Is 27001 to blame for the LIBOR fiasco?

The ongoing LIBOR saga has two dimensions.

One is political – how much is the story really about banks responding to Government pressure to rig the rate, once they had discovered how easy it was to do so?  We should note that the systemic rigging came after the banks had supposedly said they wanted reform because it was open to abuse.

The other is how such a key market rate came to be based on subjective inputs in the first place. I have had some profoundly worrying e-mails since I blogged on how Libor broke the first rule of information governance. The gist of these is that the rigging of LIBOR may be only the first of a series of scandals that will emerge because of the way the FSA promoted “self-policing” by those who could be “trusted” because they adhered to 27001 or had similar processes which enabled boxes to be ticked.

Lloyds (whose Head of Security for Digital Banking is facing fraud charges) is among those which boasts that it processes are based on 27001.  I remember favourably reviewing one of the first text books on how and why to implement 27001. About two years ago I lost faith. I now wonder if it is part of the problem, not the solution.

That is partly because so few people in organisations that have been certified have actually read the processes they are supposed to adhere to. In some cases that may also include the supposed authors, who copied the sections from elsewhere.

But it is more because of way it can distract attention from the collation and prioritisation of risk, particularly the risks that arise from the way staff are motivated.

Many years ago, as a Public Corporations Sector Comptroller in ICL, I was the only member of the sector management team not on any of the bonus schemes. My staff ran the order taking, debt chasing, expenses and bonus systems and I reported to the Finance Director, although I hardly ever saw him. We also checked the profitability and I approved those discounts in my power (over and above those the salesmen could offer) or supported the case for more (alongside the sector manager).

Had I and my staff also been on bonus I suspect we would have reported rather more sales, paid more expenses and the company would have been paid but its customers rather more slowly and written off more bad debt: all without considering that we were being actively dishonest.  
I doubt that those dealers who rigged Libor in their own interests (or that of their counterparts in other banks as part of “easing” the market) are any more, or less, (dis)honest than the average computer salesman (wanting a better deal for his customer and an easier relationship for the upgrade) – or the man in the street.

Clive in the Daily Telegraph sums up the role of those policing compliance in a way with which many of those in large organisations would, unfortunately, sympathise. The following day he equally succinctly, summed up the current state of information governance in most large organisations, not just the banks but those central government departments with bonus schemes as well.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Blaming ISO/IEC 27001 for skulduggery surrounding LIBOR is rather like blaming my neat little plastic card for my driving ability. In much the same way that other neat little plastic cards were going to save us from international terrorism. The problem with standards is not that there are so many choose from (reference your comments sometime back mentioning the Matelot’s prayer) but rather the bipolar situation of the following of a standard’s clauses in the expectation that following instructions abrogates responsibility (I was only obeying orders) or that it removes the need for expertise in the matter at hand. As I said a few weeks ago ( when the IASME Consortium set out the information security standard for small businesses as a route map to get them towards ISO/IEC 27001, it was bound to feel a bit like 27001 itself ( The concepts they encompass so basic any good model of security is indistinguishable from the set of controls that we are all hoping we won't need. (In much the same way that Messrs Pratchett and Gaiman suggest that any tape left in a car for long enough will turn into Queen's greatest hits.) The inherent risk in risk management is that if we don't get the trust model right (Ahem! Lead me not into temptation…) then the risk treatment decisions fit a less than honest assessment. When I hear words such as ‘based on 27001’ I would reach for my gun if I had one. It is the word ‘culture’ that would ensure that I kept it holstered. It's never just a people problem but the culture of the organisation or the community tells all. The benevolent security standard is based on the logic that risks, threats, and vulnerabilities must be treated by controls. But ’logic... allows one to be wrong authority’ (Holmes). How much more so the logic is skewed by personal ambition and desire? You need both the spirit and the letter applied in the right balance of appetite and attitude to risk. In this sea of complexity, the standards and their checklists are still signposts to the right behaviours (see ‘The Checklist Manifesto’ by Atul Gawande). Please don't sully good work by those who misappropriate it to hide or justify their behaviour.

And while I'm at it, I feel duty bound to point out that although we may mourn the thickness of the standards catalogues (after all what is a standards body but a publishing house), if you approach the problem with the half-empty breakout box, you'll suffer the same fate as those who go it alone during risk discovery: missing the right tools for the job. So when we look at the risk management standard 27001, we must remember that it's a standard for information security and needs to be held aloft with (for example) ISO/IEC 38500 for IT Governance (splendid, short, neat, and truthful) and the wider philosophy of BS 31100 for Risk Management. They are all explicit codifications of knowledge which need to be released back into the sociotechnical and economic framework by the idiosyncrasies that make us prefer one organisation over another. Trust (Sasse et al.) is simply that positive expectation that our vulnerabilities will not be exploited. Let's divorce the bad behaviours from the guidance of standards and keep those standards up to date with what works.