The information security industry is still in its infancy and effort is needed for it to gain acceptance as a vital business area, last month’s annual conference of the BCS Information Security Specialist Group heard.
“There is a long way to go to get acceptance and investment in our industry. We are not yet as relied upon as the internet and certainly not as invested in as the IT industry in general,” said Phil Cracknell, director of Capgemini’s security consulting practice.
To achieve acceptance, the security industry needs assistance from the rest of the IT profession. Information specialists have to promote best practice, raise awareness and occasionally scaremonger, the conference heard. However, those efforts alone will not convince businesses that information security is vital to their operations.
“It will become vital, of course, when legislation tells businesses that they have to do something. We have seen this manifest with Sarbanes-Oxley and, more specifically, how accurate system logging goes some way to helping an organisation achieve compliance,” Cracknell said.
“Good logging is something security professionals have been trying to convince businesses to implement for years. Accountability – linking all access back to a real person – is a basic security audit principle and yet only when something as powerful as the Sarbanes-Oxley Act appears do we see any real activity in this area.”
The Basel 2 Accord will have a similar impact on risk management processes in businesses regulated by the Financial Services Authority, and it is likely that this will spread to non-regulated suppliers of these businesses, delegates were told.
Public reporting of major security incidents has also been problematic for the UK IT security industry. Companies suffering a breach are reluctant to go public for fear of negative publicity damaging their business.
The damage suffered by Citibank in 1995, when funds were stolen electronically, was made worse by some customers closing accounts or withdrawing funds after hearing about it. However, publicity such as this can help the wider cause of IT security, the conference heard.
Delegates agreed that some corporates pay “lip service” to security, handing it the leftovers from the IT budget. Media reports of security breaches can be a wake-up call for boards.
Internally, risk management needs to be better aligned with security. Security measures should be driven by clearly identified and fully costed risks. In that way, any case for security technology is a simple and clear business decision with all the backing it requires, delegates concluded.