasonable, affordable and, most importantly, do-able.

Not everyone agrees with me. Caspar Bowden of Microsoft, for example, questioned the lack of privacy technology professionals in the room, suggesting that the assembled audience might not have sufficient knowledge to shape public policy and research. I disagree. What we need is a blend of visionary technologists, down-to-earth commercial users, experienced social scientists, smart marketers and experienced practitioners. That’s how you solve those difficult, complex social and technical problems.

I believe the UK Government is trying to get that balance right. It’s taken a while to engage some of the key stakeholders. But let’s keep that dialogue going. We must not let important societal subjects be hijacked by the tiny elite of privacy anoraks. I’d rather hear more from the battle-scarred practitioners of real identity management projects, and the social scientists who’ve spent their time trying to understand the motivations of the Echo boomers. We need to draw on a wide range of skills and experience to solve the numerous social and business problems associated with federated enterprise identity management. Please don’t leave such decisions to the handful of enthusiasts, the politically-correct brigade or the (hopefully) shrinking army of neo-Luddites.

July 10, 2007

Data Breach Disclosure Will Focus Minds and Business Cases

I was interested to read the results of a Secerno poll reported in today’s Computer Weekly. The poll reveals that 77% of IT Security professionals back a UK data breach disclosure law, and that around half of those who back such a law believe that companies should be forced to disclose a data breach immediately.

It’s reassuring that so many professionals are prepared to risk their careers in the interests of leveraging the business case for their security budgets. Because disclosure is a double-edged sword. It imposes a reporting burden on companies and it presents a threat to management. But it also helps protect customers and leverages business cases for security improvements. I’m a strong advocate for such reporting because it makes business units pay closer attention to security.

We all understand the importance of engaging business managers in security risk assessments. But in practice too many managers interpret this as an excuse for not spending money. Risk appetite too often becomes correlated with the cost of security, rather than the business impact of breaches. Data breach disclosure helps bring home the consequences of incidents. And as any good psychologist will tell you, the key to achieving a behaviour change is to highlight consequences of people’s actions that are personal, immediate and certain.

As with any significant change, there will be casualties. We’ve already seen data leakage incidents this year that have cost companies millions - perhaps billions - of dollars. Let’s hope that other organisations will learn quickly from their pain. And let’s hope that Crown immunity won’t prevent Government ministries from disclosing their breaches. Of course the real answer to that one is to place sensitive citizen databases under the management of private sector specialists operating under strict Government regulation. Because Government is good at that.

July 16, 2007

The Implications of Merging Business and Personal Lifestyles

I’ve written before on the challenges presented by the progressive erosion of the traditional boundary between business and personal lifestyles. It's all a consequence of the growth of digital networks, so it's a long-term, unstoppable trend. So far, most of the issues encountered have been concerns for the employer: problems such as the difficulty in enforcing complex acceptable use policies, or of balancing the human rights of employees against compliance demands for scrutiny of their communications.

Now we have a problem for employees, with a recent court ruling reported in The Register which suggests that employers might have grounds to demand ownership of their employees’ social networking information, if it has been prepared in the course of their employment. This particular ruling forced a UK journalist to hand over the contents of his contacts list to his employer after he had left the company. According to legal experts, the key determining factor is not where the data is stored but the set of circumstances under which it was created.

Given the rapid growth in social networking and the short-term nature of many work contracts, it’s clearly important for employees to separate and secure their personal and business interests. Because it might be just as easy for an employer to take over a departed employee’s contact lists as it is for the employee to walk off with his company’s customer information.

July 23, 2007

More Personal Data at Risk

Just when I thought that most organisations would have learned the lessons from the recent spate of high profile data breaches, we hear that SAIC has admitted placing at risk the personal data of over half a million military service personnel.

It’s surprising as one would have expected military personnel records to warrant tighter security than the average personnel database. It’s even more extraordinary when one considers SAIC’s background in IT security, having founded the original Information Sharing and Analysis Centres (ISACs), and currently claiming a strong capability in physical and cyber security. To quote their Web site: “Our engineers are experts in safeguarding information, systems, and web sites. With our approach to security services, SAIC can help you effectively manage risk and protect your business-critical data.”

So what happened? Details are a little sketchy but SAIC have admitted storing personal data on a “non-secure server” and transmitting it over the Internet in unencrypted form. According to one US newspaper report, the company was notified by the US Air Forces in Europe that it had detected an unsecured transmission of the information. Of course there’s no reason to suspect that any of this data has been compromised, other than the fact that Defense systems do attract a fair amount of hacking and eavesdropping attacks.

It’s interesting to note the immediate actions and costs following such an incident. SAIC have retained Kroll to provide services to affected individuals, including an Incident Response Centre with extended hours, information resources and credit and identity restoration services for any identity theft victims. The cost of these services is estimated to be in the range of $7 million to $9 million for services, excluding credit restoration costs. That’s around $12 to $15 per individual record potentially compromised. With potentially more to come.

So what could have been done to prevent such breaches? Plenty, including ensuring that regular penetration tests and information security audits are carried out of all in-house and outsourced services. That’s why we developed the BS 7799 standard (now ISO/IEC 27001) and its associated certification schemes. Now that we have standards and mechanisms to certify services, there’s no excuse for not using them.

July 31, 2007

What’s in a Name?

“'Tis but thy name that is my enemy” wrote Shakespeare. And the same might be said for many professionals operating in the Information Security field. Job titles are proliferating to the extent that it’s becoming difficult for managers and security vendors to figure just where to direct enquiries. I was mindful of this recently when a colleague in a large organisation asked me for advice on job titles for his growing security community.


August 5, 2007

Security Needs a New Direction

The UK newspapers are full of more stories about the dreadful state of Heathrow Airport. But it’s not surprising. It's a sign of the times. And the fault lies with security. Because its objectives are outdated. They need to be refocused to reflect the new challenges of the Information Age.

In the past, security was primarily directed at safeguarding static assets, whether physical or intellectual. The introduction of networks has generated the need to move towards a more dynamic security model. In particular, the new focus needs to be on exploitation rather than ownership of assets. Because we now have a powerful international infrastructure to move information to where it can most profitably be used.

Alvin Toffler first pointed this out several decades ago. He wrote that “as time goes on the most important thing about a scientific and technological base may not be what information is in it at any given moment, but the speed with which it is continually renewed and the richness of communication carrying specialized know-how to those who need it and acquiring knowledge swiftly from all over the world. It is not the stocks but the flows that will matter”.

But Toffler missed a bigger picture. It’s not just flows of information but flows of people and products that generate business value. I’ve been preaching this message since the atrocities of 9/11 led to many business flows being stopped dead in their tracks in the name of security.

I’ve made this point many times to national security representatives. The response is always the same. “Yes we agree that security must be balanced against business needs.” Wrong. It should set out to keep business moving. The authorities just don't get it. And that’s one reason why Heathrow is in such a mess.

August 10, 2007