Can information security deliver business value?

Information security remains a perennial priority for IT leaders.

Historically, security has been regarded as an insurance-type activity to keep the bad guys out, but this attitude is increasingly outdated, as forward-thinking organisations show how security can be an enabler and a means of gaining competitive advantage.

At a Computer Weekly roundtable, in association with Oracle, IT security leaders discussed the business value in information security and how best to deliver it.

Delegates discussed how the new government will change the security landscape, and focused on key security issues, such as the impact of new regulations, accreditation, a new era of openness, and what IT security professionals can learn from high-profile security failures.

Impact of the new government

The government has announced plans to roll back the database state, scrapping ID cards and the National Identity Register. But Toby Stevens, managing director of Enterprise Privacy Group (see box), said this risks creating "an identity vacuum" which will be filled with competing identity and authentication schemes.

The civil liberties agenda will change the way government and industry approach information security. There will be a cap of £100m on government IT contracts, and Stevens said splashing out on IT projects without thinking about security will end.

"Those organisations that were brave enough to say, 'If security is too expensive then maybe it's not a good project' will be held up as the champions and pioneers," he said.

Data handling failures by government have come under the spotlight since HM Revenue & Customs (HMRC) lost two CDs containing millions of child benefit records.

Historically, the Information Commissioner's Office (ICO) has not been able to do much to increase accountability, beyond censuring miscreants, said Stevens, but it now has new punitive powers to fine organisations up to £500,000 for serious breaches of the Data Protection Act.

However, Stevens questions the "value of fining a government department if it means taking away money so it can't deliver what it needs to deliver."

Instead, he thinks the ability to prosecute for repeated failures makes more sense and he believes this provision is likely to become law.

"The government was centralising and aggregating data in a way that private companies would shy away from doing," said Stevens.

A lack of accountability and security controls means we have seen "brand new systems bought with no attention to security," he added.

And as accountability increases in the wake of new regulations, there is an expectation that there will be greater rewards for information security and assurance professionals. "They will be paid better rates," said Stevens.

IT security chiefs agreed that ensuring systems are secure and information is managed securely is a priority for government and industry, although there is no magic wand.

Following the HMRC data loss, the Hannigan Review of government data handling procedures called for security accreditation of new systems, but the word "new" was inserted eight hours before publication, said Stevens, who described this as a cop-out.

"We have a hugely interconnected environment. If one system is accredited and not others do you have any security?" he asked.

Stevens foresees a culture which will "force creeping accreditation across public services", with a mandate that accredited systems can only work with other accredited systems.

Organisations will have to look at their information assets and "assess what level of protection is required", said Stevens, who called for an end to a culture of accreditation "catching everyone by surprise" because it is added at the end of the procurement process.

Mike Trevett, deputy director for information security and legal services at the Office for National Statistics (ONS), questioned the financial implications of accreditation. "A chain is only as strong as the weakest link, but accreditation does not come cheap. How do you make that circle square?" he asked.

Des Powley, technical director for security and ID management at Oracle UK, said there is a risk associated with accreditation if organisations think they can do it once and forget about it, and suppliers are faced with the problem that security is not static.

"Accreditation can breed complacency because it happens at a point in time. A system changes, but is accreditation updated? The threat landscape is constantly changing and if you buy software with a gold standard of security to ensure it is accredited to the highest level at the point of sale, it only addresses the threat present at that current point in time," he said.

Stevens foresees the end of "security through obscurity". He described it as outmoded and said it has held back progress in government.

"So many organisations believe that they are a centre of security excellence, but they don't like sharing," he said.

A fundamental problem is that CESG [Communications-Electronics Security Group, which advises the government on IT security] has been holed up at GCHQ in Cheltenham and not provided enough direction to industry, said Stevens.

"People who should be talking and liaising should be moved to London with an open front door. There is nothing happening that should be under lock and key. This is not something that should be confidential," he said.

The language of security can be a hindrance to openness and clarity.

Callum Halliday, information security manager for the London 2010 Olympics, is focusing on providing clear communication about the importance of security to users.

"We are rolling out a security education awareness project with staff which will expand over the next months to improve the level of understanding about sensible user behaviour," he said.

Martyn Croft, CIO at The Salvation Army, believes that making security open and easy for users to follow is advisable. "Make it incredibly easy for people to do the right thing and difficult for them to do the wrong thing," he said.

Suppliers also need to be more open about the cost of security. In the past they have been guilty of adding on security as a "forgot-to-do" to government IT projects because they "didn't want to increase their tender offer", said Stevens.

Learning from experience

The actual cost of two lost CDs holding 25 million child benefit records to HMRC amounted to about £2, but the cost in terms of reputation and co-operation with the public is unquantifiable.

Independent research consultant John Leach said the breach damaged HMRC's ability to do its job. "HMRC relies on the average taxpayer doing their tax returns properly. The problem for HMRC if they lose data is the public won't play ball. Their operational costs went up through the roof trying to rebuild the damage caused," he said.

However, Powley said that although HMRC went into paralysis in the wake of the data breach and the chief executive lost his job, there are always some organisations that take the attitude "it is cheaper to pay the fine than address the issues".

But more organisations are beginning to appreciate the business imperative of getting IT security right.

"A database is worthless if it is corrupted," said Marcus Alldrick, senior manager, information protection and continuity, at Lloyd's of London.

Trevett said, "It's not the value of the data; it's the value of replacing it. There is the physical cost of replacing the data asset and the reputational cost."

The future of security and privacy

Toby Stevens, managing director of Enterprise Privacy Group, is an expert on privacy and identity and has advised the Conservative Party, whose plans to scrap the ID card scheme and the next generation of biometric passports were announced in the Queen's Speech in May.

Stevens believes the strong civil liberties agenda heralds a new security direction for industry and government, and the "emotional quality" of privacy will be more keenly felt.

"There is an intangible quality that comes with privacy that gets people riled and security managers have to take this on board," he said.

Emotional quality means, for example, companies with a family reputation such as Marks & Spencer or Boots risk getting badly hurt if there is a security lapse, said Stevens.

Data losses and failures in handling sensitive information will not be tolerated by the public or customers and Stevens believes that the lack of accountability for handling sensitive information that was symptomatic in the past will change.

"We have an environment where the penalties for individuals in organisations who fail to protect data are going up rapidly. I don't like to scaremonger, but IT security heads have to ensure that senior executives are aware that they must take responsibility. They can delegate responsibility, but they can't delegate accountability and they will carry the can," said Stevens.

Within government IT security, Stevens expects an "opening of doors" which will be beneficial for industry.

"Industry can't see anything coming out of government such as standards to follow," he said.

Secrecy coupled with a lack of leadership, where the chief information security officer role is fudged into the CIO agenda, means that "each department must re-invent the wheel" resulting in a "diverse duplication of effort", said Stevens.

He believes improved security and professional standards, and better recognition of information security and assurance professionals, are necessary and will help to prevent projects being completed with security flaws and money being blown on outdated technology.

"I want to see security seen as an asset rather than an obstacle," said Stevens, and he believes this is possible with a new culture of leadership and openness in industry and government.