Let's have an end to bickering, bitching and dividing, and move from rhetoric to action

I have just received my paper copy of Computer Weekly and see that the “My Take” column which I contributed has been juxtaposed with an “expert comment” from Mike Gillespie. He appears to call for a holistic approach to security while dismissing the Information Security Awareness Forum, which has brought together over twenty professional bodies and trade associations to take a rather more holistic approach than he is advocating. So too does the slew of government reports released yesterday – see my blog of yesterday.

I was at the ISSA advisory board meeting, chaired by David Blunkett well before the HMRC incident, which led to the formation of the Forum. Last night I attended a meeting of PITCOM, also attended by David Blunkett, at which Paul Murphy, chairman of the Cross Departmental Committee on IT and Information Security, described how everyone was in violent agreement about what should happen – but it didn’t. It was not just a question of bringing physical and electronic security together; it was a matter of organisational culture.
That set me thinking about the missing links. 
One is the almost uniform failure to design processes for “security by default” – i.e. making it harder to do it the insecure way and relying on natural human sloth to help police the system.
The other is the common absence of any chain of authoritative guidance, let alone responsibility, from the front line system designer or call centre operator to the board directors who carry ultimate responsibility.
And I never saw the importance of either mentioned in the massive text book that I once reviewed on how to implement BS7799/ISO27001. 
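The “security by default” idea in the first missing link, that the lazy path should be the secure path, is easy to state and rarely designed in. The following is an added illustration, not code from this column, from the Forum’s guides or from any of the reports mentioned: a hypothetical service configuration loader in which every default is the safe choice, and any weakening must be named in an `accepted_risks` list with a justification. Nobody has to remember to switch security on; they only have to explain why they switched it off, which also hands the auditor a ready-made list of deviations. All setting names and values are assumptions for the example.

```python
"""Secure-by-default configuration: the insecure path must be spelled out.

Added illustration, not code from the column or from the Forum's guides.
Assumed scenario: a small service whose settings default to the safe
choice, so an operator who writes nothing gets the secure configuration,
and every relaxation has to be listed by name with a reason.
"""
from dataclasses import dataclass, field, fields


@dataclass(frozen=True)
class ServiceConfig:
    # Every default is the secure choice: TLS on, certificates checked,
    # a short idle session, no directory listing.
    require_tls: bool = True
    verify_certificates: bool = True
    session_timeout_minutes: int = 15
    directory_listing: bool = False
    # Relaxations are honoured only when named here with a justification.
    # This turns "I forgot" into "I chose", and records the choice.
    accepted_risks: dict = field(default_factory=dict)


SECURE_DEFAULTS = ServiceConfig()


def _weakens(name: str, value) -> bool:
    """True when `value` is less secure than the default for `name`."""
    default = getattr(SECURE_DEFAULTS, name)
    if name == "session_timeout_minutes":
        return value > default          # longer idle sessions are weaker
    return value != default             # for the booleans any change weakens


def load_config(overrides: dict) -> ServiceConfig:
    """Build a config from operator overrides, refusing unacknowledged weakening.

    Raises ValueError if an override weakens a default without a matching
    entry in accepted_risks, so the insecure way is the harder way.
    """
    accepted = overrides.get("accepted_risks", {})
    for f in fields(ServiceConfig):
        if f.name == "accepted_risks" or f.name not in overrides:
            continue
        if _weakens(f.name, overrides[f.name]) and f.name not in accepted:
            raise ValueError(
                f"{f.name}={overrides[f.name]!r} weakens the secure default "
                f"and is not listed in accepted_risks with a justification")
    return ServiceConfig(**overrides)


def audit(cfg: ServiceConfig) -> list:
    """Return the names of every setting that departs from the secure default."""
    return [f.name for f in fields(ServiceConfig)
            if f.name != "accepted_risks"
            and _weakens(f.name, getattr(cfg, f.name))]


if __name__ == "__main__":
    # Constructed sample: an operator who writes nothing gets the secure set.
    print(audit(load_config({})))
    # Constructed sample: a documented deviation for an internal test CA.
    relaxed = load_config({
        "verify_certificates": False,
        "accepted_risks": {"verify_certificates": "internal test CA, ticket PLACEHOLDER"},
    })
    print(audit(relaxed))
    # Constructed sample: an undocumented deviation is refused.
    try:
        load_config({"directory_listing": True})
    except ValueError as err:
        print("refused:", err)
```

The point is not the particular settings but the shape: the operator never has to opt in to security, and `audit()` lists exactly the decisions that someone up the chain of responsibility should have signed off.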
Holistic is in the eye of the beholder. 
The first product from the Information Security Awareness Forum, the  “Director’s Guides to Information Security”, on Organisation, People and Process, struck me as exactly the kind of holistic approach that is needed if we are to move from whinging rhetoric to constructive action.
What am I missing?


As driving analogies are often used in the InfoSec community, it struck me that whilst you can buy the "Highway Code" and read books about driving etc., you are not allowed to pass your test without having had some appropriately qualified instructor putting you through your paces. Seeking to implement ISO27001 is very similar - i.e. you can purchase the standard and read through it, but the benefit of having assistance to guide you through the journey of it would have pointed out the road signs that clearly mark the need for a "chain of authoritative guidance" - it is embedded throughout it really. In every case, there is an indication that there should be a "formally documented" whatever it might be - policy, standard, procedure or guidance note. "Formally" in standard context means signed off by senior management as the accepted way of doing things. The meeting at which that sign off should be achieved (or the mechanism for it) should be equally documented and controlled.

My concern would be that you either read the wrong text book or it needed better signposting!

The importance of a holistic approach to security strategy is now becoming clear to a number of commentators. But what does this mean and how could it work in practice? Firstly there is a growing emphasis on Enterprise Risk in large corporations and depending on the organisation's culture this may lead to an effective relationship between physical and digital security. But as Deloitte's Global Security Survey (2006) indicated this is still rare (14%). A recent Honeywell survey of CSOs and CISOs supports this perception but found that in the next two years the possibility of converged real time monitoring of physical and digital systems led leaders to think that Corporate security will be managed jointly in the future (33 - 67%). This is a very positive sign and is reflected in the make up of the recently formed Information Security Awareness Forum. A number of member organisations, including ASIS International, UK Chapter 208, primarily focus on physical security risks in the protection of information and the individuals involved in accessing data. Hence the forum is concerned to develop relations between IT and physical security leaders. As Dave Tyson (Director of Information Security, eBay and board member of ASIS International) explains in his book, Security Convergence, 'often it is very difficult to determine whether a cyber crime should be investigated by a physical or IT security specialist'. He continues, 'the threats have converged and this means our investigation techniques need to converge as well'. It seems that in many ways the importance of security leaders from all areas working closer together is being recognised and valued. Whilst it is, in fact, really just starting, in practice the ISAF is a great example of the excellent relations which are being developed between physical and IT security organisations.

James Willison, Convergence Lead, ASIS International, UK Chapter 208.