Rise of the data security tsar

When an issue becomes so grave that it threatens the national way of life, a "tsar" is ushered in by the prime minister to fix it. Something similar is happening in the corporate world, where security bouncers are being appointed to ensure the company infrastructure is protected from internal and external attack.

The chief information security officer (CISO) goes under a variety of titles, but they are the person who carries the can for keeping businesses secure and the regulators happy. They are more common in the US, where growing pressure to comply with corporate governance legislation such as Sarbanes-Oxley has spawned a new population of CISOs.

However, the UK is fast following suit and the progress of the forthcoming Companies Bill will produce a fresh population of security chiefs.

"Everyone is very concerned that customer files and corporate accounting information is protected and that someone is accountable," says Brian Collins, professor of information systems at Cranfield University. "The UK is treating data ownership more seriously, and security is becoming part of a risk management and data ownership strategy."

The Companies Bill may be the stimulus for reviewing how accounting data is treated. But strategies for managing security have been evolving since the days when firewalls were seen as the ultimate panacea. The role has certainly grown beyond the scope of an individual, or even a team, whose purpose is to outwit external attacks over IP networks.

Company directors are waking up to the fact that exposing customer data to a security breach will not just harm the brand; it could put them out of business.

Public services organisations are just getting a handle on the implications of the Freedom of Information Act - when to keep information and when to dispose of it. And a further challenge is the increasing number of internal security breaches at UK organisations, according to the Department of Trade & Industry's 2004 Security Survey.

According to analyst firm Gartner, the bodies of technical expertise set up in the 1990s to protect internet users are no longer the appropriate stewards of security.

"By 1996, everything you wanted to have done on a firewall had been done," says Gartner research vice-president Jay Heiser. "We are done with that. Security expertise is becoming a lot more tactical and is part of broader business risk."

According to Gartner, the maturation of technology makes it safe to put security into the hands of a high-level risk manager who is the intermediary between the business and IT. It predicts that by 2008, 65% of the Global 2000 companies will employ a CISO to operate a centralised security programme.

"There is an arms race of security technology going on today. Companies need [the CISO] to make educated choices because each organisation has different needs that call for different approaches," says Paul Proctor, research vice-president at Gartner.

However, others question whether a risk assessor could take on an issue as complex as security as just another part of their portfolio. "Personally, I cannot see a business person or a professional manager being able to sort this one out," says David Roberts, chief executive of user group the Corporate IT Forum.

"There is a point at which the focus of security moves from wires and bits and bytes to the words on pieces of paper," says Roberts. "But the bottom line is that in order to assess risk and formulate policy, one must understand the complexities of the technology."

The argument for having a business manager in charge is also flawed because it assumes security technology is mature, says Collins. "There are lots of threats for which the CISO does not have an instant set of tools," he says. "It is an overstatement to say that technology is mature."

Technology for totally eliminating spam is not there, for example, nor is there a single tool to monitor the configuring and patching of all devices.

Although there is no consensus about who should be in charge, there is agreement about the need for a change in mindset. The move towards viewing IT security as an intrinsic part of the corporate infrastructure has partly been a response to wider global events.

"Y2K prompted people to think about the holistic impact of IT. Also, after 9/11 the concept of the critical national infrastructure started to mature," says Collins.

As a result of this holistic thinking, the emphasis on evaluating risk, as well as being a technical hotshot, is filtering into security roles in all kinds of organisations.

At the high end, Zurich Financial Services has discovered this approach can yield big savings. And the good news for smaller companies is that they do not have to employ someone on an enormous salary to be risk savvy.

This is demonstrated by the approach of Brian Shorten, information risk manager at Cancer Research UK, who explains the framework for security provision at the charity.

"As with all risk, you look at what the assets are, the threat to them and the cost of something adversely affecting them," he says.

Security accounts for between 1% and 2% of Cancer Research UK's IT budget, and the charity always favours pragmatism over technical sophistication purely for the sake of it, says Shorten.

"If you need to check the identity of people entering an office area, such as in one of Cancer Research UK's shops, there are several solutions. One is to buy smartcards. The more effective and cheaper alternative would be to install a reception desk and ask everyone to sign in and out," he says.

Simon Janes, former Scotland Yard detective and consultant at security specialist Ibas, says the job description for security chiefs needs to get broader. Risk is just one of many aspects of the job that they will need to master, he says. "The job description is wider in scope than IT security. It has to include legal domains and physical security too," he says.

He advises the next generation of security chiefs to install procedures for incident handling, to cope with the surge of internal, physical breaches of security that are occurring as storage devices get smaller and more mobile. Managing physical security tends to fall between the IT and human resources departments and could be a weak link.

"You have to ensure that you comply with the law when you are investigating an incident, otherwise evidence can be thrown out in court," he says.

Janes also believes that success in the security realm is more likely if the role is a dedicated one. "The police force knows this and has dedicated teams for handling armed robbery and drugs," he says.

Because of the interdependence of different functions, one of the critical tasks of the CISO is to get conversations going across different divisions. The most critical of these is the conversation with the HR department.

"One of the roles of the security officer is to educate the HR department about the dangers of IT abuse. The law is out of date and it is not an easy function to get hold of. Defining what employees can and cannot do needs discussion and this is something that IT should lead," says Roberts.

Meanwhile, as firms are starting to evaluate risk more closely before spending money on security investments, most of the budget is spent after an incident, according to Collins.

"The budget is moving towards spend on the management of incidents. Because of the negative impact on brand value, security breaches can affect capitalisation of market value," he says.

Roberts says, "Whoever gets to be security tsar in the new era will have to be a multi-dimensional person. They will need to talk to HR, the business, IT and finance, and certainly the legal team. But if they do not have the underlying understanding that will enable them to spot the vulnerabilities, all the words in the world will not make a difference."

Case study: Zurich Financial Services

Zurich Financial Services overhauled its security strategy as part of a larger consolidation that saw two datacentres and 20 global chief information officers merge into one operation. The cost of running IT was reduced from £2bn to about £1bn.

Security had previously consisted of a very small team that was distributed worldwide among the regional IT departments. "There were no synergies and no collaboration. It was virtually impossible to agree on anything," says Stefan Vogt, head of IT risk at Zurich Financial Services.

Post reorganisation, the firm decided to take an insurance approach to its information security. "Our business is calculating the risk of things going wrong and putting money on that risk," says Vogt. "What is different between that and making sure that a relatively large IT infrastructure is secure? We are a classic IT information shop that has grown into an information risk management business."

This means that configuring firewalls or managing secure clients day to day is no longer the day job. Instead, the job revolves around reporting on risk and creating policy. There are two components to this - risk strategy and risk management. The former is akin to a pilot boat. "We are like a small boat ahead of the parent ship, spotting icebergs," says Vogt.

The twin priorities for 2005 have been to achieve operational efficiency and raise the awareness of information security.

To achieve operational efficiency, it was essential to find a way of reporting risk. This had originally been done through a traffic light system, but a dashboard approach offered the company a more comprehensive way of flagging different risks.

The traffic light system works by periodically assessing risks and giving them a green, amber or red light, depending on the level of risk. The dashboard approach gives an overall view of the operational and security landscapes inside a company and allows proactive monitoring.

A key aspect of the new risk management regime was to quantify the risk. "I expressed this in dollars as a figure we could expect to lose if a certain aspect of security were to fail," says Vogt.

"People challenged these figures of course, but were usually unable to come up with an alternative. And the figure promoted discussion, which is healthy. It is better to have the discussion than the old default of 'let's install another firewall'."
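The three ideas above, Shorten's assets-threats-cost framing, the traffic-light rating behind Zurich's dashboard, and Vogt's practice of expressing each risk as the money the company could expect to lose, fit together in one small calculation. The script below is an added illustration, not code from Cancer Research UK or Zurich Financial Services: every asset, threat, loss figure, occurrence rate, control cost and threshold in it is constructed for the example. It computes an annualised loss per asset/threat pair, rolls the register up into a sorted red/amber/green dashboard, and compares two candidate controls for one risk on net benefit (loss avoided minus the control's cost), the same comparison Shorten makes between smartcards and a reception desk.

```python
"""Quantified risk register, in the spirit of the case study: expected annual loss
in money per asset/threat pair, a traffic-light rating that rolls up into a
dashboard, and a cost comparison of candidate controls.
Added example; every asset, threat, figure and control below is constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    single_loss: float   # cost of one occurrence (single loss expectancy)
    annual_rate: float   # expected occurrences per year (annual rate of occurrence)

    def annual_loss(self) -> float:
        """Annualised loss expectancy: the figure 'we could expect to lose'."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reduction: float     # fraction of the annual loss the control removes, 0..1


def residual_loss(risk: Risk, control: Control) -> float:
    """Annual loss that remains after the control is applied."""
    return risk.annual_loss() * (1.0 - control.reduction)


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: loss avoided minus what the control costs."""
    avoided = risk.annual_loss() - residual_loss(risk, control)
    return avoided - control.annual_cost


def best_control(risk: Risk, controls: List[Control]) -> Control:
    """Pick the control with the highest net benefit (it may be negative for all)."""
    return max(controls, key=lambda c: rosi(risk, c))


# Traffic-light thresholds on annual loss. Constructed values; a real programme
# derives them from risk appetite, e.g. as a fraction of revenue or IT budget.
AMBER_THRESHOLD = 5_000.0
RED_THRESHOLD = 25_000.0


def rating(annual_loss: float) -> str:
    """Map an annual loss figure to the green/amber/red scale."""
    if annual_loss >= RED_THRESHOLD:
        return "red"
    if annual_loss >= AMBER_THRESHOLD:
        return "amber"
    return "green"


def dashboard(risks: List[Risk]) -> List[Tuple[str, str, float, str]]:
    """One row per risk, largest expected loss first: (asset, threat, loss, rating)."""
    rows = [(r.asset, r.threat, r.annual_loss(), rating(r.annual_loss())) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register: assets, threats, loss per event and events per year.
REGISTER = [
    Risk("customer records database", "theft via compromised account", 500_000, 0.1),
    Risk("shop back office", "unauthorised walk-in", 20_000, 0.5),
    Risk("laptop fleet", "unencrypted device lost", 40_000, 0.25),
]

# Two candidate controls for the shop back-office risk. Costs and effectiveness
# are constructed for the example, not measured.
SHOP_RISK = REGISTER[1]
SHOP_CONTROLS = [
    Control("smartcard door entry", annual_cost=8_000, reduction=0.9),
    Control("reception desk with sign-in", annual_cost=3_000, reduction=0.7),
]

if __name__ == "__main__":
    for asset, threat, loss, light in dashboard(REGISTER):
        print(f"{light:5} {loss:>10,.0f}  {asset} / {threat}")
    for c in SHOP_CONTROLS:
        print(f"{c.name}: net benefit per year {rosi(SHOP_RISK, c):,.0f}")
    print("chosen:", best_control(SHOP_RISK, SHOP_CONTROLS).name)
```

With these constructed numbers the smartcard system removes more of the risk but the reception desk still wins on net benefit, which is the point of putting a figure on the table: the cheaper, lower-tech control can be defended with the same arithmetic that would otherwise default to "install another firewall". The weak spot in practice is the annual rate and the reduction fraction, which are estimates; the value of the exercise is that they are written down where someone can challenge them.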
