Signing up to security standards such as BS7799 could ease pressure on SMEs
Multinational companies invest a lot of money in IT security and increasingly expect smaller partners and suppliers to demonstrate the same level of commitment.
IT security experts speaking at the RSA Security Conference last month predicted that large companies would in the future specify minimum security standards in contracts before doing business with their suppliers.
Many smaller businesses are generating much of their revenue from fewer large customers. Losing this business because sufficient IT security could not be demonstrated is not an option.
So what can IT directors do to balance the need for a demonstrated level of IT security while reducing the time spent on random security audits requested by potential business partners?
One mechanism to ease the pain is using standards such as BS7799 and ISO17799 (the international version of BS7799), which provide an internationally recognised best practice security model.
The standards cover 10 broad topics from how to prevent unauthorised access to information systems through to preventing loss, modification or misuse of user data. The topics are deliberately broad, specifying the best practice that needs to be achieved without dictating how. This allows IT directors to ensure they can meet the security requirements of larger partners and keep control of their own security.
However, to comply successfully with such standards, the IT director must accept the cost of certification - for example, the training it will require as part of their job role. They should also be aware that there will be audits every six months to confirm that business processes remain aligned with the company's certification requirements.
Alternatively, companies can make up their own security best practices. However, the risk is that large partners may not be convinced these security methods are adequate, or companies may make mistakes which are costly to fix.
There can be competitive advantages to implementing standards such as BS7799. This and many other standards are based on the "plan, do, check, act" model, which can simplify business processes and demonstrate that the company takes security seriously.
IT directors must be wary of suggestions that their company could be standards-compliant rather than certified. Being compliant means following the standards but without regular audits and no official certificate.
Although this may seem easier in the short term, without certification many larger business partners would not be assured of the company's security and may still demand ad hoc, independent security audits.
IT directors need to accept that audits are a fact of life and, considering the time pressures they are under, it is better to know that there will be regular audits which can be planned for, rather than being hit with an audit unexpectedly.
They should also ensure that they receive training on relevant security standards. Existing security can then be tweaked to fit best practice.
If IT directors do not support full certification, they may end up being responsible for the company losing business because they could not demonstrate its security practices - a pressure no IT director wants.
Arthur Barnes is principal consultant at Diagonal Security
This was first published in March 2005