While there is much in the report that might usefully concentrate the mind of anyone with responsibility for their employers' information security, discussion of Turnbull in the media has been minimal.
The Turnbull guidance is about adopting a risk-based approach to management, establishing a system of internal control and reviewing its effectiveness.
Even if it is not high on the list of management information systems priorities there is little doubt that risk management will figure increasingly largely in the life of IT management in the not-too-distant future.
Sooner or later, failure to comply with the Turnbull recommendations will lead to action on the part of disgruntled shareholders, business partners or customers because there's now no hiding place for companies that have become easy prey to computer crime because of their failure to manage risk.
Suppose, for example, you fire up your e-mail one morning and the first 15 messages are from irate customers and partners. It turns out that the company's systems have been compromised, and an attacker has posted sales forecasts, customer credit card numbers and several proprietary trade secrets on the Internet. The chances are that someone's going to claim for damages.
You might reasonably assume that, since your company passed a written insurability audit to obtain cover, your systems are well defended against such attacks. You're probably covered for any subsequent legal costs too - yes? Ha, ha. Just try to file a claim.
Your insurers will insist on conducting an extensive IT forensic analysis of the attack. They will then want to compare the results against your application to see if you actually implemented the security measures claimed. The process will drag on and on and on.
Finally, the insurance company will deny the claim because they will have discovered vulnerabilities that should have been known to the IT department and new holes that were introduced through software upgrades applied since the application was first submitted.
Since your firm probably never performed a test to determine what technical vulnerabilities existed before obtaining insurance, it has been paying for cover that will provide no help whatsoever when it is needed most.
This scenario may not apply to your company, of course, but our experience shows that it probably could. Technical testing is an easy way to prevent it but the number of companies testing for potential risks and taking action to prevent the most critical problems is relatively small. It is also rare for firms to continuously monitor their networks to ensure that the constant change of hardware and software doesn't introduce new vulnerabilities into previously secured environments.
Many organisations regard risk management for online information resources as relevant only to technology companies or e-commerce firms. In fact, any organisation that stores business-critical information on a network is at risk from external attack or internal misuse.
In addition to operating any business in a networked, global economy, regulations, legal and shareholder liability, merger and acquisition, and insurability issues drive this need, and the process is no different from a traditional, physical business.
For example, it's a relatively simple process to identify and value inventory in a warehouse. The most expensive stock is stored in a vault, lesser items sit on shelves. Burglar alarms and after-hours patrols safeguard against theft, smoke alarms and sprinklers against fire or arson.
The business owners use these reasonable and cost-effective measures to qualify for insurance, securing cover against financial loss or liability for situations that exceed the physical protections already in place.
Online asset protection should follow a nearly identical risk management process. In fact, online assets are currency in today's global economies. Trade secrets, customer profiles, sales forecasts and accounting information need significant protection. To a growing number of companies it's the opening up of their supply chains, inventory systems or shared digital market places, and they must be protected. To others it's their Web site, because their web presence is their company's face to the world.
There are three options for building a cost-effective information security risk management programme:
- Develop security policy, design/implement a security management system and monitor the security process in-house
Manage the process in-house, but use best-of-breed products and consulting services from prominent security suppliers
Outsource the security management process.
In general, only organisations operating in highly regulated environments or having similar compelling needs are willing to absorb the cost of an in-house solution. This expense must be incurred even though information security is rarely a core competence or revenue opportunity.
Experienced security staffs are expensive to recruit and retain, and in any case are unwilling to work outside normal business hours, but monitoring must be 24 hours a day, every day. That leaves little time for staff to keep up to date on breaking issues in security management.
These challenges collide directly with mainstream businesses' need to protect resources through the risk management process. One response has been the rise of managed security services - outsourced security management that offloads this non-core function.
In effect, managed services move the responsibility of assessing, monitoring and dealing with changing security threats squarely on the shoulders of the security provider.
Robin Dahlberg, managing director for the UK and Ireland, Internet Security Systems. firstname.lastname@example.org
This was first published in May 2001