Karen Worstell, former CISO at Microsoft and AT&T Wireless, recently joined the advisory board of Neupart A/S, a five-year-old European security risk management and awareness firm that just launched a North American office in the Seattle area. The company's specialty is promoting industry awareness of ISO 27001, a standard that defines the components of a security management plan to monitor, measure and control information security. As American businesses emerge from their Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley compliance projects, Neupart is hoping security pros are ready to take a fresh look at ISO 27001. In this Q&A, Worstell explains how ISO 27001 can be used to help companies comply with a variety of regulations and standards, and where her former employer, Microsoft, fits in.
You spent time as CISO at Microsoft. How are they doing on security today?
Karen Worstell: I have an outsider's view these days since I haven't been there for a while. I know they have made substantial progress over the last six to seven years and I think the world sees that. If you look at things like the privacy rankings watchdog groups put in place, Microsoft is moving up and working hard on issues like identity theft. They have some of the most talented people in the business. They do have some work to do in breaking down some silos and working together across the company, and then they can really achieve incredible things in the security space. I have a lot of confidence in my colleagues who still work there.
Talk about how ISO 27001 could benefit IT pros in the U.S.
Worstell: The ISO 27001 standard is very successful because it is a holistic and integrated approach that breaks down silos that can be a barrier to security and quality. It's based on management systems and gets into how you build and operate things.
A lot of IT pros have been immersed in other regulations and standards and many have regulation fatigue at this point. Could that make Neupart's U.S. mission difficult?
Worstell: The complaint is that people are being regulated out of their profit margins. We have to deal with HIPAA, Sarbanes-Oxley, we have to deal with Safe Harbor if we deal with European companies, we have PCI DSS, and people say this is just onerous. They're right, but if you go about dealing with all this in silos, you will fail. You will never be truly compliant and will be subject to legal liabilities down the road for representing controls that really aren't in place as being in place. ISO 27001 has a way of satisfying compliance requirements on all these various statutes and regulations with just minor adjustments. It can help you comply with Safe Harbor, PCI DSS, SOX, and GLB. You build it once and comply many times, and it can save millions of dollars and improve the security and control environment around your business. Art Coviello [president of EMC Corp.'s RSA Security division] said at the RSA conference a couple of years ago that everyone thinks we put brakes on cars to go slow. But we put fancy brakes on really hot cars so they can go really fast. That's the control environment. To do business at the speed of light you need controls that let you know you are doing it safely and managing risk for the enterprise. The [controls outlined in ISO 27001] let you do things in a way that is streamlined and nimble.
Worstell: I like the idea that security isn't a bolt-on; integration is good, but I want to be able to integrate with choice. We can write a one-size-fits-all checklist and think every company can follow it, and that's where we can run into trouble with the built-in approach. Every company is different. So I'd love to see an integrated framework for the easy plug-and-play of technologies that best fit a certain niche. The difficulty providers have is that we as consumers aren't good at explaining what we want and need. One thing ISO 27001 can do is force us to be clearer and say, 'I need these kinds of features and I need them to be a certain way.' I was disappointed with the rollout of Vista to see the challenges they had delivering on the promise of two-factor authentication integrated across the infrastructure.
Do you think the problem there is that Microsoft has its own silos that need to be broken down?
Worstell: To successfully integrate two-factor authentication across the infrastructure, it has to work across all Microsoft's components -- Windows, Office, Exchange -- and for that to work all the different groups with competing priorities will have to work together to get this done. I see no threat on the horizon of people being able to deliver on this successfully. Even companies with the ability to make it happen are having difficulty. But they're trying.