Governance Issues Archives

November 25, 2006

Economics and Security

Reading my colleague Stuart King’s blog posting on the financial impact of security incidents reminded me of the continuing obsession that many parts of industry and academia still seem to have with achieving the Holy Grail of perfect ROI measurement. Many of them miss the point. The problem we face is not proving that each investment in security has a positive NPV, but demonstrating that such spending is a sensible idea. In large organisations, it’s about making a business case that passes the investment appraisal criteria. In the case of small businesses or home users, it’s about putting together a convincing argument. You don’t have to, and you can’t always, present hard evidence that guarantees a payback within a particular time period. There are other criteria for justifying investments, such as regulatory compliance requirements, or the fact that your business will collapse under viruses and spam if you don’t take preventative action. Many things in life are simply not knowable or not measurable, especially in the shadowy and fast-changing world of security.

November 27, 2006

Visibility and Metrics - the keys to effective security

I’ve long preached about the importance of visibility and metrics in security. Unless you have line of sight of the security threats, vulnerabilities and incidents that are actually impacting your organisation, you can’t possibly tackle them effectively. And unless you can measure how effective your interventions are, you won’t be able to build efficient processes. You might not even be able to justify your own existence. As the legendary Donn B. Parker (of SRI International) advised me back in 1989 when I’d just joined the Royal Dutch/Shell Group, “David, you need to set up your own intelligence service”. That was perhaps the most useful advice I ever received on how to manage security across a large, diverse organisation. And I’ve spent many years trying to achieve this using human-based intelligence networks and reporting systems. But traditional manual methods are not as reliable as we’d like. They're often based on no more than hearsay, tip-offs and anecdotal evidence. Fortunately that’s all changing. There are now some excellent discovery tools appearing in the marketplace: practical tools that enable organisations to view and manage their security exposure in real time. That’s why I’m forecasting that over the next 18 months we will witness a revolution in the maturity of our security processes, driven by a new, unprecedented capability to view, filter, measure and archive just about everything that’s happening across our networks.

Of course none of these tools are any use to an organisation without first establishing the methodology needed to set targets, prioritise activities and process the results. Security metrics are the key to this. Metrics are fundamental to achieving the higher levels of process maturity (in the Carnegie Mellon sense). They can help formulate objectives, prioritise security actions and confirm success or failure. But just how should an organisation go about selecting the right metrics? How can it ensure that the selected measures are correctly aligned with business objectives and IT strategy? These are difficult questions with important consequences. Making the right choice of metrics can have a tremendous impact on the future effectiveness of your security function. So think very carefully before presenting your new security targets to the Board. And if you need a helping hand then you could do worse than read my recent white paper on this subject, "Top 10 Tangible Measures for Effective Security Risk Management", published by nCircle, an innovative supplier of professional vulnerability and risk management tools and services.

November 29, 2006

Security Risk Assessment - Can it be automated?

My last blog posting kicked off a number of interesting discussions, including one on the subject of automated security risk management, raised by a friend from Brabeion, a compliance management specialist based in Washington DC. The issue raised was: Can we assess security risks directly from discovery tools? A good question, one more appropriate to my colleague Stuart King’s Risk Management Blog, but I thought I’d set out some thoughts on the subject before pushing it over to him.

Now I’m all for injecting as much objectivity and precision into risk assessment as possible, because subjective assessments are too often clouded by political, cultural and personal factors. However, it’s people who are responsible for decisions, so I’m not too sure we can entirely remove the human element. I’m reminded of an instructive session on risk management by a leading professor on this subject at a US Government computer security conference back in the early 80s. He presented an array of mathematical methods for calculating risks, taken from more mature fields, such as the nuclear industry. At the end of his session a man from the audience posed the obvious question: “But how can you prevent people from adjusting the figures and weightings to suit a particular outcome?” His response was illuminating. “But that’s exactly how it works. You wouldn’t make a decision based on such calculations. These methods are intended to support your decisions.”

December 1, 2006

Security companies need to maintain higher security standards

We’re all familiar with the old adages about the cobbler’s children having no shoes and the dustiest part of the house being the top of the Hoover. So it’s not surprising to find that some security companies don’t run a tight ship. A good recent example is Guidance Software, a top vendor of digital investigation products. They’ve just settled a case brought by the FTC. It looks pretty damning. They failed to look after customer data in line with their advertised claims. And they’ve naturally, and perhaps rightly, attracted some mocking snipes from security pundits.

But does it mean that the products they sell are not secure? Not necessarily. And does it mean their operations are not secure now? Probably not, as they’ve had to make formal assurances to clean up their act. They’ve also taken on some very high profile non-executive directors who now have their reputations on the line, including George Tenet, an ex-CIA Director. The interesting question is whether they are that much different from other security vendors. Were they unlucky to get caught? Hard to say. Will it happen to others? Absolutely. We can expect more of this type of case, because there are a lot of insecurities out there and the compliance noose is tightening fast.

So there are some lessons here. Firstly, if your business is security then you need to maintain very high standards. Secondly, watch those assurances on your web site - they might come back to haunt you. Thirdly, if you’re a customer, don’t assume that just because you’re dealing with a security company or a bank that everything will be completely secure. All of them are likely to have their weak spots. And fourthly, don’t write a company off because of one bad incident. Because - think about it - would you rather trust an organisation that had been found out and put its house in order, or one that you knew nothing about?

December 10, 2006

Dirty tricks in the Name of Security

Last week’s $14.5 million settlement payment by Hewlett-Packard to California’s top prosecutor may have defused a crisis. But it leaves many question marks about the ethics of big companies, the insecurity of personal information, and the methods used by security investigations. This case, which introduced the word “pretexting” to many vocabularies, demonstrated once again the shocking vulnerability of personal data to social engineering attacks. Too many organizations are willing to disclose sensitive information on the basis of a few easy-to-obtain facts. But there are no excuses for security investigators to exploit these weaknesses by employing shady practices. We should all close ranks against any companies that think it’s acceptable to use impersonation techniques in the name of security, regardless of their legality. Security professionals should aim for the high ground, not sink to cheap tricks.

December 11, 2006

It's time to sort out our Information Management

I’ve been pointing out for some time that professional Information Management has largely collapsed in most organizations. It’s to be expected of course, following the radical changes in communications that have accompanied the introduction of IT networks. But such a situation will never be permitted to last indefinitely. If the consequences of bad corporate practices don’t frighten companies into action, then the lawmakers and regulators certainly will.

And so we enter a new age of electronic discovery and document management with the introduction this month of new Federal Laws that require companies to store electronic data as soon as they become aware that it might be of interest in a potential Federal Court case. And who pays for the massive costs of retrieving all these documents for a Court case? The retriever does, of course, which will make it attractive for small companies to make claims against bigger ones - though they had better make sure that they also have their own house in order. And claiming that the discs have failed - the modern equivalent of “the papers were lost in the fire” - won’t help you, because you will need to present solid forensic evidence to support your claims.

So what should affected organisations do? The answer is to bite the bullet and get your house in order. Because if you don’t take appropriate steps to control, index and archive all of your emails, instant messages, documents and spreadsheets, then you could be exposed to expensive, future liabilities. Fortunately there are a host of brand new technologies designed to help you solve these problems. For example check out Chronicle Solutions for control and archiving of in-flight documents such as email, web access and instant messaging, and Mathon for all those Word documents and spreadsheets stored on company servers.

December 27, 2006

People, Process or Technology - Which hits the spot?

Last week I gave a presentation on the subject of “Managing the Human Dimension” to Iain Sutherland’s excellent Independent Information Security Group. It got me thinking about the balance between the human and technology aspects of IT Security and how it continues to change. I’m often asked for my opinion about the most important aspect of IT Security. And I have to admit that my opinion changes every year.

In the early days of IT Security there were many academics in the USA, including some leading lights such as Bruce Schneier and Dorothy Denning, who firmly believed that everything in security could be solved with technology alone. They eventually saw the light and quickly began to focus more on the softer aspects of security. In contrast, there were also a handful of maverick, crusading consultants, such as Donn Parker at SRI International and our own Martin Smith in the UK, who preferred to play to their strengths and promote the importance of the human dimension. But in practice most CISOs quickly discovered that the logical starting point was to focus on policy, processes and standards, because that was the easiest way forward and the most obvious way to engage the Executive Board and kick off a long range Enterprise programme.

Continue reading "People, Process or Technology - Which hits the spot?" »

January 1, 2007

A Security Resolution for 2007 - Embed Security into your System Development Cycle

It’s a relatively simple thing. It’s not that difficult. And it needs to be done by every organization. Yet few seem to have done it properly. So make it your New Year’s resolution. Build Security into your System Development Cycle. Make it mandatory for every project of any significance to carry out a security risk assessment, develop a security architecture, and implement a security testing schedule. Do not allow any exceptions. It’s the most important security intervention you can make.

January 3, 2007

Security and Governance – One size doesn’t always fit all

Ed Gibson’s comment on my recent posting on processes hit the nail on the head. One size doesn’t always fit all. In this particular case the debate was about the upside and downside of processes, and the consequences of attempting to liberate workers from the shackles of their processes. But the importance of tailoring solutions to the organisation is a key point for practitioners to grasp.

All organisations are different. They have different cultures, different governance systems and different ways of reaching decisions (or not, in the case of some that I’ve worked for). You cannot simply transfer a security blueprint from one to another. I’ve built security management systems from scratch for three different organisations, and they were all quite different. One lasted for more than a decade. Another required constant adaptation to reflect major changes in the organisation’s strategy and structure.

But organisations share common requirements, many of which do not vary over time. That was the key to the success of ISO 17799. When we drafted the original BSI Code of Practice, the DTI assembled a team of practitioners from seven different industries. We expected some differences between sectors and were pleasantly surprised to find that we could craft a standard that could work in all organisations. So yes, one size does not always fit all. But in some cases it can.

January 20, 2007

More Testing Please

It was refreshing and reassuring to see the Home Office coming clean about the lessons learned from the failure last year of its Electronic Passport Application system. I can understand the argument for keeping gateway reviews confidential, i.e. that reviewers might otherwise pull their punches. But secrecy creates a climate of suspicion and leaves Government departments open to easy criticisms based on fear, uncertainty and doubt. So let’s hope we see more openness in future.

The lesson to be learned by all is that it’s a false economy to skimp on testing. Because if the human factor is the soft underbelly of organisations, then testing is certainly the Achilles’ heel. Yet few organisations get this. Too often sacrifices are made in the interest of hitting deadlines. But as I’ve said before, you can’t do it by luck and you certainly can’t do it by ignorance. It takes many times longer than the estimated life of the universe to test all permutations of program path or input and output space for even a relatively simple program. But the sooner errors are discovered, the less damage is done and the cheaper they are to correct.

We need a lot more functional testing, security testing, usability testing, product testing, configuration testing and process testing. Yet I’ll wager that if you examine the IT policies and standards of any organisation the thinnest area will be testing. It’s quite remarkable that after half a century of professional business computing we still haven’t got the message.

January 26, 2007

Security and the Environment

It’s always interesting to see what’s currently on the CIO agenda, so I took a couple of days out this week to attend Information Age’s Effective IT Summit at the Vale Hotel in Cardiff.

Gaining alignment with the business and enabling innovation seemed to be the primary concerns. Not much new there. Though it was interesting to hear Paul Colby, CIO of British Airways, explain how he's actually managed to achieve this in practice. Now that's something.

But the big new issue this year is our impact on the environment, especially the need to reduce our energy consumption. Many organisations are developing initiatives and setting targets to reduce their carbon footprints. So what can Security do to help? Well quite a bit actually. We’ve already seen how anti-virus and spam filters can massively reduce incoming email. And many of us have discovered the hidden performance benefits of blocking and removing undesirable content. So let’s start making the business case for tackling this in a more comprehensive way.

We can free up servers, unblock networks, increase productivity, keep ourselves out of jail and reduce our electricity costs by getting on top of all the spam, junk mail, viruses, worms, illegal content and unwanted downloads and communications.

January 31, 2007

Gaining the Attention of Management Boards

This week it’s been put to me several times that the major problem for the Security function is gaining the attention and support of Management Boards. This surprises me because contemporary corporate governance expectations generally require that all organisations should operate an effective risk management process that should identify and address all major sources of risk.

So what is going wrong? If an organisation has such a process in place - and if not, why not - then there should be a perfectly good mechanism for articulating security risks to the Board and the Audit/Risk Committee in a form that they cannot possibly ignore without breaching compliance requirements.

Of course it might be that the risks have not been adequately assessed. Perhaps they’re out of date, for example? This can easily be remedied. Or maybe the risks are not significant enough to engage Board attention? In that case the system is working, so what’s the beef? However, I’ve also noticed that this logical response of mine doesn’t quite hit the spot. So I suspect there is a deeper problem that I’m missing. Can someone put me right?

February 14, 2007

Responding to the Growing Complexity in IT and Security

Last night’s BCS Security Forum Strategy Panel meeting included an interesting round table discussion on complexity. It’s a subject that’s been occupying my mind for three decades ever since I was first introduced to the fascinating world of cybernetics and control theory at Cass Business School in the late 70s. It’s also a current hot topic for many IT and Security professionals who are encountering major challenges getting to grips with the increased complexity of modern infrastructures and systems. Why is this happening? And what can we do to improve the situation?

Continue reading "Responding to the Growing Complexity in IT and Security " »

February 17, 2007

The Importance of Security Surveys

I’ve just been checking out the new Symantec IT Risk Management Report. It’s the result of a year-long study based on interviews with IT executives and professionals around the world. Such surveys are mandatory reading for security managers as they can provide a valuable insight into trends and provide useful collateral evidence for business cases.

So what does this report tell us? Unfortunately, like too many of these surveys, there’s not much that’s of practical use to a CISO. Highlights include unsurprising findings such as the following.

“IT professionals rate themselves more effective in their deployments of technology than of process controls.”

“More-effective organizations – even though they often face higher risk levels – expect fewer incidents than less-effective organizations”.

“Best-in-class organizations perform with high effectiveness across most controls.”

“Differing internal viewpoints on IT Risk, and poor alignment between IT Risk Management programs and overall business objectives, may themselves create risk.”

“Poor organizational support for IT Risk awareness and training is both a compelling example of poor alignment, and a major cause.”

“Best-in-class IT Risk management requires a disciplined approach…across people, process, and technology.”

As Basil Fawlty once put it: “Can’t we get you on Mastermind…specialist subject: stating the bleeding obvious…”

February 21, 2007

Online Shopping Deserves Better Security

Research just out today from Symantec indicates that the UK's online economy is suffering from a serious lack of confidence. Two thirds of consumers believe that they are at risk from online fraud, and 30% agree that Internet security concerns prevent them from making online transactions. This is worrying but not surprising.

What's the answer? Two things: higher security standards and better assurance for consumers that the standards are being applied. But we already have this in the PCI (Payment Card Industry) Security Standard. And it's been around for a couple of years. So why is it not being applied? Several reasons: it's tough, it's highly prescriptive, it's expensive, and it's not been strictly enforced so far.

Prescriptive approaches always generate pushback, but they do ensure that organisations pay more than lip service to security. Most prudent organisations are responding to the PCI Standard, but slowly and reluctantly. Things will speed up when we see heavy fines being imposed. That's not happening just yet. But PCI Security Compliance is unlikely to go away. So keeping your head in the sand is not a sensible approach. The real shame is that we have to rely on heavily enforced standards to fix the problem. Because customer security concerns should be high on the agenda for every online business.

March 12, 2007

Secure Software Development

My recent posting on the KTN Cyber Security Special Interest Group attracted a comment from my fellow CW blogger Stuart King, pointing out we need a plan of action rather than another white paper. He missed the point. The paper is intended to identify the barriers and make recommendations. It will be a plan of action.

The barriers to secure software development are numerous: ignorance, perceived cost, lack of standards and absence of methodologies (to mention just a few). All initiatives in this direction will help raise awareness. No one group has a monopoly on these issues. We all need to create a climate for change. Starting now.

March 17, 2007

The Importance of Closing the Loop

I'm often asked what it is that characterizes a good security function. What separates the best from the rest?

If I'm forced to select one single thing, I would say it is the ability to close the loop, i.e. to check that policies, standards and controls are actually being implemented. Failure to do so is in my view the most common reason for ineffective security programmes. And it's probably the root cause of the widespread security breaches referred to in my last posting.

Publishing policies and standards should be viewed as the start, not the end, of corporate governance. Requirements need to be translated into action by users. And that's increasingly difficult in today's fast-moving business environment. Managers and staff don't have spare time on their hands to implement new controls. You can spend as much time as you like drafting and communicating security requirements. But if you don't check that they're being implemented, you could be wasting your time.

That's why I believe ISO Security Certification should be the cornerstone of an enterprise security programme. It's straightforward, efficient and it works. Many people make the mistake of automatically assuming it will be very expensive and time-consuming. It need not be, though it will cost you a lot if you don't have any security controls in place. But if you have a mature security function, then it should be a straightforward, affordable process. It will highlight numerous shortcomings you didn't know about. But most items can generally be fixed with a reasonable amount of effort in time to gain or retain your certification.

Closing the loop today is a manually intensive process, requiring documentation reviews, interviews and inspections. I often reflect on what it might look like in ten years' time. Can we automate most of the process using new discovery technologies? Will it be like running automated diagnostic tests on a modern car? But whatever the future holds, one thing is certain. It will be even more important to check that all controls are in place and functioning correctly.

April 2, 2007

Why We Need The PCI Security Standard

Last week's disclosure by TJ Maxx that hackers had stolen details of a staggering 45.7 million customer payment cards highlights several important points.

Firstly, retailers need to get their security act together. Sensitive customer data must be encrypted at all times and processed on secure platforms with effective intrusion prevention. Good key management is especially important. e-Business has transformed the retail sector, making security a major business requirement. But far too many retailers are laggards rather than leaders in this area.

Secondly, customers should be warned promptly about potential breaches if confidence is to be maintained. Despite all the complaints, Californian Law SB 1386 is proving to be both necessary and helpful for ensuring organizations come clean about security breaches.

Thirdly, the Payment Card Industry (PCI) Security Standard may have its faults but it's clearly necessary to ensure merchants and merchant acquirers raise their security game. PCI Security might be a little too broad in scope, over-prescriptive and expensive to implement. But we clearly need it.

April 11, 2007

Wilfing - The Curse of Security Architecture

This week's media has been full of claims from a YouGov survey that two thirds of the UK's Internet users waste a large amount of their time aimlessly chasing distractions or "wilfing" (What was I looking for?). But let's be honest. Wilfing is a much more widespread malaise that's infected many areas of IT and security. In particular, it's a curse on security architects. That's because architecture should be no more than a means to an end, but unfortunately that end frequently gets lost in translation.

In today's jargon-driven IT world, real business requirements, such as "what are the security requirements for this platform" are likely to be communicated as "we need a security architecture". Such a demand can spawn a new project or job function with a momentum and direction all of its own. Inexperienced architects will search high and low for examples of real security architectures, only to find that any instances they uncover are incompatible, having been produced at different times, for different purposes, by different individuals, with different levels of experience. On the other hand, the experienced architect will dust off one that was created earlier. But sadly it's unlikely to be fit for the new purpose.

Years can be spent pursuing the Holy Grail of the all-encompassing enterprise security architecture. Only to find that - as John Zachman discovered many years before - you need a collection of different models. You can then spend further time categorizing, normalizing and connecting all of the individual sub-models. Along the way, enthusiastic architects will discover or develop architectural principles for enabling greater flexibility. And clever ones will introduce additional dimensions, such as time. The scope and sophistication of the target architecture will continue to grow, much as work expands to fill the time available. But eventually hard decisions will be taken and an operational version will be delivered.

Unfortunately, in practice nobody will quite know what to do with this architecture, except perhaps to cover that ugly stain on the wall or to pad out their PowerPoint presentation. It will progressively become outdated and ignored. Until, of course, someone else comes along searching for an example of a real enterprise security architecture.

April 16, 2007

US Government Scorecard Shows Improvement

An interesting metric I've been tracking for some years is the annual score card on the security status of US Government departments published by the US House of Representatives Committee on Government Oversight. This process measures the compliance of departments against a set of standards laid down by the Federal Information Security Management Act (FISMA). The latest version released last week shows a marked improvement from a poor baseline. Homeland Security, for example, has raised its score from a miserable "F" to a mediocre "D". But this is a step in the right direction and should be applauded.

Not surprisingly, the measures used are controversial. Critics claim it's bureaucratic, placing far too much emphasis on documented plans and processes rather than on the actual vulnerability status of networks. Controls such as documented risk assessments and educational processes might not guarantee tight security. But they do make a big difference. In practice, I've noted a strong correlation between the levels of management controls implemented by service managers and the vulnerability of their platforms to technical attack. That's why I'm a supporter of control standards and certification processes. The FISMA standards used might need some refinement but the overall approach is correct.

May 14, 2007

Federated Identity Management - The Real Issues

Recently I've been advising a colleague in a large organization about the options for implementing applications requiring extensive access by multiple third parties, many of which are direct competitors. It's becoming a common business requirement.

Interestingly enough, in my view the biggest risks are associated with human error and process controls, rather than the strength of the technical solutions. These days you can buy security technology to authenticate and control user access for just about any situation. And even more solutions are in the pipeline. Cost considerations and legacy constraints are also less of a show-stopper than they used to be. But the one thing you can't easily fix is the impact of a human error, especially given the appalling track record of the less-than-watertight access administration that is to be found in many large organizations.

It's a tough problem. In my Shell days we were cautious about opening up the infrastructure to outsiders, so we spent a lot of time fine-tuning the contractual and administration processes to minimize the risks associated with third party access. Regular site inspections and audits of access control lists were par for the course. But in a fast-changing business world with proliferating external access and multiple communication channels, this bespoke approach is expensive to sustain. Some large organisations now have more third party users than employees. We have to run either faster or looser to avoid holding up business operations. So don't get hung up about the technology. That's the easy part. Focus on the administration processes. Because that's where the real security risks and the operational improvements are to be found.

May 15, 2007

How Business Continuity is Changing

This week I'm speaking at Sapphire's excellent NISC8 Conference in St. Andrews on "The Art of Business Continuity Management". It's a subject close to my heart as I've been an active practitioner for the last two decades. I've also seen it change enormously. It used to be called Disaster Recovery Planning until business managers hijacked the subject. I recall that happening at the start of the nineties. Visiting an overseas Shell operating company, I explained to their Managing Director the importance of continuity planning for IT services. He told me to forget IT and focus on the oil and gas evacuation process. It was a much higher priority for him. So for the next ten years I had the pleasure of exploring the fascinating world of oil wells, pipelines and tankers.

I thought it was pretty challenging in those days to coordinate a single management response across a complex value chain in a large organization. But things are even tougher today. Everything is becoming virtualized. Global supply chains, storage area networks, grid computing, web services and extended-enterprise working have transformed the business operating environment. You can't draw a line around processes any more. And they're highly volatile. As much as you try to nail them down, they keep changing.

So what's the best approach to modern Business Continuity Management? In my view the answer is simple, though far from straightforward. The trick is to apply the same transformation to the solution that we're experiencing in the problem space. We need to virtualize the management process, building virtual response team structures, virtual crisis rooms and flexible response processes.

May 29, 2007

IT and Physical Security Management - Should they be Integrated?

An Australian friend of mine sent me this reference to a recent story of a sophisticated physical attack on point-of-sale terminals handling financial transactions. It's not the first nor is it the last incident of its kind. But it's not the type of attack we routinely encounter, because it requires a rare combination of knowledge, access and skills.

Of course one could argue that terminals handling sensitive data should always have the maximum degree of in-built, tamper-proof protection. But the best answer is to provide the right combination of physical and technical security protection. Which raises the question of how best to ensure an effective blend of IT and Physical Security. Should we consider integrating these very different functions? It's becoming fashionable in some quarters. A few leading UK banks have opted to combine IT Security with Fraud or Physical Security. And more recently the UK Government Centre for Protection of National Infrastructure (CPNI) has decided to merge its IT and Physical Security advisory functions. Are they right? Should we follow suit?


June 14, 2007

What Makes a Top CIO?

It's a thankless though often lucrative job being a top CIO. Many of the most promising candidates - the ones that really understand how to use technology to transform a business - don't survive the cut and thrust of Boardroom politics. Political survival is a necessary skill, though it tends to add value to the individual rather than the organisation. Ideally, we need visionaries who can grasp the potential of IT and translate it into compelling business language. But in practice most CIOs struggle to align IT imperatives with business interests, especially in a competitive business environment where IT professionals are treated with contempt by business managers.

So I'm always interested to see how CIOs perceive success and, in particular, how they rate their counterparts, many of whom are likely to be direct competitors for the next major headhunt. Silicon.com's recent poll of the UK's top 50 CIOs provides a fascinating insight. I wish I'd been able to place a bet on this poll because I would have picked up a few bob. Top of the list was no surprise: Paul Colby of British Airways. Paul is a clear leader in his field because he's highly successful and, unlike many of his peers, operates seamlessly across IT and Business. He's transformed BA's business model through smart use of e-Commerce. He's also beefed up their security considerably. On top of that he's a great presenter and a very nice guy. We need more like him.

June 17, 2007

The Global Compliance Environment

This Wednesday I'm delivering a keynote address at a CIPFA/ISACA Conference in Birmingham on Emerging Compliance Requirements. The subject of my talk is "The Global Compliance Environment", a subject that's already engraved on many security practitioners' hearts as international events, initiatives and interests generate wave after wave of new legislative and regulatory compliance requirements. Can we expect to see an end to the mounting compliance burden? Not in my view. In fact it's more likely that the demands will get broader, deeper and tougher, as governments, regulators and large organizations follow suit in adopting and imposing standards and best practices across countries, industry sectors and supply chains.

Few organisations have had sufficient foresight, time and resource to adopt a strategic approach to compliance. But quick fixes to ad hoc demands are the most expensive solutions. Organisations need to spend time designing smarter compliance systems, to reduce the time and effort required to identify requirements, assign responsibilities, train staff, gather data, conduct audits, assess findings and track remedial work. Keeping your head in the sand might delay the pain in the short term but the cost of compliance will catch up with everyone in the end.

July 9, 2007

Identity Management – Who Decides?

Today’s DTI Conference on “Ensuring privacy and consent in identity management infrastructures” was a significant step forward for identity management and privacy in the UK. Amongst other things, it demonstrated that Government stakeholders are open to new ideas and, more significantly, they’re prepared to fund them. They're also attempting to engage a broader audience of contributors from Industry, Government and Academia. I applaud that.

Some cynics would regard my views as optimistic, perhaps a little bit “on message”. That’s not correct. I’ve been a vocal critic of security in the National Identity Card programme, though I found little to fault in what I heard yesterday. I have high standards of expectation about both the level of security and the degree of consultation with the public. But I’m also realistic about the politics, the risks, the opportunities and the options. So I try to frame my criticism in the context of what's reasonable, affordable and, most importantly, do-able.

Not everyone agrees with me. Caspar Bowden of Microsoft, for example, questioned the lack of privacy technology professionals in the room, suggesting that the assembled audience might not have sufficient knowledge to shape public policy and research. I disagree. What we need is a blend of visionary technologists, down-to-earth commercial users, experienced social scientists, smart marketers and experienced practitioners. That’s how you solve those difficult, complex social and technical problems.

I believe the UK Government is trying to get that balance right. It’s taken a while to engage some of the key stakeholders. But let’s keep that dialogue going. We must not let important societal subjects be hijacked by the tiny elite of privacy anoraks. I’d rather hear more from the battle-scarred practitioners of real identity management projects, and the social scientists who’ve spent their time trying to understand the motivations of the Echo boomers. We need to draw on a wide range of skills and experience to solve the numerous social and business problems associated with federated enterprise identity management. Please don’t leave such decisions to the handful of enthusiasts, the politically-correct brigade or the (hopefully) shrinking army of neo-Luddites.

July 10, 2007

Data Breach Disclosure Will Focus Minds and Business Cases

I was interested to read the results of a Secerno poll reported in today’s Computer Weekly. The poll reveals that 77% of IT Security professionals back a UK data breach disclosure law, and that around half of those who back such a law believe that companies should be forced to disclose a data breach immediately.

It’s reassuring that so many professionals are prepared to risk their careers in the interests of leveraging the business case for their security budgets. Because disclosure is a double-edged sword. It imposes a reporting burden on companies and it presents a threat to management. But it also helps protect customers and leverages business cases for security improvements. I’m a strong advocate for such reporting because it makes business units pay closer attention to security.

We all understand the importance of engaging business managers in security risk assessments. But in practice too many managers interpret this as an excuse for not spending money. Risk appetite too often becomes correlated with the cost of security, rather than the business impact of breaches. Data disclosure helps bring home the consequences of incidents. And as any good psychologist will tell you, the key to achieving a behaviour change is to highlight consequences of people’s actions that are personal, immediate and certain.

As with any significant change, there will be casualties. We’ve already seen data leakage incidents this year that have cost companies millions - perhaps billions - of dollars. Let’s hope that other organisations will learn quickly from their pain. And let’s hope that Crown immunity won’t prevent Government ministries from disclosing their breaches. Of course the real answer to that one is to place sensitive citizen databases under the management of private sector specialists operating under strict Government regulation. Because Government is good at that.

July 16, 2007

The Implications of Merging Business and Personal Lifestyles

I’ve written before on the challenges presented by the progressive erosion of the traditional boundary between business and personal lifestyles. It's all a consequence of the growth of digital networks, so it's a long-term, unstoppable trend. So far, most of the issues encountered have been concerns for the employer: problems such as the difficulty in enforcing complex acceptable use policies, or of balancing the human rights of employees against compliance demands for scrutiny of their communications.

Now we have a problem for employees, with a recent court ruling reported in The Register which suggests that employers might have grounds to demand ownership of their employees’ social networking information, if it has been prepared in the course of their employment. This particular ruling forced a UK journalist to hand over the contents of his contacts list to his employer after he had left the company. According to legal experts, the key determining factor is not where the data is stored but the set of circumstances under which it was created.

Given the rapid growth in social networking and the short-term nature of many work contracts, it’s clearly important for employees to separate and secure their personal and business interests. Because it might be just as easy for an employer to take over a departed employee’s contact lists as it is for the employee to walk off with his company’s customer information.

July 23, 2007

More Personal Data at Risk

Just when I thought that most organisations would have learned the lessons from the recent spate of high profile data breaches, we hear that SAIC has admitted placing at risk the personal data of over half a million military service personnel.

It’s surprising as one would have expected military personnel records to warrant tighter security than the average personnel database. It’s even more extraordinary when one considers SAIC’s background in IT security, having founded the original Information Sharing and Analysis Centres (ISACs), and currently claiming a strong capability in physical and cyber security. To quote their Web site: “Our engineers are experts in safeguarding information, systems, and web sites. With our approach to security services, SAIC can help you effectively manage risk and protect your business-critical data.”

So what happened? Details are a little sketchy but SAIC have admitted storing personal data on a “non-secure server” and transmitting it over the Internet in unencrypted form. According to one US newspaper report, the company was notified by the US Air Forces in Europe that it had detected an unsecured transmission of the information. Of course there’s no reason to suspect that any of this data has been compromised, other than the fact that Defense systems do attract a fair amount of hacking and eavesdropping attacks.

It’s interesting to note the immediate actions and costs following such an incident. SAIC have retained Kroll to provide services to affected individuals, including an Incident Response Centre with extended hours, information resources and credit and identity restoration services for any identity theft victims. The cost of these services is estimated to be in the range of $7 million to $9 million, excluding credit restoration costs. That’s around $12 to $15 per individual record potentially compromised. With potentially more to come.

So what could have been done to prevent such breaches? Plenty, including ensuring that regular penetration tests and information security audits are carried out on all in-house and outsourced services. That’s why we developed the ISO 7799 standard and its associated certification schemes. Now that we have standards and mechanisms to certify services, there’s no excuse for not using them.

July 31, 2007

What’s in a Name?

“'Tis but thy name that is my enemy” wrote Shakespeare. And the same might be said for many professionals operating in the Information Security field. Job titles are proliferating to the extent that it’s becoming difficult for managers and security vendors to figure just where to direct enquiries. I was mindful of this recently when a colleague in a large organisation asked me for advice on job titles for his growing security community.


August 5, 2007

Security Needs a New Direction

The UK newspapers are full of more stories about the dreadful state of Heathrow Airport. But it’s not surprising. It's a sign of the times. And the fault lies with security. Because its objectives are outdated. They need to be refocused to reflect the new challenges of the Information Age.

In the past, security was primarily directed at safeguarding static assets, whether physical or intellectual. The introduction of networks has generated the need to move towards a more dynamic security model. In particular, the new focus needs to be on exploitation rather than ownership of assets. Because we now have a powerful international infrastructure to move information to where it can most profitably be used.

Alvin Toffler first pointed this out several decades ago. He wrote that “as time goes on the most important thing about a scientific and technological base may not be what information is in it at any given moment, but the speed with which it is continually renewed and the richness of communication carrying specialized know-how to those who need it and acquiring knowledge swiftly from all over the world. It is not the stocks but the flows that will matter”.

But Toffler missed a bigger picture. It’s not just flows of information but flows of people and products that generate business value. I’ve been preaching this message since the atrocities of 9/11 led to many business flows being stopped dead in their tracks in the name of security.

I’ve made this point many times to national security representatives. The response is always the same. “Yes we agree that security must be balanced against business needs.” Wrong. It should set out to keep business moving. The authorities just don't get it. And that’s one reason why Heathrow is in such a mess.

August 10, 2007

House of Lords Report Points the Way Forward

Today the House of Lords Scientific and Technology Committee published its long-awaited report on “Personal Internet Security”. It’s worth reading and quite a good introduction to the subject for a lay person. (Your CEO for example.)

The report makes many excellent and timely recommendations, including more research into alternative network architectures, higher security standards for Internet services, less immunity for ISPs, more liability for vendors and banks, introduction of a data security breach notification law, beefing up the Information Commissioner’s Office, establishing a national e-Crime unit supported by a network of forensic laboratories, and tougher sentencing guidelines.

This report demonstrates that the establishment has grasped the importance of the Internet and its security to society and industry. It’s a welcome sign of the times. And it provides a good blueprint for immediate Government action.

August 21, 2007

The Strange World of Large Digital Networks

The recent three-day unprecedented outage of Skype services highlights some interesting characteristics of contemporary networks. Does it matter what really caused it? Probably not, because the real issue is that we don’t fully understand modern digital networks, whether you accept the Skype line that it was all triggered by “a massive restart of users’ computers across the globe within a very short timescale” or prefer to believe the inevitable accusations of rivals that it was all down to fundamental flaws in their systems. The problem is that large digital networks are a law unto themselves. They are often unpredictable and they frequently exhibit behaviour that appears to be self-generated.

Hub-and-spoke networks are particularly hard to fathom, because they possess entirely different topological (and other) characteristics from traditional point-to-point organic networks. Important characteristics such as performance, security and failure rates can be very, very different in these so-called, scale-free networks. You need to be an expert in complexity theory to gain any insight into what’s really going on.
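As an added illustration that is not part of the original post, the following stdlib-only simulation makes the "very different failure rates" point concrete. It assumes a preferential-attachment graph as the model of a hub-and-spoke (scale-free) network and a random graph of the same size and edge count as the baseline, then removes the same number of nodes either at random or by highest degree; the scale-free graph tolerates random node loss but fragments when a few hubs go, which is the classic network-science result rather than something the post itself states. All inputs are constructed in the code.

```python
"""Scale-free vs random network resilience (added illustration, stdlib only).

Builds two undirected graphs with the same node and edge counts: a
preferential-attachment graph (hub-and-spoke / scale-free) and a random graph.
It then removes the same number of nodes, either at random or by highest
degree, and reports what fraction of the surviving nodes still sit in the
largest connected component. All inputs are constructed here; nothing is
captured from a real network.
"""
import random
from collections import deque


def preferential_attachment(n, m, rng):
    """Grow a graph Barabasi-Albert style: each new node links to m distinct
    existing nodes chosen with probability proportional to their degree."""
    adj = {i: set() for i in range(n)}
    targets = list(range(m))      # the first new node links to the m seed nodes
    repeated = []                 # each node id appears once per unit of degree
    for new in range(m, n):
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
        repeated.extend(targets)
        repeated.extend([new] * m)
        chosen = set()
        while len(chosen) < m:    # degree-weighted sampling without replacement
            chosen.add(rng.choice(repeated))
        targets = sorted(chosen)
    return adj


def random_graph(n, n_edges, rng):
    """Uniformly random simple graph with exactly n_edges edges."""
    adj = {i: set() for i in range(n)}
    edges = 0
    while edges < n_edges:
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b and b not in adj[a]:
            adj[a].add(b)
            adj[b].add(a)
            edges += 1
    return adj


def largest_component_fraction(adj, removed):
    """Fraction of the non-removed nodes that lie in the largest connected
    component once the removed nodes (and their edges) are ignored."""
    alive = [v for v in adj if v not in removed]
    if not alive:
        return 0.0
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w not in removed and w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best / len(alive)


def remove_random(adj, k, rng):
    """Random failure: k nodes picked uniformly."""
    return set(rng.sample(sorted(adj), k))


def remove_hubs(adj, k):
    """Hub failure: the k highest-degree nodes go down together."""
    return set(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k])


def compare(n=600, m=2, fraction=0.05, seed=7):
    """Run both removal strategies on both graph types; returns a dict of
    max degree and largest-component fractions for each graph."""
    rng = random.Random(seed)
    scale_free = preferential_attachment(n, m, rng)
    n_edges = sum(len(s) for s in scale_free.values()) // 2
    rand = random_graph(n, n_edges, rng)
    k = int(n * fraction)
    results = {}
    for name, g in (("scale_free", scale_free), ("random", rand)):
        results[name] = {
            "max_degree": max(len(s) for s in g.values()),
            "random_failure": largest_component_fraction(g, remove_random(g, k, rng)),
            "hub_failure": largest_component_fraction(g, remove_hubs(g, k)),
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:11s} max degree {r['max_degree']:3d}  "
              f"largest component after random loss {r['random_failure']:.2f}, "
              f"after hub loss {r['hub_failure']:.2f}")
```

Run it a few times with different seeds: the ordering (hub loss hurts the scale-free graph far more than random loss, and far more than hub loss hurts the random graph) is stable even though the exact fractions move.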

Customer behaviour can also generate strange effects. Users might, for example, generate a huge increase in transactions when response times are slow by constantly pressing the send key. Collaborative, simultaneous network effects are also possible. Put all this together and we can expect some interesting times as organisations move towards increasing dependency on large-scale, hub-and-spoke digital networks.

In my view we need a lot more research and much better education to understand the real consequences of managing modern digital networks. I’ve occasionally pointed out some of these problems to business managers responsible for implementing new hub-and-spoke networks. Their reaction? Rather like a frightened rabbit in headlights.

September 12, 2007

What Top Security Professionals Really Think

Just published on the Computer Weekly Website are a couple of videos of interviews I conducted recently with leading Heads of Security from interesting organisations. They’re worth watching.

The first interview is with Sandra Barton-Nicol, Head of Risk Investigations for Betfair, the largest online betting exchange in the World. It’s interesting to hear Sandra’s perspective on risk. As she succinctly points out, “our business is gambling but we don’t gamble on risk”. The second interview is with John Meakin, Group Head of Information Security for Standard Chartered, a bank with a long history and an impressive global network. John is a highly experienced and award-winning CISO, having previously led security functions in Reuters, RBS, Swiss Bank Corporation and Dresdner. It’s interesting to hear his perspective on the challenges of managing security across a changing business landscape.

But for me, the really interesting aspect of these videos is that it’s a breakthrough in training and awareness. Security practitioners and students across the world can now gain access to the views of leading professionals, and hear it straight from the horse’s mouth.

September 19, 2007

Beware Publicity-Seeking Security Gurus

For the past few days I’ve been reading some strange reports coming out of a Gartner Security conference in London. Enough to make me wonder whether the speakers are on the same planet as the rest of us. I’d be highly interested to hear from anyone that attended this event. Surely it couldn’t have been as daft as the media coverage suggested?

The first story I spotted was a plea from John Pescatore, a Gartner analyst, for organisations to spend less on IT Security. I’m speechless. In my experience it’s extremely rare for an organisation to overspend on security. It can happen occasionally, for example following a major incident. It also used to happen in some arcane areas of Government many years ago. For example when millions of dollars were spent on unnecessary Tempest protection. But I have to say that these cases are exceptions and the general picture has been a widespread under-spend in most of the vital areas of security, including education, architecture, identity management, development, testing and certification audits.

The second story that caught my eye was a remarkable claim by Joanna Rutkowska, a security guru with several years’ experience, who thinks that “major software packages such as operating systems could be secured through code auditing and formal verification – but it may take as long as 50 years before this is possible”. A reassuring sentiment but as Keynes pointed out, in the long run we’re all dead. Yet there are many practical, sensible steps that can be taken today to secure systems by applying sensible principles and controls for architecture, coding, testing and maintenance. Formal verification is an interesting aspiration but a bit of a wild goose chase.

So ignore these claims. Spend more on security. And encourage your developers and vendors to develop secure systems. You shouldn't need a security guru to tell you that.

September 21, 2007

The Long Road to PCI Compliance

There are always plenty of businesses that have to be dragged kicking and screaming to the compliance killing floor. So it’s no surprise to read a survey by The Logic Group that suggests that only ten percent of organisations are fully compliant with the mandatory PCI security standard.

Closer analysis of the figures, however, shows that retailers are well on their way to compliance. According to the survey, awareness levels are up to 100% from 85% last year and 45% the previous year. And eight out of ten merchants have assessed the impact of the PCI standard on their business. It’s clearly a slow process and understandably so, as PCI DSS is a highly prescriptive and potentially expensive standard to meet. I could never envisage any streetwise retailer diving in and implementing all those measures without a careful scrutiny of the financial and operational impact and a good look sideways at what everyone else is doing.

Compliance is not an overnight activity. It requires a gap analysis, impact assessment, business case and a rectification programme. You can’t conjure new budgets and the necessary resources out of thin air. According to the Logic Group survey, three quarters of companies are committed to achieving PCI compliance over the next 18 months. And of these more than 40% are already in the remediation stage.

There are always laggards, so it’s not surprising that 6% admitted to not having yet started the journey. What will happen to them? That’s the really interesting question. It will be interesting to see what fines and sanctions will be applied.

October 4, 2007

Patient Records – The Debate is Just Starting

Earlier this week I attended a British Computer Society event “Public health - private data?” hosted jointly by the BCS Health Informatics Forum and the BCS Security Forum. This is not a new issue. Privacy advocates have long been banging the drum about this issue. The media has covered it extensively. And most British taxpayers are aware that the Government is investing billions of pounds in new infrastructure to enable their medical records to be more readily accessible. But I came away with the impression that we are only just commencing the much-needed debate on the ethics, requirements and solutions associated with safeguarding the privacy of patient records.

The first thing that struck me was that two BCS groups of professionals had decided to join forces to discuss these issues. (A third one, the Ethics forum, is also connected.) This is unprecedented in my experience. The second thing I noticed was the high degree of consensus amongst those present on many of the key issues. That's also unusual. But the most striking impression of all was the sheer difficulty of the problem space created by the change from storing unique copies of paper records in local cubby-holes to downloading electronic images from joined-up broadband networks. The problems generated are serious and hard to resolve. Given enough cash, we can solve the technical ones, though they do require a few well-overdue developments in identity management. The real issue is developing and implementing an acceptable set of rules governing just who can see what, as well as under what circumstances they can be overridden.

It's the type of problem that some academics might classify as a “wicked problem”. Full of incomplete, contradictory and changing requirements. Such problems, like terrorism, are often found in areas associated with public policy. They don’t have clear-cut answers. What’s needed is an effective public debate. That’s not yet happened. But when I see healthcare, security and ethics professionals joining forces to discuss these issues, I feel a little bit more confident that we’re making some progress towards that goal.

October 16, 2007

One Step Back for the Compliance Bandwagon

Last weekend California Governor Arnold Schwarzenegger vetoed legislation to make merchants financially liable for costs due to retail data breaches. No doubt this was a huge relief to banks and retailers operating on the West Coast. But they shouldn’t allow themselves to be fooled into a false sense of security. Because the underpinning trend is for the compliance bandwagon to continue to gain strength.

When rejecting the AB 799 bill, Arnie is quoted as saying “it attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities”. That might well be the case but the track record has been that, in the absence of tough legislation, few organisations pay enough attention to the protection of customer data. And the legislation had plenty of political support, having been approved by the State Assembly and Senate with overwhelming majorities.

It’s in line with my forecast last year of a growing backlash to tougher compliance demands. Expect the occasional glitch, but the compliance bandwagon is relentless. And for those of you who think that California is a long way from your business operations, it’s worth noting that, since it pioneered the controversial data security breach disclosure law, SB 1386, nearly 40 other states have followed suit. Tougher legislation is coming everyone's way.

October 17, 2007

Compliance Demands Are Getting Too Prescriptive

Benjamin Wright’s comments on the ill-fated California AB 7799 Bill raise an important criticism about emerging compliance demands: they’re getting too prescriptive. This was a trend I pointed out last year. It’s because too many inexperienced standards-setters are now driving the agenda. The PCI Security Standard was an early indication of this trend. It's typical of a standard drafted by industry specialists, not experienced regulators or standards professionals.

Experienced regulators and seasoned standards writers tend to avoid solution-focused requirements. Regulators strive to maintain a level playing field, and you can’t do that if you prescribe a solution based on the practices of individual organisations. Standards professionals also recognise that prescriptive solutions restrict innovation and don't stand the test of time. Unfortunately these considerations are not widely appreciated. And we don't have training courses for standards writers. But the stakes are getting higher. We need more standards for standards. Physician heal thyself.

October 19, 2007

Collaboration is the Key to Tackling Cybercrime

Yesterday I attended a Parliament and the Internet Conference at the House of Commons. It’s a great forum which brings together many leading UK stakeholders from Government, Parliament, Academia and Industry to debate key policy issues. Not surprisingly, the issues of cybercrime and governance were high on the agenda. I came away with three striking impressions.

Firstly I was impressed by the consensus view of the room that this is a complex, fast-changing set of issues that demands a collaborative and integrated approach. Neither a centralized or hands-off approach to governance will solve the problems. In particular, Industry, Government and Law Enforcement need to develop effective working relationships to tackle the issues.

Secondly I was pleased to see that Commander Sue Wilkinson is making excellent progress establishing a much-needed e-crime capability for the UK. I was disappointed by the loss of the National High Tech Crime Unit. It was a major setback. But now it looks like we’re back on track, and with a stronger mainstream focus.

Thirdly it was impossible not to be hugely impressed by Nicholas Negroponte, who flew in from the US to present his One Laptop per Child initiative. Nicholas and his brilliant colleagues at MIT Media Lab and TTI/Vanguard have long been heavyweight thought-leaders and imaginative innovators. This initiative is the culmination of many years of experience in studying the impact of technology on education. The aim is to distribute low-cost laptops to children across the world. It’s a powerful initiative and a well designed product with many interesting features, including Alan Kay’s excellent Squeak programming language. It also has in-built security features, including a unique, high-profile appearance to deter theft. (That’s why US postal vehicles don’t get stolen.) This initiative will have a huge impact on the world, and on security. It deserves our full support.

November 5, 2007

The Long and Growing Arm of the Law

It’s not easy to ensure your business meets all the relevant legal and regulatory compliance requirements. There are just too many of them for an average business manager to take in. It’s difficult enough to spot remote legislation such as Californian Law SB 1386, which requires companies to notify Californian citizens (who might be employees or customers) of incidents affecting them. But a recent development now suggests the compliance net might be even wider than this.

Michael Geist, an Internet law professor, explains the problem in a disturbing story on the BBC Web site about the International Music Score Library Project, a Canadian Web site which had built up a collection of musical scores for which the copyright had expired in Canada. After two years of operation the site had become the largest public domain music score library on the Internet. But it was closed down a few weeks ago following a legal demand from an Austrian music publisher to block European users from adding new scores for which copyright had not expired in Europe (which has a longer copyright term than Canada). If this legal demand is correct, it means that the longest copyright term in the World automatically applies to all publishing sites. It has serious implications for online businesses, as it suggests they may have to comply with the laws of every country that can access their sites, resulting in a possible showstopper for e-commerce and a bonanza for aging rock stars and intellectual property lawyers.

November 7, 2007

Keeping up with Regulatory Compliance

I’m often asked how best to keep up with the compliance bandwagon. It’s not easy. You can subscribe to the expensive IT research services offered by the likes of Gartner or Forrester, but much of the coverage can be rather selective, according to what happens to catch the analyst’s attention. And if you’re working in compliance you need more immediate, more comprehensive feeds than that.

So I’m always on the lookout for up-to-date, reasonably-priced sources of authoritative advice on compliance practices. Today I was fortunate to meet up with Ryan Rubin, an ex-Jericho Forum enthusiast now working for Protiviti, a company that specialises in compliance. He pointed me towards their excellent KnowledgeLeader Web site, which covers just about everything you want to know about the subject. And it can be accessed on a 30 day free trial, so you have nothing to lose by trying it out. It looks good and there’s a business interest in the follow-through, and hence an incentive to publish useful information at introductory prices. I have no commercial interest in the company, but I wish them well with their Web site. It fills a gap and it's very much the shape of things to come.

November 12, 2007

Security is the Foundation of Internet Governance

This week sees the second meeting, in Rio de Janeiro, of the Internet Governance Forum, an organisation established by the United Nations to debate public policy issues associated with the Internet. The obvious question is why we need any governance, other than the technical standards needed to enable everyone to communicate.

The answer to me seems clear. Outright anarchy is as undesirable as central UN control. Hopefully we can steer a course through these two extremes with a light but firm touch on the rudder, based on a solid foundation of consistent legislation, security and law enforcement. Public policy provides a vision but good security is the real enabler of electronic governance.

November 21, 2007

Personal Data Breaches Are Unforgivable

This week I’m in New York on a short visit but my attention has been grabbed by events at the UK’s HM Revenue and Customs, i.e. the announcement of the loss of discs containing personal data on 25 million citizens.

Following on from so many high profile data breaches earlier this year it seems quite incredible that such a breach could occur. But such mistakes will happen from time to time in any organisation that does not maintain an aggressive campaign of user education, mandatory controls and regular auditing.

This is unlikely to be an isolated incident. It's well understood in the safety world that behind every major incident, there are likely to be on average 29 minor incidents, three hundred near misses and perhaps thousands of bad practices. A similar pattern can be expected for security incidents.

Unfortunately the UK Government has been slow to catch up with the better practices of industry. In particular it has for too long resisted proven measures such as accredited certification, which is the only effective way of “closing the loop”, i.e. checking that corporate policies and standards are actually implemented in practice.

So it’s understandable and not really surprising to hear about a breach of this kind. But given the well publicized citizen concerns and learning points from previous breaches, it’s not forgivable. Action must be taken urgently to raise the bar on security standards for the public sector.

November 25, 2007

Knee-jerk Reactions Are Not the Answer

Today’s newspapers are full of finger-pointing and spin about the HMRC data breach. And the blogosphere continues to churn out mixed commentary and advice, some sensible and some ill-advised. Of course it’s human nature to respond in an emotional or political way to a major incident affecting tens of millions of citizens. But what’s needed now is a calm, patient analysis of the root causes of the problem and a well-thought-through solution for the longer term.

There are clearly systemic failings in the governance of security in the public sector. Some are historic, a result of a long-standing focus on national security, rather than prevention of fraud and theft. The focus of the former is very narrow. The latter is pervasive, requiring a rapid scaling up of specialist advice across the entire government sector. That’s one reason why the public sector is behind industry in its implementation of contemporary security. It will take years to build the necessary knowledge, skills and awareness across central and local government organisations.

A further constraint is operating within a political governance system designed to minimise central interference, other than through policy, targets, finance and selection of senior staff. Security requires strong, central monitoring and intervention to maintain standards. In industry you can draw on the authority of the Executive Board or CEO to get things done. You can’t play this card as effectively in the public sector.

We need solutions that encourage security standards to be more effectively deployed and business units more accountable. The former requires investment in central security agencies to develop stronger direction, support and monitoring. The latter can only be addressed through mandatory accredited certification. Just making a Board member responsible is not good enough. It helps but it doesn’t fully close the loop.

What’s certainly not needed is an ill-advised knee-jerk reaction, such as the bizarre call by Ross Anderson at Cambridge University to scrap CESG and replace it with a “civilian agency staffed by competent people” to give better advice to ministers. They already are a civilian organisation and, like the newly formed CPNI, they need boosting not shooting.

December 4, 2007

Social Networking – The Bigger Picture

A Computer Weekly survey indicates that organisations are more concerned about the impact of social networking on employee productivity than on security or reputation damage. As usual they are missing the bigger picture, which is the potential for fraud, social engineering, data leakage and, more importantly, the progressive transfer of influence over policy and decision making from corporate centres to networked staff. You might think that’s power to the people but it’s really power to well-organised minority interest groups. Social networking is also fiendishly difficult to police. It represents a step change in the erosion of barriers between business and personal lifestyles. That's much, much harder to measure and manage than employee productivity.

December 6, 2007

Closing the Loop – It’s not that difficult

I’ve been surprised by the number of people who believe that the root cause of breaches such as the recent HMRC data breach is culture. In my view these incidents are the result of a failure of governance. Policies and standards don’t implement themselves. You have to communicate them clearly and check that they’re being followed. If not (which is a given) then you have to lobby firmly to persuade managers to allocate the time, resource and money to close the gaps.

There are many reasons, other than culture, why people don’t implement corporate policies. In practice it’s very rare to find an employee that has taken the trouble to read them. And even rarer to find one that understands them. Published policies and guidance rarely achieve more than 20% penetration without an aggressive implementation programme. And they will progressively slip in any organisation that doesn’t maintain an ongoing education programme and a six-monthly review of the actual practices inside the organisation.

Visibility, testing, monitoring and audit are vital inputs to all security functions. They tell you what’s really happening on the ground. And they're straightforward processes, not difficult to implement. Corporate policy can be a powerful argument to persuade people to implement security. But if you don’t follow it up then it’s no more than a tick in the box for an Ivory Tower bureaucrat.

December 7, 2007

Think Tank Thinking Needs a Few More Ideas

After nine months of research, Demos, an influential “think tank” originally founded by journalists from Marxism Today, has delivered a report on the societal issues associated with personal identity information, called “FYI: The New Politics of Personal Information”. It’s a useful read as it comes from a research group with a track record of influencing public policy. It’s also a good, simple primer on the subject, perhaps useful as a “Janet and John” introduction to the subject for your senior management.

But don’t hold your breath in anticipation of groundbreaking, imaginative recommendations. That’s something that think tanks (an archaic concept from the 50s) rarely deliver. In fact there’s nothing new here. The report vaguely recommends (a month too late for potential victims of the HMRC data breach) that people should take measures to look after their personal data, that Government should develop a more coherent strategy, and that the rights of individuals should be strengthened. And of course that they should sponsor a lot more research by think tanks into the subject. All fairly obvious and safe conclusions. There is one interesting idea about banks offering some form of no-claims insurance for customers who successfully protect their personal information, but this sounds like something that would be better left to the banks to decide.

Yet there is so much that can be done now, starting with, for example, mandatory encryption of personal information and ISO accredited security certification for any organisation that deals with large-scale personal identity information. And stiff penalties for any organisation that fails to achieve this. But perhaps that’s all a bit too straightforward for a public policy think tank.

December 12, 2007

The Art of Model Development

Fellow blogger Philip Virgo mentioned to me today that he was developing a new security process model. It got me thinking about the principles of model development. Regardless of their purpose, the art of model development is a subject close to my heart. I’ve spent much of my career creating them for many different purposes. I’ve also studied the tricks of the trade of master craftsmen, such as Matthew West, Shell’s brilliant information architect, and Richard Pawson, inventor of “expressive systems”, a revolutionary technique for developing agile information systems. These skills don’t seem to be taught at universities or on IT training courses. Why not? That’s why so many operational models are clunky and sub-optimal if not downright inefficient.

So how do you design a good model? Well for me the first lesson is to accept that models are a means to an end, not an end in themselves. Focus on the objective and use, not the model itself. Each model represents an abstraction of reality, designed for a particular purpose and audience. It will not be as effective when applied in a different context. There are also distinct types of model. Process models are generally based on verbs, and data models on nouns. In practice you need both, especially if you’re designing an information system. But you have to be careful about how you mix them. Agile systems can be built on flexible user interfaces based on the “nouns first, verbs second” principle of object oriented system design.

Structure is crucial because it facilitates navigation and enables substitution of components, which might require revision at varying times. Fast-changing content needs to be isolated to ensure longevity. Smart designers employ four dimensional principles, taking account of the known past and potential future possibilities for the evolution of an entity or process. But even the smartest designer can miss the political consequences of design decisions. In my experience, the top level representation of any model is dictated by political, cosmetic and navigation considerations (in that order). It doesn’t matter how purist the top level design is from a modeling perspective. Its effectiveness will be determined by the lower level content and structure. But success is determined by acceptance and use. Because, as with many things in life, first impressions count for a lot.

December 16, 2007

2007 - The Year of Security Awakening

Looking back over 2007, it strikes me that it’s been a significant year for raised security awareness. There can’t be a single executive director who has not been shaken by the media headlines and the surprising political and financial impact generated by the security lapses at TJ Maxx and HMRC. Such incidents could happen to anyone at any time, because we simply don’t have the assurances in place to guarantee that personal customer data is fully protected throughout our business processes.

How should Management Boards respond to this problem? The natural reaction is to call in the auditors. They’ll advise you to budget for an expensive, end-to-end review of all customer-facing processes. And they won’t be wrong. There is no easy fix. The situation justifies a major overhaul of responsibilities, procedures and controls. The obvious response is to first establish an effective risk management process, to provide the logic and the supporting evidence to justify a selective response, which is easier, cheaper and more manageable.

The problem is that it places far too many minor security vulnerabilities on the back burner, which might bite back with a vengeance in the future. Deep rooted security weaknesses are like a cancer. They won’t go away and, unchecked, will eventually undermine their host. The real solution is to take decisive action to identify and eliminate the deep-rooted causes of security weaknesses. We need transformation, not quick fixes.

December 23, 2007

Seek and You Will Find

Many of my friends and colleagues express disbelief at the continuing saga of Government data breaches. It’s because they expect professional organisations to be on the ball when it comes to protecting sensitive data. If only they knew the truth! The situation is much worse than the public realise.

Today the media reports that nine UK National Health Service trusts have admitted to losing patient records. It’s just the tip of the iceberg. The fact is that information security has been given insufficient attention for the last three decades. Breaches happen all the time. We only find out about them if they hit the press.

Few organisations have effective incident reporting systems, and many types of breach, such as espionage and information broking are secret and invisible. Statistics provide a crude indication of what’s really going on. If you’ve been hit by a large, publicised breach, it’s likely that there are dozens of minor breaches, hundreds of near misses and thousands of bad practices lurking behind the bad news.

You can only assess the true status of security controls by carrying out a comprehensive audit. We need more of these. Keeping your fingers crossed has been a good bet in the past because breaches haven’t been widely reported. But the world is changing. A networked society can quickly establish what’s really going on. As they say in the Good Book, seek and you will find.

January 2, 2008

A Black Year for Privacy

Privacy International, a long-standing privacy advocacy group, has just released their 2007 International Privacy Ranking, including a rather black-looking map of the world indicating the state of privacy assessed for each nation. It’s a useful analysis for anyone interested in the subject.

The analysis indicates an overall worsening of privacy protection across the globe, reflecting an increase in surveillance and a declining performance of privacy safeguards. This is no surprise given the mushrooming growth in the capture and accessibility of information of all types.

Greece, Romania and Canada come out quite well, with the US rated as the worst in the democratic world and the UK lowest in Europe, rated alongside Russia and Singapore. The survey also rates the UK as a world-leader in surveillance schemes. I guess we have to be good at something.

January 12, 2008

Physician Heal Thyself

We’ve seen breaches committed by security companies in the past, so it’s disappointing but not surprising to read that Computer Associates has suffered a breach to its website, which redirected unsuspecting visitors to a Chinese domain that downloads malware to visitors’ PCs. It’s a major embarrassment for a company that specializes in advising enterprises on how to secure their infrastructures.

How did it happen? According to press reports, it happened in the press section of their Website, which is outsourced to a hosting company. This type of breach shouldn’t happen. One would hope that professional hosting companies would naturally maintain good security practice to safeguard their customers’ services. Unfortunately they don’t all do this. That’s why it’s vital for user organisations to ensure that their contractors and sub-contractors continue to maintain security standards, through contractual requirements and frequent vulnerability scanning.
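The breach described above is the classic drive-by pattern: a hosted page is modified to pull visitors off to a third-party domain, and the owner only finds out from the press. One cheap check that a customer can run against an outsourced site, in addition to conventional vulnerability scanning, is a content-integrity scan that flags any script, frame, object or meta-refresh reference pointing at a host that is not on the site's own allowlist. The following is an added illustration, not code from the original post or from CA or its hosting company; the allowlisted hosts and the sample HTML are constructed for the example, and the injected references in it are invented, not taken from the reported incident.

```python
"""Content-integrity check for a hosted web page (added example).

Flags script/iframe/frame/object/embed sources and meta-refresh redirects
that point at a host outside an allowlist, which is what an injected
drive-by redirect looks like from the site owner's side.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed trusted hosts for the site being checked (an assumption, not from the page).
ALLOWED_HOSTS = {"press.example.com", "cdn.example.com"}


class _RefCollector(HTMLParser):
    """Collect URLs from tags that can load or redirect to third-party content."""

    TAG_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
                 "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url); html.parser lowercases tag/attr names

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.TAG_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.refs.append((tag, attrs[attr]))
        # <meta http-equiv="refresh" content="0;url=http://somewhere/">
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            idx = content.lower().find("url=")
            if idx >= 0:
                self.refs.append(("meta-refresh", content[idx + 4:].strip()))


def find_untrusted_refs(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, url) pairs whose target host is not allowlisted.

    Relative URLs resolve to the page's own origin and are treated as trusted;
    protocol-relative URLs (//host/path) and non-http schemes are not.
    """
    parser = _RefCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.refs:
        parts = urlsplit(url)
        if parts.scheme not in ("", "http", "https"):
            findings.append((tag, url))          # javascript:, data:, etc.
            continue
        host = parts.hostname
        if host is None:                         # relative URL: same origin
            continue
        if host.lower() not in allowed_hosts:
            findings.append((tag, url))
    return findings


# Constructed sample page: one allowlisted script, one local script, and two
# injected references (a meta-refresh and a hidden iframe) to invented hosts.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://malware.invalid/load.php">
<script src="https://cdn.example.com/site.js"></script>
</head><body>
<h1>Press releases</h1>
<script src="/js/local.js"></script>
<iframe src="//drive-by.invalid/in.cgi?3" width="0" height="0"></iframe>
</body></html>"""


if __name__ == "__main__":
    for tag, url in find_untrusted_refs(SAMPLE_PAGE):
        print(f"untrusted {tag}: {url}")
```

Run against a page fetched from the hosting provider on a schedule, a non-empty result is an alert that the served content has drifted from what the site owner published. The check is deliberately dumb: it does not need to know the attack, only the list of hosts the site is supposed to reference, which is exactly the kind of contractual baseline the paragraph above argues for.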

Hopefully CA has learnt a lesson and will now take all necessary steps to secure their infrastructure. That’s the positive side of breaches. They encourage organisations to put their house in order.

February 7, 2008

The Name of the IT Security Game

The title of the IT Security function is a hot topic this year, as organisations contemplate possibilities for mergers to enable headcount reductions. With whom to merge, and what to call the new unit are questions at the forefront of many managers’ minds. Of course you could also try the opposite approach of embedding security activities in other functions. In fact that’s an ongoing trend, accelerated from time to time by the sweep of the pendulum swing between devolution and centralization of resources. But you always need a central coordination function, though the word coordination is to be strictly avoided as it’s a primary target of downsizing consultants.


February 8, 2008

The Importance of Email Disclaimers

CSO's web site has a blog posting about an alleged accidental data leakage via a misdirected email from a lawyer to a news reporter. Nothing exceptional about that. It's the sort of cock-up that happens from time to time. But what's particularly interesting about this story is that the journalist didn't report the content of the email.

Now there can be many reasons why reporters hold back information. The content might not be interesting enough. It might be counterproductive to compromise a potentially useful source. But it might also be because the email disclaimer did its job. That last thought got me thinking about the value of email disclaimers.

The blog posting contains some useful comments from a lawyer. But the situation is never clear cut. And the legal position can vary from country to country. I'm not a legal expert but my understanding is that under English law a recipient of a communication is obliged not to disclose the content of an expressly marked confidential communication. (It would be interesting to hear some expert thoughts on this.)

With all the current concern about data leakage, it clearly makes sense to ensure that email disclaimers and corporate policies for business communications are as good as you can get them. They might be your last line of defence.

February 27, 2008

Internet Governance

The recent case of Pakistan blocking access to YouTube underlines the need for better governance of the Internet. I’m not suggesting we should have heavy-handed, bureaucratic control. But the Internet is now critical to business and government services so we need a better international understanding of national responsibilities, especially for supporting services such as security and incident response. The UK concept of a “Third Way” suggested by the Rt Hon Alun Michael MP gets my support.

March 15, 2008

Regaining Public Trust in e-Government Services

The British Computer Society have just published details of an interesting survey of UK citizens' views on e-Government services. You can guess the outcome. Not surprisingly there is high concern about public sector management of sensitive citizen data.

Is this a setback for e-Government? Yes, but it's not an unexpected one. In the face of increasing threats and growing impacts, it's always been necessary for all government service providers to keep raising their security game. However, in the absence of hard evidence of future trends, increases in budgets and resources are never automatic. Instead we have to play a reactive game.

Fortunately, most reactions to major issues and incidents overstate the response. So the next step should – fingers crossed - be a welcome step change in security assurance.

We need to start with better leadership in presenting the facts. In fact we're already seeing this in Sir James Crosby's recent report on Identity Assurance. Then we must focus on measures to transform the culture and tighten the governance for guardianship of sensitive citizen data. That's the harder bit.

The BCS have recently set out the measures required to achieve prudent data guardianship. They demand attention to accountability, visibility, consent, access and stewardship of personal data. In my view they should place a little more emphasis on security. But it's a step in the right direction.

Building public confidence in e-Government is a major challenge. And it will be achieved. Because the pressure will continue to mount until we get there.

March 28, 2008

The New Cyber Security Czar

The US has appointed Rod A. Beckstrom, a technology entrepreneur and author, to head up the new National Cyber Security Center. He's an interesting and imaginative choice. Rod has a successful track record as a technology entrepreneur and he’s co-authored an interesting book, The Starfish and the Spider: the Unstoppable Power of Leaderless Organizations.

As Bruce Schneier points out, he knows nothing about cyber security. But does he have to? There are plenty of seasoned security professionals and technology experts around to advise him. What really counts is his ability to develop innovative strategies, lead fast-moving crisis teams and harness the power of network effects. He sounds like a promising choice.

April 1, 2008

We Need Confidence in our ISPs

Over the last few weeks there’s been a lot of controversy about Phorm, a new behaviour-based advertising service that matches advertisements to customer web habits. It’s reportedly being trialled by several UK ISPs including BT, Virgin and Talk Talk. My fellow blogger Stuart King commented on this service a few weeks ago.

Phorm seems to operate very close to the boundaries of what might be deemed illegal according to UK legislation. And today the BBC Web site reports a claim by Nicholas Bohm, of the Foundation for Information Policy Research, that BT tests carried out during 2006 and 2007 without the knowledge of users were "an illegal intercept of users' data".

Regardless of the technicalities of whether or not this was illegal, it’s a disturbing development. ISPs are in a unique, privileged position to read the data of customers. They should aim to maintain the highest degree of trust with citizens. If we lose confidence in ISPs, it’s a major setback for our hopes of building a trustworthy information society.

April 7, 2008

Anti-Phorm Petition Climbs the Charts

A petition requesting the Prime Minister to investigate the Phorm technology has reached the Top Ten on the 10 Downing Street web site, attracting 10,000 signatures in the first two days. In with a bullet, as they say. It’s a remarkable show of support, which reflects the growing public concern about the privacy of personal information.

It’s not enough just to follow the letter of the law. Public opinion also counts. Retailers, ISPs and marketing companies should take note.

April 17, 2008

What not to do about Social Networking

Computer Weekly has just published an article setting out some of my views on social networking in advance of next week’s Infosec Europe 2008 event in London, when I’ll be speaking on “Locking down social networking vulnerabilities”.

In fact the last thing you should aim to do is lock down social networks. Ban them perhaps. And certainly aim to manage the vulnerabilities. But don’t try to lock down networks. They don’t respond well to that. The future of security is about protecting flows, not blocking them.

Social networks will change the way we live, work and vote. We have to engage with them on their terms or we’ll be left behind.

April 28, 2008

More Testing Please

After suffering five failures of brand new electrical goods this year, after very few in previous decades, I’m beginning to get the impression that there are serious flaws in the design and manufacturing processes of contemporary products.

Faster product cycles and growing complexity are obvious contributing factors. A further one might be the introduction of lead-free solder. But there is no excuse for not applying quality, durability and usability tests at the design and production stages.

And the same holds for software testing, but with the added need to eliminate security weaknesses in both the design and code. There’s no excuse other than ignorance because it’s not expensive to conduct tests at each stage. And it’s certainly a lot cheaper than applying post production changes.

One security testing product that caught my eye at Infosecurity last week was Veracode’s binary testing service which is fast, affordable and rapidly pinpoints security flaws. If it does half of what it says it does, it would seem to be a mandatory tool for application developers and their customers.

And of course if it were claims-tested by the CESG CCTM scheme, then we’d know that it does what they claim. In fact all prudent organisations should mandate both security and claims testing. There’s no excuse not to.

April 30, 2008

Real hackers stay close to the action

One of the more pleasant highlights from last week’s Infosecurity was having an excellent dinner with the IOActive team, an interesting Seattle based security services company.

I was particularly impressed to find that Apple founder Steve Wozniak is on their advisory board. It just goes to show that at least some mainstream IT hackers (in the true sense of the word) have stayed close to their roots.

Steve Wozniak is famously connected with Blue Boxes, perhaps the earliest dedicated hacking tool. He probably understands security better than many CISOs. I wish them well.

May 4, 2008

White Hat Dilemma

I was interested last week to read in The Register about TippingPoint’s success in reverse engineering the executable behind the Kraken botnet, enabling them to build a fake server that identified 25,000 infected machines. That left them with a dilemma: Should they fix the infected machines or not? They decided not to.

That was the right decision. Two wrongs don’t make a right. No matter how helpful it might have seemed to intervene, it would have been unethical, illegal and a potential liability. Untested changes always present a degree of risk. You can never be sure what might result. And it’s the thin end of the wedge. Where might such a precedent lead?

May 10, 2008

Presumed Guilty

I was surprised to read reports that the UK retail sector has quietly set up a register, The National Staff Dismissal Register, of staff who’ve been dismissed or left employment while under investigation for acts of dishonesty.

One wonders how many records of innocent people, perhaps wrongly or falsely accused of fraud or theft, might be lurking on such a database. No doubt it will reduce crime. But it will also provide leverage for attempts at staff harassment.

May 26, 2008

The Limitations of Risk Management

I'm just back from a week of splendid isolation, fly-fishing in Scotland and free from mobile phone networks and Internet connections. Amazingly the weather was dry every day, highly unusual for May. Bright weather doesn't make for good fishing but personally I'd rather sacrifice the fishing for pleasant weather.  

My only link with business was reading a copy of the Economist from May 17 which happened to carry an interesting analysis of the recent financial meltdown from a risk management perspective.  

This article entitled "Professionally gloomy" makes a number of good points. Value-at-risk measures look backwards not forwards. So the longer things go smoothly, the better the situation looks. But we all know that a downturn becomes more likely. Risk models also create an illusion that we can quantify and regulate all risks, but it's simply not true. We can't anticipate the unexpected. And we have no historical data for new products.
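The Economist's point about value-at-risk looking backwards can be seen in a few lines of arithmetic. Historical VaR at a given confidence level is just a quantile of the losses in a trailing window, so the estimate is entirely determined by what happens to be inside that window. The following is an added illustration, not from the original post or the Economist article: the daily return series is constructed (a calm regime of small alternating gains and losses with two invented crash days dropped in), and the 100-day window and 99% confidence level are assumptions chosen to keep the numbers legible.

```python
"""Rolling historical value-at-risk on a constructed return series (added example).

Shows two properties the paragraph above describes: the day before a crash,
a window of calm days yields a tiny VaR that the crash exceeds many times
over; and once the crash days age out of the window, the estimate collapses
back to the calm-period value, as if the risk had gone away.
"""
import math


def historical_var(returns, confidence=0.99):
    """Loss (as a positive fraction) not exceeded with probability `confidence`,
    taken from the empirical distribution of the supplied returns
    (nearest-rank quantile of the losses)."""
    n = len(returns)
    if n == 0:
        raise ValueError("need at least one return")
    losses = sorted(-r for r in returns)         # ascending; gains are negative losses
    k = max(0, math.ceil(confidence * n) - 1)    # nearest-rank index of the quantile
    return losses[k]


def rolling_var(returns, window=100, confidence=0.99):
    """VaR estimate available at the close of day i, using days i-window+1 .. i.
    Returns {day_index: var}; days before a full window exist are skipped."""
    return {i: historical_var(returns[i - window + 1:i + 1], confidence)
            for i in range(window - 1, len(returns))}


def var_exceedances(returns, window=100, confidence=0.99):
    """Days on which the realised loss exceeded the VaR estimated the day before.
    Returns a list of (day, realised_loss, prior_day_var)."""
    var = rolling_var(returns, window, confidence)
    return [(i, -returns[i], var[i - 1])
            for i in range(window, len(returns))
            if -returns[i] > var[i - 1]]


def constructed_returns(days=300, crash_days=(150, 151), crash_losses=(0.08, 0.06)):
    """Constructed series, not market data: +0.4% on even days, -0.5% on odd days,
    with the given crash losses substituted on the given days."""
    rets = [0.004 if i % 2 == 0 else -0.005 for i in range(days)]
    for day, loss in zip(crash_days, crash_losses):
        rets[day] = -loss
    return rets


if __name__ == "__main__":
    rets = constructed_returns()
    var = rolling_var(rets)
    for day in (149, 150, 151, 249, 250):
        print(f"day {day}: 99% 100-day VaR = {var[day]:.3f}")
    for day, loss, prior in var_exceedances(rets):
        print(f"day {day}: loss {loss:.3f} vs prior-day VaR {prior:.3f} "
              f"({loss / prior:.0f}x)")
```

On this series the estimate sits at 0.5% through the calm stretch, so the 8% loss on day 150 is sixteen times the figure the model reported the evening before. The window then "learns" the crash and reports 6% for exactly 100 days, and on day 250, when the first crash day drops out, it falls straight back to 0.5%. Nothing in the model distinguishes a regime that has genuinely calmed from one that is simply between shocks, which is the immaturity the article complains of.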

It's also hard to see the big picture of aggregate risk. "We have all the leaves on the tree but not the tree" as one risk manager puts it. Put simply, risk management is highly immature. We have a long way to go to develop techniques and models that are truly fit for purpose.   

Excessive leverage means that misjudgements can be especially dangerous. Good risk management is therefore becoming more crucial to longer-term survival. The smarter banks detected the problem earlier and started to steer away from the problem in late 2006. That's probably one reason why executive search agencies report that good risk managers are currently in heavy demand.

August 10, 2008

Why we really do risk management

It's encouraging to see the Cabinet Office publish a National Risk Register, which sets out the Government's assessment of the likelihood and potential impact of a range of different risks that may directly affect the UK. It's primarily designed to increase awareness.

The problem with risk registers is that when you combine risks at such a high level, they become so generalised and vague that they fail to serve much of a useful purpose. Take the section on electronic attacks, for example. It states that:

"The risk and impact of electronic attacks on IT and communication systems varies greatly according to the particular sectors affected and the source of the threat... There is a known risk to commercially valuable and confidential information in some government and private sector systems from a range of well resourced and sophisticated attacks."

That's not much use to anyone. But the fault is not with the Cabinet Office. It's the flawed process of risk management, which takes elaborate views of threats and exposures and shoe-horns them into an oversimplified set of categories, losing all the richness of the original assessment. It's clearly a process that's designed to tick a compliance box, not deliver a business benefit.

 

September 25, 2008

Relationships are the key to secure outsourcing

For several months I've been researching the subject of security in outsourcing and off-shoring. I've read lots of books and papers, and interviewed experts from many related fields: procurement experts, legal advisers, programme directors and security managers. The one message that comes through consistently is the importance of the relationship. If you have a good relationship with your contractor you can overcome a bad contract. But the opposite is not true.

So I was impressed to hear Rachel Burnett, President of the BCS, confirm that point in an excellent presentation tonight at the Guildford BCS branch. Rachel is an expert on IT law and the author of an excellent book on outsourcing. We should heed her advice. Too often, contracts become zero sum games rather than the beautiful friendships that are needed to deliver secure, reliable services in a fast-changing business environment. As she correctly points out, IT contracts are not like construction contracts, where you can expect the specification to be implemented to everyone's satisfaction. In practice, they tend to be a lot messier and highly volatile. People and relationships are the key to successful outsourcing.

October 16, 2008

Outsourcing trends

Last night's Computer Weekly 500 club meeting in London, on the subject of off-shoring and outsourcing, provided a fascinating insight into the latest trends, from the expert perspective of McKinsey Director Paul Willmott. Outsourcing has seen rapid growth over the past two decades, and it's still growing very fast.

What particularly impressed me was the evolving maturity of this practice. Customers are finally beginning to pay more attention to managing their supply chains properly. And vendors are now building true global capabilities, to the extent that it's becoming hard to differentiate the global capabilities of Western companies, such as IBM, from Eastern ones, such as Tata.

Unfortunately, too many deals still fail to deliver. But there are growing "marriage counselling" services available from McKinsey and other experts. And it's all about getting that relationship right. A bad one cannot deliver good services or security. Only the contractor has the necessary visibility and direct control needed to respond to new risks. We can't enforce that agility through legal demands. We have to align objectives and aim to build real partnerships.  

With a looming recession, many companies will be looking to review their business plans and their supply chain contracts and business relationships to extract that extra bit of efficiency. This is the right time to try to get security better aligned with objectives on both sides of each business partnership.

 

October 19, 2008

The future of Internet governance

Last Thursday's Parliament and Internet conference provided reassurance that at last some of our politicians have a healthy perspective of the societal challenges presented by the Internet. Contrary to what many people might imagine, there is, in fact, a good deal of reasoned debate behind the development of public policy on Internet governance.

I mentioned earlier this month that smart observers such as Rob Carolina have already spotted that the cyberspace frontier is no longer as open as we thought. It has national boundaries, though social and commercial networks do have a sneaky habit of finding ways to circumvent political barriers. Most observers now accept that the Internet is unstoppable, but its development can certainly be slowed down. So it's important that we agree balanced international policies to guide its future development. Neither a heavy touch nor a complete free-for-all is desirable. We need to find ways of addressing issues such as e-crime, privacy and universal access, without impeding the progress and benefits that the Internet offers.

UK politicians are providing a healthy leadership in this space. They've adopted a global, multi-stakeholder approach to public policy development. But they could do with a lot more engagement and support from business stakeholders. In today's fast-changing, competitive business environment it's hard for company directors to find the time and justification to engage in slow-moving political developments. But the recent financial credit meltdown shows the importance of adopting a longer-term perspective. And the stakes are high. The future of global communications is far too important to be left in the hands of the politicians and regulators.

October 23, 2008

Visibility and context are your priorities

I've just installed the latest critical security patch from Microsoft. Fortunately, I was warned about its release by good friends in Seattle. In fact, it's unusual these days for Microsoft to release out-of-band updates. One would hope that most of these could safely await the regular 2nd Tuesday update cycle. That's an easy date for London based security managers to remember, as it's exactly a week after the regular City booze up.  

But clearly there's something urgent about this patch. Either it's really damaging, or there's an exploit already circulating. Whatever the reason, the implication is that, these days, you have to be on your guard 24 by 7 to maintain security. That means you have to establish really good intelligence feeds. I've long said that visibility and context are the cornerstones of good security. You must be equipped to see new threats, exposures and incidents. And you must be able to assess their significance in real time.

In fact, this is the basis of professional security. Regardless of what the textbooks tell you, the first thing you must do is set up an effective intelligence system: one that reports new threats, existing vulnerabilities and current incidents. And one that can assess the significance of everything reported. All of this is possible and achievable, within reasonable cost and budget, by sensibly exploiting today's technology and services. So, if you, or your staff, didn't immediately pick up and respond to this latest scare, then you should aim to raise your game right now.
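As an added illustration (this is not code from the original post), the following Python script shows what "context" means in practice: the same advisory is scored differently for each asset that actually runs the affected product, so an out-of-band patch with an exploit already circulating on an Internet-facing system holding confidential data rises to the top of the queue, while a moderate advisory for an internal desktop waits for the regular cycle. The scoring weights, the response tiers, and the sample feed and inventory are all constructed assumptions for the example.

```python
# Added example (not from the original post): triage a feed of security
# advisories against an asset inventory so that an out-of-band patch with a
# circulating exploit on an Internet-facing confidential system rises to the top.
# Scores, thresholds and the sample data are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    severity: str            # "critical" | "important" | "moderate" | "low"
    out_of_band: bool        # released outside the regular monthly cycle
    exploit_in_the_wild: bool


@dataclass(frozen=True)
class Asset:
    hostname: str
    products: FrozenSet[str]
    internet_facing: bool
    data_classification: str  # "public" | "internal" | "confidential"


# Hypothetical weights: the point is that context (exposure, data held) counts
# as much as the vendor's own severity rating.
SEVERITY_SCORE = {"critical": 4, "important": 3, "moderate": 2, "low": 1}
CLASSIFICATION_SCORE = {"public": 0, "internal": 1, "confidential": 2}


def exposure_score(adv: Advisory, asset: Asset) -> int:
    score = SEVERITY_SCORE[adv.severity]
    if adv.out_of_band:
        score += 1   # the vendor decided it could not wait for the second Tuesday
    if adv.exploit_in_the_wild:
        score += 2   # attackers already have working code
    if asset.internet_facing:
        score += 2   # reachable by anyone, not just insiders
    score += CLASSIFICATION_SCORE[asset.data_classification]
    return score


def response_window(score: int) -> str:
    """Map a score to the action the on-call team takes (hypothetical tiers)."""
    if score >= 9:
        return "patch now"
    if score >= 6:
        return "patch within 72 hours"
    return "next scheduled cycle"


def triage(advisories: List[Advisory], assets: List[Asset]) -> List[Tuple[int, str, str, str]]:
    """Return (score, advisory_id, hostname, window), highest exposure first.

    Only assets that actually run the affected product are considered: an
    advisory for a product you do not have is noise, however critical.
    """
    findings = []
    for adv in advisories:
        for asset in assets:
            if adv.product in asset.products:
                score = exposure_score(adv, asset)
                findings.append((score, adv.advisory_id, asset.hostname, response_window(score)))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


# Constructed sample feed and inventory.
ADVISORIES = [
    Advisory("ADV-OOB-1", "Windows Server", "critical", out_of_band=True, exploit_in_the_wild=True),
    Advisory("ADV-REG-2", "Office", "moderate", out_of_band=False, exploit_in_the_wild=False),
]
ASSETS = [
    Asset("web01", frozenset({"Windows Server"}), internet_facing=True, data_classification="confidential"),
    Asset("file01", frozenset({"Windows Server"}), internet_facing=False, data_classification="internal"),
    Asset("desk01", frozenset({"Office"}), internet_facing=False, data_classification="internal"),
]

if __name__ == "__main__":
    for score, adv_id, host, window in triage(ADVISORIES, ASSETS):
        print(f"{score:2d}  {adv_id:10s} {host:8s} {window}")
```

The product match is the step most often missing from a raw vendor feed: without an inventory to join against, every critical advisory looks equally urgent, which is exactly the lack of context the post warns about.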

October 30, 2008

The spectacular success of financial risk management

I came away from the RSA conference with the impression that most practitioners actually believe that the current financial meltdown was a clear example of risk management failing the financial sector. This was even a major point made by Art Coviello, President of RSA, in his opening keynote. But it's an incorrect assumption, based on a flawed perspective of the true purpose of risk management.

The sub-prime crisis was a classic example of the spectacular success of financial risk management. As I have long emphasised, risk management is a decision-support device, not a decision-making one. If you have any business sense, you wouldn't possibly make any decisions on the basis of a crude, oversimplified, uncertain and context-free calculation. You'd make it on a much richer set of facts that included important personal and political considerations, such as bonus targets and market expectations, as well as unwritten assumptions, such as the fact that many existing policies will be ignored in the event of a major crisis.

Risk decisions are the prerogative of the responsible business manager, not a spreadsheet or a piece of software or the assessment of a junior technician in the IT department. And the financial crisis clearly demonstrated the power and effectiveness of risk management methods to deliver a convincing assurance to auditors, regulators, shareholders and governments. It creates an illusion of control. That's what it's there for. And it's been spectacularly successful.   

December 8, 2008

Managing Security in Outsourcing and Off-shoring

At last week's excellent Cyber Security KTN Christmas lunch at Bletchley Park, I presented the findings of a recent KTN project to develop a guideline on the thorny subject of managing information security risk in outsourcing and off-shoring. You can view the slides on the KTN web site.

It's worth watching out for the guideline itself, which should be available shortly. I set out to interview many leading experts in law, programme management, security and procurement, in order to capture the learning points. I was particularly concerned with capturing the softer, management issues, rather than the factual legal requirements (which a good lawyer can tell you).

It was a challenge to cram in such a large number of issues into seven pages (the limit set by the KTN). But small is beautiful. In today's world you can't expect busy executives to find the time to read longer documents.

December 10, 2008

Securing cyberspace

The Center for Strategic and International Studies in Washington DC has just published an interesting and timely report "Securing Cyberspace for the 44th Presidency".

There are some good arguments in this paper, though I feel it does need a clearer definition of the problem space. Threats such as espionage, war and sabotage are not confined to either physical or electronic media. And they don't necessarily share a common solution space.

Securing cyberspace is just one component of the broader challenge of safeguarding physical and intellectual assets in the information age. The focus of information security needs to extend beyond the supporting media.

January 3, 2009

Computer forensics - a subject every executive should understand

One of the least researched, but most important subject areas for the future of business is the field of computer forensics. It's a huge area and a massive challenge for all organisations that rely on digital transactions.

In the past, long standing business partners would either trust each other, accept the facts of a printed audit trail, or simply succumb to the whims of a more important customer. Unfortunately, none of these options will work in the new business world of volatile business relationships with numerous, anonymous partners operating across complex supply chains.  

Modern business practice demands accurate, independent and assured verification of transactions. That means that executives at all levels in an organisation need to be streetwise about the validity, vulnerability and availability of audit trails and digital evidence. Given the current capability of hackers and fraudsters to deploy anti-forensic techniques, that's a very tough call.
 
The starting point is to educate all business executives in the fundamentals of the subject area. It's a difficult task but, fortunately, the briefing material is improving. I've been especially impressed with Peter Sommer's excellent "Directors' and Corporate Advisors' Guide to Digital Investigations and Evidence", produced for the UK Information Assurance Advisory Council, an Institute which many years ago I helped to found and direct.

Not many company directors will have the patience to read and digest this guideline. But they should. Evidence of transactions underpins all modern business. In fact, amongst other things, an understanding of the validity of digital transactions will increasingly separate the real business men from the young apprentice boys. 

January 8, 2009

In search of better Information Governance

Lately I've had some interesting email exchanges with colleagues in Australia about press reports of increasing levels of citizen surveillance in the UK. This steady erosion of personal privacy is disturbing. But it is a natural and inevitable consequence of the rapid growth in networking and information processing capability. And the threat to privacy is not just from intelligence collecting platforms and CCTV cameras installed by local authorities. It's also from citizens with camera phones and Internet access.

This year we'll see attempts by governments to implement the most ambitious schemes yet for monitoring of Internet communications. There will, hopefully, be increasing public debate about the need for such schemes. But, in general, most attempts to hold back the growing tide of electronic surveillance systems are doomed to failure. There are simply too many requirements, opportunities, capabilities and stakeholders. Neo-Luddites might win the odd battle, but they'll never win the overall war. 

That's not to say, of course, that we shouldn't challenge ill-conceived public policy, dangerous precedents and bad practices. A strong privacy lobby is essential to clip the wings of government excesses. But our main focus needs to shift more towards better information governance, because that's an area that has been widely neglected. Too many systems are designed without adequate controls, too many databases are full of incorrect data, and too many users lack the training and incentives to behave correctly. 

We all know that a good slice of the population is corrupt, misguided or just plain clumsy, so simply demanding perfect behaviour from systems administrators and users will never be enough. Instead, we need to establish much better controls, education and incentives. But, in practice, this is far from easy. There's a surprising lack of knowledge in how to go about it, as well as a growing shortage of professional skills. And the business case is not compelling, with most benefits being long-term, uncertain and unmeasurable.

The solution is not to be found in ambitious visions, strategies or policies, which can be helpful, but by themselves achieve very little. Our objective, instead, should be to build the knowledge base, methods and technologies needed to achieve real results. There are far too many gaps in this area. My book "Managing the Human Factor in Information Security" which has just gone to print explains how we can tackle some of these challenges. But it's only the start in constructing the new body of knowledge we need to manage the transition from securing corporate infrastructure from outsiders to protecting personal information from insiders.

January 17, 2009

The tone at the top

Many people tell me that the real problem they face in getting public or private sector organizations to address information security is the lack of understanding and interest at the top. That's important because the security culture of an organization is strongly influenced by the tone and direction set by the leadership.

But it's really just a matter of time. Information security continues to grow in importance and profile. Eventually most leaders will appreciate the subject and grasp the nettle.

And the situation can change faster than we expect. Take the US leadership for example. I was delighted to read that John Thompson, CEO of Symantec, is one of two shortlisted candidates to become the next US Commerce Secretary. It would be refreshing to have a security-aware politician in the President's cabinet, and to have a Commerce Secretary that appreciates the importance of security in the technology supply chain. John is a smart business man and a superb diplomat. He certainly gets my vote.

January 20, 2009

In search of simplicity

The Royal Society of Chemistry has recently published the top five solutions to the Italian Job challenge prize, which aimed to find a solution to the cliff-hanging ending of the film. More than two thousand entries were received, ranging from the simple to the sublime. Some were highly technical, based on computer-aided graphics, nuclear physics and chemistry. Others were highly imaginative, and a few were simple, practical solutions.

The learning point is that you can solve a difficult problem in many different ways with varying degrees of simplicity and practicality. Security designers should take note of that. Simple is always best. There is even a Jericho Forum principle based on that concept. Yet many of the protocols developed for networking security have been unnecessarily complex.

But designing simple solutions is not as straightforward as most people imagine. Management controls, for example, need to have the same number of states as the system they're aiming to control. One answer is to scale up the number of states using processors, networks and storage. The other approach is to restrict the number of states in the system you're aiming to control, through limits, standards or classifications. Unless you do this the system you're managing will be out of control.

Simple controls can't control complex situations. But there's certainly a lot more that can be done to shave off redundant layers from over-complex solutions.

January 31, 2009

Guidelines should be simple but effective

ISACA, the Information Systems Audit and Control Association, has just launched a guide designed to provide IT security chiefs with an independent framework to help manage their information security more effectively. My heart generally sinks when I dip into an ISACA publication, as they're often composed of hundreds of pages of control descriptions, neatly arranged in sparse tables. In fact, I was pleasantly surprised that the introductory guide, An Introduction to the Business Model for Information Security, is actually concise, simple and readable. We need more like this.  

But lurking beneath the surface of this simple business guide is a growing portfolio of more detailed documentation that attempts to build the basis of an all-encompassing framework for joining up enterprise governance, risk management and compliance. It's a folly, however, to imagine that such a broad, nebulous spectrum of activity can be catalogued and codified into a single, digestible framework. The problem and solution spaces are too rich, complex and volatile to enable this to be done without dumbing down the subject areas, swamping the reader and stifling innovation.

It looks tempting of course when you compare existing standards. They all look surprisingly similar. But then most modern guidelines follow a similar structure, though they are often created as different means to diverse ends. Each source of guidance reflects its pedigree to some extent. ISO security standards were developed by security managers aiming to harmonise accepted practices. COBIT was designed by auditors seeking to catalogue controls. ITIL was created by central government advisers to promote a more professional approach to IT management. Such guidelines are generally best used for their original purpose.

Maturity frameworks are also increasingly fashionable. They were originally conceived by academics to help improve the quality of large-scale software developments. As such, they are often far too detailed to be used for more modest programmes, though the concept is compelling and helpful in structuring targets and actions.

Much contemporary security guidance tends to polarise into either an over-simplified set of golden rules that fail to explain the subject, or a detailed architectural framework that is unwieldy and impossible to maintain. The best answer lies somewhere in-between. We need concise but complete, tailored guidance on individual problem areas. Few guides are effective if they are less than five pages or more than a hundred. They need to be small enough to digest, but big enough to be significant.

February 20, 2009

When laptops go missing

A recent posting on Bruce Schneier's blog drew my attention to a revealing confession by Los Alamos that they had failed to address cyber security issues regarding stolen laptops because such losses had been treated as a "property management issue". This might sound unforgivably careless, but they're certainly not alone.

A few years ago you would have had to look hard to find any organization that carried out a security assessment for a missing laptop. It's only in recent years that highly-publicized thefts have drawn attention to the problem. And many enterprises still don't realize they have a major exposure.

The root cause of this lies in the backward-looking nature of our control design process, as well as a widespread failure to check the actual implementation of security policy. Twenty years ago, when we were assembling the original base material for BS7799, mobile computing and helpdesks were in their infancy. We didn't address laptops or the need to build security into helpdesk processes for managing reports of lost assets. Two decades later, we're still not covering these areas as well as we should. Security standards rarely cater for current or emerging problems. 

Critics can slam Los Alamos for their failings, but it's not intuitively obvious for a call centre or asset manager to carry out a risk assessment for a lost or stolen asset. The need for this won't come to light until a security review highlights the issue or, more likely, a major incident occurs.

And, be warned, it takes time to plug this gap. New processes have to be designed. Call centre software has to be upgraded. The helpdesk operators have to be trained to ask the right questions. Security expertise must be available to guide the risk assessment. The process will also take a few iterations to reach an acceptable level of reliability.
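As an added illustration of the "right questions" and the risk assessment that follows them (this is not code from the original post), the Python script below treats each helpdesk question as a field of the lost-device report. The caveat a practitioner will want is built in: an answer the operator cannot obtain is recorded as None and resolved to the unsafe case, so an unknown encryption state is treated as unencrypted and unknown cached credentials as present. The risk levels, the action list and the sample reports are constructed assumptions for the example.

```python
# Added example (not from the original post): the risk assessment a helpdesk
# would run when a laptop is reported lost or stolen. The questions are the
# fields of the report; an answer the operator cannot obtain is None and is
# treated as the unsafe case. Levels, actions and the sample reports are
# constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LostDeviceReport:
    asset_tag: str
    disk_encrypted: Optional[bool]       # None: helpdesk could not establish this
    cached_credentials: Optional[bool]   # None: unknown
    data_classification: str             # "public" | "internal" | "confidential" | "personal"
    remote_wipe_possible: bool
    hours_since_loss: float


def assume(answer: Optional[bool], unsafe: bool) -> bool:
    """An unanswered question is resolved to the answer that creates more exposure."""
    return unsafe if answer is None else answer


def assess(report: LostDeviceReport) -> Tuple[str, List[str]]:
    encrypted = assume(report.disk_encrypted, unsafe=False)
    creds_cached = assume(report.cached_credentials, unsafe=True)
    sensitive = report.data_classification in ("confidential", "personal")
    actions: List[str] = []

    if report.remote_wipe_possible:
        actions.append("issue remote wipe and record the result")
    if creds_cached:
        actions.append("revoke cached credentials, certificates and VPN tokens")

    if sensitive and not encrypted:
        level = "high"
        actions.append("open a security incident and assess notification duties")
    elif not encrypted or creds_cached:
        level = "medium"
    else:
        level = "low"   # encrypted, nothing cached: a property loss, not a data loss

    if report.hours_since_loss > 24:
        actions.append("review why the loss was reported late")

    unknown = [name for name, value in (("disk_encrypted", report.disk_encrypted),
                                        ("cached_credentials", report.cached_credentials))
               if value is None]
    if unknown:
        actions.append("helpdesk to establish: " + ", ".join(unknown))
    return level, actions


# Constructed sample reports.
REPORTS = {
    "clean": LostDeviceReport("LT-0001", True, False, "confidential", True, 2.0),
    "unknown": LostDeviceReport("LT-0002", None, None, "personal", False, 80.0),
    "cached": LostDeviceReport("LT-0003", True, True, "internal", True, 1.0),
}

if __name__ == "__main__":
    for name, report in REPORTS.items():
        level, actions = assess(report)
        print(f"{report.asset_tag} ({name}): {level}")
        for action in actions:
            print("  -", action)
```

The "unknown" report is the realistic one: a call centre that has not been trained to ask about encryption and cached credentials will log exactly that, and the assessment has to default to the worst case rather than silently to the best.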

Asset management itself is a far-from-perfect process in many organizations. So don't expect operational managers to implement appropriate controls without prompting. They're busy enough struggling to stay abreast of a sprawling IT estate in a constantly changing environment. 

March 9, 2009

Preparing for Life in the Fast Lane

Last week I contributed to an ISSA-UK expert panel reviewing a recent UK Government report on plans for "Digital Britain", the digital knowledge economy that will form the heart of our future economic development. It's an important report which justifies a considered response. The next generation of digital networks will enable lightning fast transfers of information, presenting an unprecedented opportunity for large scale data theft and other types of cyber crime. Clearly, we need to ensure that the infrastructure and services contains appropriate safeguards but without introducing undue restrictions and expense.

Many interesting ideas were discussed on key areas such as education, children's safety, rights management, cybercrime and incident response. I took away three main conclusions. Firstly, that we should aim to build in suitable management controls from the outset. Secondly, that where we need security standards, a "tiered" system (as used for the PCI data security standard) is probably the best approach. And, thirdly, Get Safe Online seems to be the best focal point for consumer security advice, but needs to be considerably augmented with much more content and real-time support.

As ever, the best analogy is with motoring. Just as motorways demand driving protocols, speed limits and traffic police, and fast cars need high performance brakes, so responsible use of very high speed digital services requires appropriate protocols, permissions and policing. The trick is to get the balance right to enable the fastest traffic flows with the minimum accidents.

By the way, anyone who's interested in joining the ISSA UK Chapter, which I'd certainly recommend, should join now and take advantage of the current 90 day free membership. It's an offer no security professional can refuse.

March 23, 2009

Real-world security architectures

One of the things that characterises a maturing business practice is the proliferation of architectures, models and frameworks. This phenomenon has clearly caught up with information security. It's hard to sit through a presentation these days without seeing increasingly complicated pictures of tables, pyramids, cubes or clouds. Most are undecipherable to a lay person. And many are an expensive drain on valuable, problem-solving time and resources. Yet few offer any value over simple, textual descriptions of security requirements.

My book "Managing the Human Factor in Information Security" is pretty damning on enterprise security architectures. That's not only because most of them turn out to be an expensive distraction in practice. It's also because the theory behind them is often flawed. Models are a means to an end, not an end in themselves. Unfortunately, too often we get carried away by the challenge of designing a perfectly-formed construct, losing sight of the original goal, which needs to have a clear purpose and a defined audience.

Seen from that point of view, security architectures are very different from business or data architectures. The latter aim to provide a single, complete and consistent view across the enterprise, enabling systems to be built that will operate in harmony. In contrast, security architectures aim to provide guidance on security requirements and controls, some of which are incomplete, perhaps awaiting new products, and much of which needs to be tailored for individual stakeholders who have quite different perspectives.   

We need families of security architectures, developed on a bottom-up basis, around selected, individual systems or assets, rather than on a top-down basis around business or governance processes. That means accepting a more fragmented and incomplete perspective of enterprise security. As I've often said, good, modern security architectures are ragged around the edges, full of holes and exist largely in the minds of practitioners. That's the nature of real-world models, designed to help people carry out specific tasks rather than to impress other security practitioners.

March 25, 2009

Better standards for standards please

Yesterday's IT Governance Watch event in London, organized by the UK Cyber Security KTN and The National Computing Centre, was an interesting attempt to address the seemingly paradoxical concept of how security standards can inspire innovation and good practice. You might think that this would be an oxymoron. But there are authoritative claims by senior level government reviews that standards do in fact promote such innovation.

On a more practical level, some people now believe that it's time to set the scene for an "observatory" of security standards. There are so many of them out there that some users are calling for assistance in navigating the proliferating standards landscape. You might of course see this suggestion as yet another "jobs for the boys" initiative. But to be fair, it's high time we addressed the standards space. Standards can be immensely powerful vehicles, as anyone who's had to address PCI DSS will appreciate. They're simply too important to be left in the hands of a standards community, hungry for more business. 

The main problem with standards is that, like architectures, they're a means to an end, not an end in themselves (unless you happen to work for a standards organisation). Security standards are also very different from other technology standards in that they're generally designed to solve historical problems rather than to present a common platform for future developments. And no two standards are the same. They can be general or specific. They can be flexible or prescriptive. And they can be designed to raise a standard of practice, or just to standardise it. Some standards demand an innovative response when others stifle it. A few, such as PCI DSS, are badly drafted (at least from a standards perspective). But others, such as BS7799, are no less than minor works of art. Some standards are also based on the consensus of hundreds of contributors, while others are based on the views of a mere handful of self-appointed experts. And it's important to also bear in mind that information security is an immature practice. Many current practices are far from good ones. When it comes to subjects such as risk management, for example, the cupboard looks bare and we could do with some fresh thinking.

These are all good reasons to place a brake on the standards process. But that would dilute our potential to tackle an increasingly complex security landscape and, in particular, to develop agreed solutions for collaborative working. The answer, in my view, is to raise our game: to ensure that the number and range of standards is appropriate to meet emerging business needs; that they're developed by a sufficient pool of knowledgeable subject matter experts who understand the nuances of what makes a good standard; and that they're both realistic and maintainable. In short, we don't need an observatory to help people navigate a landscape of inappropriate standards. But we do need a much better filter to sort out the wheat from the chaff.

April 3, 2009

This year's fashionable label

Ethical hacking (see my last post) is not the only security term I dislike. In fact I'm against the use of any labels that confuse ordinary people, especially when they supersede existing ones that are perfectly sound. Information assurance, for example, struck me as a particularly poor replacement term for information security in the public sector. It's a bland term whose meaning no uninitiated person could possibly be expected to guess. It brings to mind life assurance. It could pass for a quality or audit requirement. But you'd never imagine it was a euphemism for security. And it's far from compelling, sounding more like an optional checking process of some kind, rather than an essential countermeasure.

New labels spring up regularly. Many disappear without trace. Information guardianship, for example, seemed quite fashionable last year. It failed to take off. But sometimes a new term does work. Privacy is a good example. Data protection never really caught the imagination of ordinary managers. It doesn't resonate, nor does it sound compelling. In fact, from a compliance perspective, there's not a lot of difference between the two terms. But in terms of perception, there's a whole world of difference.

This year's hot term is information governance. It's not new. It's been used in healthcare circles for more than a decade. But it's a term whose time has come. Propelled by the fear of large-scale security breaches, organizations with large databases of sensitive citizen information must be seen to be raising their game. Security is not enough. It also demands better information management, stricter data quality, tougher compliance processes and a more appropriate security culture.

Information governance is an easily-grasped term that demands high-level leadership. It's also a banner that has the potential to unite our management of the long-isolated silos of security and data management. The UK parliamentary-industry group Eurim is currently working hard to develop the foundations of this important subject area, through no fewer than five work streams, mapping out the subject. Their recommendations could form a compelling bandwagon for a revolution in how both government and industry view the management and security of information. Expect to hear a lot more about information governance.

April 10, 2009

Preventing rogue traders

Regular readers will have noticed the radio silence this week. I haven't been able to publish a blog posting this past week due to persistent outages of my broadband service just at the times when I've had a break between projects. It's one of the drawbacks of living in the sticks, though there are other compensations in being away from the treadmill of London life. It's much easier to think clearly and strategically, for example. That's one reason, amongst others, why I like to attend conferences in out-of the-way locations.

Earlier this week, I was pleasantly isolated with a great bunch of security professionals in the leafy surroundings of La Hulpe in Belgium, speaking at EnterSecurity 2009, a conference arranged by Endeavour Events. Also speaking was former rogue trader Nick Leeson, whose role in bringing down Barings Bank should have been a wake-up call for investment banks and regulators. Clearly it wasn't, as recent history has demonstrated. What should we have learned from his escapades?

Nick Leeson is clear about the causes of Barings' collapse, as well as the solution that we should have implemented. Unlike a typical fraudster, Nick craved success rather than money. He got into a situation that got progressively worse. And the longer it went on, the greater the sense of failure. But arrogance can be just as dangerous a motive for fraud. And it's one that's encouraged by employers.

Managing a team of empowered traders demands three things. Firstly, a thorough understanding by management of current business practices. Secondly, close monitoring of day-to-day activities. And thirdly, an authoritative audit process that's able to challenge suspicious or dangerous practices. These things were lacking at Barings in the nineties. And most of them still are, more than a decade later.

What's the answer? There is, in fact, only one really effective measure. Banks must recruit former traders for compliance monitoring. And that means paying them as much as traders in order to attract the best staff. It's a necessary solution. But, unfortunately, like many desirable things in life, it's unlikely to happen. 

April 27, 2009

Historical records from the birth of BS7799

Can you remember what you were doing sixteen years ago? I certainly can. I was burning the midnight oil churning out drafts of the BSI document "A Code of Practice for Information Security".

On the eve of Infosecurity Europe I thought it would be interesting to look back and publish a few photographs from the 30th September 1993 press conference, launching the first version of the document that evolved as BS 7799 and subsequently ISO 27000.

The press conference was held at Shell Centre with representatives from Shell, BOC Group, BT, Marks & Spencer, Midland Bank, Nationwide, and of course DTI and BSI. Each company fielded a managing director. Unilever could not attend but provided a press statement.

(Photograph: COP Management.jpg) This first photograph shows the top table of managing directors fielding questions from the press.

(Photograph: COP Group.jpg) The second photograph shows the team who wrote the report, with a young looking David Lacey at the front. Can you identify any of the other characters?

Formal pledges of support were also given at the press conference by BP, British Aerospace, British Steel, Bull, Cadbury Schweppes, Cameron Markby Hewitt, Chelsea Building Society, Ciba Geigy, Digital Equipment Corporation, Reuters and TSB Bank.

Interestingly, I think Shell might have been the only company out of the group that actually went on to implement the full standard and the subsequent accreditation process.

May 4, 2009

Principles of good security architecture

If Kim Cameron can come up with a set of laws of identity when arguably there aren't any, then the least I can do is have a stab at setting out some principles of good security architecture. If nothing else, it might stimulate some much-needed debate on how best to exploit a double-edged sword that's equally capable of adding value or creating confusion. Here are my suggestions.

1.  Set clear, defined objectives:  A model is a means to an end, not an end in itself. Start by defining why you need it and who will use it. Only then can you determine the scope, size, content and presentation. Drivers and benefits can vary widely. They can help organize work, standardize activities, demonstrate compliance, act as a sales device for a vendor, or simply serve as a therapeutic exercise for the compiler. Never lose sight of the original purpose and audience. Otherwise it will not be fit for purpose.

2.  Small is beautiful:  Whatever you're using it for, the whole point of using a model is to define and communicate a set of selected, relevant facts to a specific group of users. Unnecessary detail should be filtered out or hidden from the sight of the user. The information conveyed should be as brief and simple as possible to meet the objectives of the model.   

3.  One size does not fit all:  Modern security management requires a range of different models, each serving a different purpose. They can be used to communicate or assess controls, responsibilities, activities, services, project tasks or specifications. Different models can be linked or combined but the contents will not map together neatly. A model designed for one particular purpose or audience might not be appropriate for another, though there are always exceptions.

4.  Call it anything you like:  It doesn't matter much whether you use the term "model", "framework", "architecture", "method" or anything else, though some terms are stickier than others. Architecture, for example, sounds grandiose and suggests a blueprint for building something. But it's mainly just a matter of taste. What really counts is how it is perceived by users and other stakeholders.

5.  There is no set format:  I've designed, commissioned and used many different types of security framework. They have taken the form of word documents, glossy publications, wall charts, slide packs, databases, software, hypertext and pseudocode. Each approach offers different benefits. What works best for one audience might not translate to another.

6.  Incompleteness is good:  Security frameworks are more fragmented in their coverage than business, data and IT architectures. It's because the security solution space is sparse, volatile and lags behind a problem space that's largely hidden and unpredictable. If you end up with a complete, balanced, filled-in matrix, then you've either excluded a good number of unsolved issues or incorporated a large degree of worthless padding. 

7.  Steal with caution:  Copying or adapting other people's ideas and material is a useful shortcut if the material is sufficiently general and designed for a similar audience. But be warned: organizations vary widely in their tastes, risk profile and governance style. What works in one enterprise for one particular purpose at one particular time, might not translate to other situations. 

8.  Security is event driven:  Security requirements are primarily driven by events, exposures and compliance demands, rather than business needs. Business goals and risk appetites will of course shape all decisions on countermeasures and priorities. But controls and requirements cannot be directly derived from business, data or technology models.  

9.  Cosmetics and politics matter:  The top-level presentation of any model is not critical to the content and is best determined by cosmetic and political considerations. Ease of navigation by the intended user is also an important consideration. Essentially, if it doesn't look appealing or reflect the politics of the organization it won't be accepted. And if it's difficult to navigate it won't get used.

10.  Design with the future in mind:  The sell-by dates of models or their underlying content can vary widely. Some are highly volatile, others more enduring. Some content can be rendered obsolescent by unanticipated organizational or technological changes. For ease of maintenance, separate fast-changing detail from long-lasting content. And consider the impact of longer-term changes on structures and metadata.

I could of course go on longer, but I think ten suggestions represents about the limit for a memorable set of principles. Any observations?

May 30, 2009

Cyber-security is broader than critical infrastructure

US President Barack Obama's speech on plans to secure American cyber infrastructure is an encouraging start for developing the long-overdue capabilities that the West needs to safeguard its essential services. But it only scratches the surface of the emerging information security problem space.

Operational services and infrastructure are the tip of an information age iceberg of intellectual assets that need to be safeguarded from increasingly sophisticated security threats. As time goes by, we will place a higher value on the knowledge and relationships that create our longer-term, national wealth. Visibility of the solution space always starts with issues of availability, followed by confidentiality, and lastly integrity. But the most serious long-term issues are those associated with the subtle manipulation of intangible, intellectual assets, such as trust, reputation and influence.

As we've recently seen in the UK, loss of trust in an institution can have a more serious impact than an outage of services. It's a much harder set of risks to manage. But that's the bigger challenge that governments need to recognise and address.

May 31, 2009

Whither Information Governance?

I had high hopes for the work of the UK parliamentary-industry group EURIM in developing the foundations of Information Governance. With no less than five work streams attended by leading, experienced practitioners, I expected some quality deliverables. So I was a little disappointed with this animated storyboard on the subject, which strikes me as abstract, content-free and dumbed-down. We can do better than this. 

June 17, 2009

Digital Britain needs better security

One of the tricks for impressing your customers is to under-promise and over-deliver, thereby ensuring you will exceed their expectations. It doesn't work well in competitive markets where promises are the key to business. But it's fine in monopoly situations. That probably explains why I was relatively pleased with the long awaited Digital Britain report. It's far from perfect and promises few concrete actions, but, from a security perspective it's a major improvement on the interim report, on which I submitted comments on behalf of the ISSA UK.

It looks like the Digital Britain team has responded to some of the points the ISSA raised. But I'd like to have seen it go much further on security. For me, the key points are that the report clearly recognises the importance of security, especially the need for consumer support and advice, and it endorses initiatives such as the Internet Governance Forum and Get Safe Online. The missing actions are the need for tougher, mandated security standards for critical infrastructure, and the urgent need for a big injection of resources to beef up security education and investigation.

Security is primarily driven by events, so I guess we'll have to experience a few big incidents before the government bites the bullet and invests in better security. But at least the Digital Britain report is a step in the right direction.   

By the way, Computer Weekly has a useful page that brings together a wide range of comments on the Digital Britain report.  

June 25, 2009

New cyber strategy needs to be tougher

The UK Government has just unveiled a new cyber strategy. It's a step in the right direction but it needs to be much tougher if it's to correct the weaknesses in critical infrastructure. Tests by IOActive on new US smart grid sensors are reported to have revealed alarming flaws. Mandatory standards are the only way forward.

July 20, 2009

Getting the basics right

This week's Economist includes an interesting feature on the failure of economics. It addresses three main critiques: that macro and financial economists helped cause the credit crisis, that they failed to spot it, and that they have no idea how to fix it. These are damning accusations for such a long established profession.

But one day we might say the same about information security professionals. The promotion of risk management (as an alternative to minimum standards) has allowed many business managers to avoid investment in essential security controls. The lack of comprehensive incident reporting and certification audits has meant that many bad practices go unnoticed. And the lack of emphasis on crisis management means that many security functions are not adequately equipped to respond to a crisis.

For the past three decades information security academics have focused on subjects of marginal value, such as formal methods, cryptography and risk assessment. The latest fashion is "the economics of security". But we don't need a better mousetrap. We just need basic management systems that ensure that managers, staff and customers implement a simple set of controls. That's something that's been within everyone's reach since the publication of BS 7799. Unfortunately our best efforts have failed to achieve that simple goal.

August 4, 2009

In search of a cyber security czar

The Wall Street Journal reports that Melissa Hathaway has resigned from her role as acting US National Cyber Adviser. This is a role that calls for broad subject matter experience, first class diplomatic skills and a high standing with both the public and private sectors.

There's only one candidate that possesses all of those qualities in sufficient depth and that's former White House IT security advisor Howard Schmidt. He would be both a logical and a popular choice amongst cyber security professionals.

August 5, 2009

The convergence of information and physical security

I'm often asked for advice on organising security functions. One increasingly common question is whether information and physical security should be merged. I have lots of observations on that, having served my apprenticeship switching many times between the two functions.

I've just posted a brief analysis of some of the issues associated with merging information and physical security on my Infosecurity Europe blog. It's essential reading for anyone contemplating (or aiming to resist) such a merger.

August 12, 2009

Public policy on cyber security

Whatever your views about the current status and future prospects for public policy on cyber security, one thing is clear: we're heavily dependent on the mood at the top of US Government.

US officials might not have had that much impact in the past, but in today's challenging business and technological environment, the White House view will be key to setting direction for both citizen confidence and future research and investment in security technology.

Howard Schmidt, who is in the running for US cyber security czar, has just been interviewed by govinfosecurity. It's a clunky write-up, but Howard reveals a balanced and reassuring perspective. Let's keep our fingers crossed for his prospects.

October 26, 2009

Higher standards for identity assurance

Not a week goes by without a news item about yet another breach of personal data. The latest one is a compromise of data on the Guardian newspaper's jobs website. I think we all agree that there's a pressing need for a step change in the standards we apply to the protection of personal information. That's certainly what was agreed by a group of experienced practitioners at a recent ISSA UK debate. The findings from that debate were written up and published in a white paper, supported by former Home Secretary, The Right Honourable David Blunkett MP. It's essential reading for anyone working on systems handling sensitive citizen information.

October 28, 2009

Lessons from the safety field

I've long argued that security should take note of lessons from the safety field, and there are a lot of important learning points set out in the Nimrod review. Many of these repeat the points made two decades ago by Richard Feynman following the Space Shuttle Challenger disaster. Unfortunately, it seems that either our memories are short or the learning points were not widely disseminated.

It's disturbing that we continue to make serious mistakes decades after we have discovered how to prevent them. Perhaps that's an inevitable human weakness. But what counts is that we fix these flaws when they come to our attention, and that we educate others in how to prevent future incidents.

All of these lessons apply equally to security. We can learn much from the model of safety culture spelled out in the report. As the report correctly points out, safety depends on leadership, culture and priorities. It is delivered by people, not paper, and it takes a whole community to ensure that we achieve it.

November 1, 2009

The limitations of risk assessment

I've just posted a short article on the limitations of risk assessment on my Infosecurity blog. Those of you who've read my book on Managing the Human Factor in Information Security will know I have many concerns about the practice of risk management, though I also take the view that it's an essential governance tool that's most definitely here to stay. I do however believe that we need a better, stricter approach to information security management.  

About Governance Issues

This page contains an archive of all entries posted to David Lacey's IT Security Blog in the Governance Issues category. They are listed from oldest to newest.
