There is something strange going on in information security. Increasing amounts of time and money are being spent implementing controls to meet legislative requirements.
In a survey of Information Security Forum (ISF) members, representing some of the largest international organisations, more than half of the companies that gave a figure said they expected to spend more than £5.3m on information security controls for Sarbanes-Oxley alone.
You would think that all this investment in compliance would have an effect on the level of security incidents. Well, it does, but not the one you would expect: the average number of reported security incidents is increasing, not decreasing.
The problem is that the controls needed to comply with the growing burden of global legislation are not necessarily the ones that address today's changing and increasingly diverse threats. In particular, they take no account of how the end-user has changed.
Today’s end-users are more mobile and have more technology for both business and personal use than ever before. And the boundaries are blurred.
We use e-mail and instant messaging for work and pleasure, voice over IP use is growing rapidly, and many of us carry laptops and Blackberries, along with personal storage devices. The ISF has a library of some 200 long and detailed reports, all of which would now fit easily onto an iPod.
How often do you sit on a train next to someone working away on a laptop, while listening to other passengers holding business conversations on their mobile phones? In short, information security is as much about people, behaviour and culture as it is about technology.
This analysis is not new, of course, and many companies spend millions of pounds on awareness and training programmes and creating policy. But this alone does not solve the problem.
After all, we all know the dangers of smoking, but some of us choose to ignore the risks anyway. And you cannot always rely on trust and loyalty.
For some staff, the person they trust the least is their own managing director or chief executive officer, and they may not care if the boss goes to prison or if the company loses money.
The answer is not to rely on policy alone, but to take much of the choice away from the end-user, so that the secure behaviour is the default and the insecure one is not available. For example, make sure that anything stored on a memory stick is encrypted automatically, or implement automatic end-point security to control access to applications and data.
It is also important to provide employees with company-managed equipment, rather than relying on their own laptops or home PCs. In the ISF survey, 43% of organisations said they used USB memory sticks for business as well as personal use, yet more than 50% were not implementing encryption.
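The memory-stick example above, as an added illustration that is not from the ISF or this article: on a Windows endpoint the "encrypt it automatically or you cannot write to it" rule can be enforced with BitLocker To Go. Unencrypted removable drives become read-only, users may encrypt a stick but not decrypt it, and the two functions audit removable volumes and apply protection. The script assumes Windows 8 or later with the BitLocker PowerShell module, an elevated session, and a stand-alone machine; the registry value names follow the BitLocker (FVE) Group Policy definitions and are the ones a domain would normally set through GPO rather than locally, so verify them against your own build before deploying.

```powershell
# Added example, not code from the article: enforce removable-media encryption with BitLocker To Go.
# Assumes Windows 8+/Server 2012+ with the BitLocker module, run as Administrator.
# Value names are those written by the "Removable Data Drives" policies (assumption: check your ADMX).

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# "Control use of BitLocker on removable drives": users may turn BitLocker on, but not suspend or decrypt.
Set-ItemProperty -Path $fve -Name 'RDVConfigureBDE' -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name 'RDVAllowBDE'     -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name 'RDVDisableBDE'   -Type DWord -Value 0

# "Deny write access to removable drives not protected by BitLocker": an unencrypted stick stays
# readable, but nothing can be copied onto it until it is encrypted. RDVDenyCrossOrg additionally
# refuses writes to sticks encrypted under another organisation's identification field.
Set-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name 'RDVDenyCrossOrg'    -Type DWord -Value 1

# Audit: one row per removable volume with its BitLocker state. Rows showing ProtectionStatus 'Off'
# are exactly the sticks the policy above has just made read-only.
function Get-RemovableVolumeStatus {
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $mount = "$($_.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive            = $mount
            FileSystem       = $_.FileSystem
            VolumeStatus     = if ($bl) { $bl.VolumeStatus } else { 'Unknown' }
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
        }
    }
}

# Encrypt a removable volume with a password protector. A recovery-password protector is added as
# well, so a forgotten password does not mean lost data; record that recovery password centrally.
function Protect-RemovableVolume {
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,   # e.g. 'E:'
        [Parameter(Mandatory)] [securestring] $Password
    )
    $bl = Get-BitLockerVolume -MountPoint $MountPoint
    if ($bl.ProtectionStatus -eq 'On') { return $bl }      # already protected, nothing to do
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: show the current state, then protect a stick that is plugged in as E: (hypothetical drive letter).
Get-RemovableVolumeStatus | Format-Table -AutoSize
# Protect-RemovableVolume -MountPoint 'E:' -Password (Read-Host -AsSecureString 'Stick password')
```

The point of the deny-write policy is the one the article makes: the control no longer depends on the user remembering to encrypt, because an unencrypted stick simply cannot receive company data. On a domain, set the same values through Group Policy and back the recovery passwords up to Active Directory, otherwise a lost password is a lost stick.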
The challenge is to change people's behaviour, and the processes, tools and technology around them. Some companies also choose to incentivise good practice or even "name and shame" bad practice.
There are real concerns that pressure to comply with the growing volume of legislation is leading to time and money being diverted from critical risk mitigation.
Identifying and interpreting the laws related to information security is complex. Some are IT security specific, while other legislation may also affect IT security, such as data privacy and protection, corporate governance and human rights.
What is important is that companies realise that information security is about real people, and that controls and policies must reflect today’s real world.
Jason Creasey is head of research at the ISF. The ISF is speaking in the keynote on Mitigating the Enemy Within and exhibiting at stand G921C at Infosecurity Europe