Security: a top level issue

IT directors should be wary of taking full responsibility for their corporate information

During the Second World War it was well recognised that national security was a national issue. "You never know who's listening" posters, showing Hitler eavesdropping on bus conversations, became ingrained in the popular imagination.

Similarly, corporate security is a corporate issue, especially when it comes to information - an asset to yourselves, a weapon in the wrong hands.

Although few organisations would fail to claim they had a corporate information security policy, how do they know if it is good enough? In this arena, as in so many others, there is a British Standard to guide the uncertain.

BS7799 was drawn up five years ago, and is currently going through the fast-track process of becoming an international standard, ISO/IEC 17799, due by the end of the year.

The standard, which also covers developments in e-commerce, is a standard for information security, not IT security, emphasises Peter Restell, security expert at the British Standards Institution. "It covers all media," he points out.

Inevitably, the most prevalent media are those associated with IT, from floppy discs to clickstreams, which is why, historically, the person most likely to be held responsible for corporate information security is the IT director.

"They do get the main brunt of the work," acknowledges Restell. "Up to 80% of the implementation of the security standard is to do with IT, so if IT has to see to that, it might as well take on the whole of the information security responsibility."

The problem is that IT directors, not unnaturally, tend to focus on the T rather than the I. This presents two dangers. The first, says Restell, is that non-IT media, such as good old paper, are in danger of being forgotten, especially in the Internet age with its focus on issues such as encryption and credit card security. Moreover, on a larger scale, information security also depends on physical factors.

"Can you protect your corporate information if the building burns down?" queries Restell.

The second problem is that a good security policy has to have a large "people" element in it, which may be overlooked by those in IT, or they may not know how to handle it.

"You get cultural issues creeping in," says Restell. "How many IT people know how to run a good staff-awareness programme?"

Just sending round a mass e-mail warning staff not to write passwords on Post-it notes, or putting a reminder on the corporate intranet that all staff should read the corporate security policy manual, is not an adequate response.

Security is a large, complex issue, and in large and complex organisations many people will be involved. They need to work together, early and often, urges Restell.

"I talked to one organisation that had 50 information security officers who were all told to implement BS7799," he recalls. "They all rushed off to do so in their own way."

Inevitably, there was inefficiency and duplication of effort. "There was no culture to do anything about facilitating a meeting in a regular forum to compare notes," says Restell.

Nevertheless, BS7799 need not be implemented big-bang fashion.

"You don't have to implement it in the whole organisation at one go," says Restell. "You can do it piece by piece and make gradual progress."

It makes sense to first focus on the areas of highest risk, where there is most likely to be a breach.

"You might start with a factory that handles very sensitive technical drawings - which you may be manufacturing from (but which belong to another company)," says Restell. "That would be the big win."

The key point to emphasise is that information security is part of corporate risk management, which is why it always has to be put into context, especially when it comes to deciding how much effort and money to put into the project.

As Restell comments, losing a million pounds might be far less damaging to a huge bank than to a small business, so the effort justified in preventing that loss would be proportionately greater in the smaller organisation.

Which is why - however much of a mental turnoff security might be - responsibility for it ultimately has to rest at the very highest levels of corporate governance.

"It must be a policy signed by the highest individuals in the company," says Restell. "It's a complex subject and difficult to implement."

But the penalties of security breaches can be painfully public - and very costly, both in terms of credibility and cash.

Security in a nutshell

  • The cost of good security is the cost of insecurity - what price will your organisation pay if security is breached?

  • Internal staff are a far greater security risk than external intruders - electronic or physical

  • Security breaches in e-commerce can cause damage very fast - credit card fraudsters can spend a lot of other people's money in a very short time

  • False confidence is more dangerous than lack of confidence that you are adequately secure

  • Unlike physical property, it can be difficult to know when information has been stolen - it may have been copied without your knowledge

  • Information security policies must track developments in IT - an out of date policy is as good as no policy at all

  • Employee awareness of the importance of security is crucial, but staff buy into corporate policies best when it affects them personally, and they have an explicit responsibility to do so.