Let's have an end to bickering, bitching and dividing and move from rhetoric to action

I have just received my paper copy of Computer Weekly and see that the "My Take" column which I contributed has been juxtaposed with an "expert comment" from Mike Gillespie. He appears to call for a holistic approach to security while dismissing the Information Security Awareness Forum, which has brought together over twenty professional bodies and trade associations to take a rather more holistic approach than he is advocating. So too does the slew of government reports released yesterday (see my blog of yesterday).
 

I was at the ISSA advisory board meeting, chaired by David Blunkett, well before the HMRC incident, which led to the formation of the Forum. Last night I attended a meeting of PITCOM, also attended by David Blunkett, at which Paul Murphy, chairman of the Cross Departmental Committee on IT and Information Security, described how everyone was in violent agreement about what should happen – but it didn't. It was not just a question of bringing physical and electronic security together; it was a matter of organisational culture.
 
That set me thinking about the missing links. 
 
One is the almost uniform failure to design processes for "security by default", i.e. making it harder to do things the insecure way and relying on natural human sloth to help police the system.
 
The other is the common absence of any chain of authoritative guidance, let alone responsibility, from the front line system designer or call centre operator to the board directors who carry ultimate responsibility.
 
And I never saw the importance of either mentioned in the massive text book that I once reviewed on how to implement BS7799/ISO27001. 
 
Holistic is in the eye of the beholder. 
 
The first product from the Information Security Awareness Forum, the "Director's Guides to Information Security", on Organisation, People and Process, struck me as exactly the kind of holistic approach that is needed if we are to move from whinging rhetoric to constructive action.
 
What am I missing?