Security strategy research seeks to plug weaknesses

The Security Research Initiative will develop a template to reduce security gaps and improve security management.

A spin-off company from Leicester University is setting out to find what many people would think is the holy grail of information security – the perfect information security strategy.

The three-year project is the brainchild of Professor Martin Gill, who says that the lack of an overall strategy is hampering progress in most organisations and stopping companies from getting the best from their security investments.

The Security Research Initiative has sponsorship from some big-name companies including Barclays, KPMG and Royal Mail, and will be conducted through Perpetuity Research and Consultancy, a spin-off company that is part-owned by Leicester University.

Gill said that some initial research done in the UK and overseas had uncovered a general feeling that the lack of an overarching strategy was a serious weakness in the way organisations managed their security.

"We found that many organisations' approach is not guided by a security strategy. This explains why security is often marginalized, is not seen to relate to corporate objectives or deliver value. That is because the organisation is not clear what it can get out of the security function," he said.

Despite the existence of standards such as ISO 27001 or Cobit, Gill said there is no model approach to how you develop a security strategy. "We want to develop that, as well as looking at the issues that might make it problematic to implement. We want to see how we can learn from other industries and sectors, etc."

The end product of the research, he said, would be a template for a strategy that is based on all the best practice they can garner from their research. "We are trying to provide something that is meaningful, practical and useful, but based on extensive research. So anyone in future who wants to develop a strategy can just go and download the template – that would be the idea," he said.

The research will start with an analysis of existing literature and will then aim to talk to different organisations to collect elements of best practice. Gill said he has a completely open mind about how the template might look. "At the moment, some companies don't have a strategy at all, and some have a strategy but don't follow it. The knock-on effects can be quite severe," he said. "IT security is well developed in some areas where there are strict compliance requirements, such as nuclear, and to a lesser extent, financial services. But that is not the majority of organisations, of course."

The lack of a clear strategy makes it hard for companies to procure products and services in a co-ordinated way, said Gill. And if the security function is confined to protecting assets, rather than adding value or enabling business, then it is not fulfilling its potential.

The initial research report will be completed by next April, and given to the sponsoring companies before being published three months later. The report will determine the direction of the two subsequent years' work.

The project's sponsors are: Advance, Barclays, Carlisle Security, Case, CMP Information, Corps, Gratte Brothers, KPMG, MITIE, Nexen Petroleum, National Security Inspectorate, OCS Resolution, Reliance, Royal Mail, Perfectus, VSG, Wilson James.