Many people in the UK still see security predominantly as an IT problem. But it's not it's a business one, writes Mike Gillespie is principal consultant at security services provider Advent Information Management.
As if anyone needed reminding, there has been wave after wave of highly publicised data loss incidents in recent months, kicked off by the debacle at HM Revenue and Customs last year.
And not one of those incidents was caused by an IT process. Instead the data losses have been the result of inadequate business processes and human error.
The upshot has been a flurry of government directives and the creation of the Information Security Awareness Forum. Which is all fine and dandy, but it doesn't really address the problem.
Take the forum. The members are all highly respected IT security bodies of one type or another that between them have oodles of experience in IT security matters. And there lies the rub: they are all IT security groups getting together to try to fix what is essentially a business problem.
Lack of integration
Where are the physical security guys in all this? Where are the guys dealing with personnel-related risks? Where's the co-ordinated response?
That is not to say IT security does not have its part to play. It does. But what we need is to get all these disparate security guardians sitting down around the table and sorting IT out together.
And this one really does have to be tackled from the top down, and senior management has to start taking responsibility.
It is not as if there isn't already a standard to help us out at the individual company level.
The ISO 27001 standard has been in development for over a decade and is based on 11 key building blocks, which clearly indicate that security is about appropriate policies and procedures, physical security, HR, compliance, business continuity and so on.
And although ISO 27001 implementation is on the rise, if organisations really want to get it right they have to create an overarching security function, although very few businesses do.
Larger organisations that can afford it could do worse than set up an all-encompassing security forum comprising subject specialists. The smaller ones with less resource could task an individual with co-ordinating activity across the board.
But such an approach also needs to be reflected in the wider industry. So my proposal is this: why not group all the currently fragmented security monikers under the banner of protective security for the industry as a whole?
Just imagine: a utopian world where security is dealt with in that much fabled holistic fashion, where organisations do not have to reinvent the wheel but have different protective security functions living sustainably side by side and in perfect harmony.
You may call me a dreamer, but am I really the only one?
Mike Gillespie is principal consultant at security services provider Advent Information Management
This was first published in April 2008