Guidelines should be simple but effective

ISACA, the Information Systems Audit and Control Association, has just launched a guide designed to provide IT security chiefs with an independent framework to help manage their information security more effectively. My heart generally sinks when I dip into an ISACA publication, as they’re often composed of hundreds of pages of control descriptions, neatly arranged in sparse tables. In fact, I was pleasantly surprised that the introductory guide, An Introduction to the Business Model for Information Security, is actually concise, simple and readable. We need more like this.  

But lurking beneath the surface of this simple business guide is a growing portfolio of more detailed documentation that attempts to build the basis of an all-encompassing framework for joining up enterprise governance, risk management and compliance. It’s a folly, however, to imagine that such a broad, nebulous spectrum of activity can be catalogued and codified into a single, digestible framework. The problem and solution spaces are too rich, complex and volatile to enable this to be done without dumbing down the subject areas, swamping the reader and stifling innovation.

It looks tempting of course when you compare existing standards. They all look surprisingly similar. But then most modern guidelines follow a similar structure, though they are often created as different means to diverse ends. Each source of guidance reflects its pedigree to some extent. ISO security standards were developed by security managers aiming to harmonise accepted practices. COBIT was designed by auditors seeking to catalogue controls. ITIL was created by central government advisers to promote a more professional approach to IT management. Such guidelines are generally best used for their original purpose.

Maturity frameworks are also increasingly fashionable. They were originally conceived by academics to help improve the quality of large-scale software developments. As such, they are often far too detailed to be used for more modest programmes, though the concept is compelling and helpful in structuring targets and actions.

Much contemporary security guidance tends to polarise into either an over-simplified set of golden rules that fail to explain the subject, or a detailed architectural framework that is unwieldy and impossible to maintain. The best answer lies somewhere in-between. We need concise but complete, tailored guidance on individual problem areas. Few guides are effective if they are less than five pages or more than a hundred. They need to be small enough to digest, but big enough to be significant.