Information security must grow up, survey says

The results of an online survey have revealed that the realm of information security is immature, underfunded and often poorly implemented.

More than 1,000 respondents filled out an online self-assessment tool developed by the Human Firewall Council, a nonprofit infosecurity organisation.

The council's "Security Management Index" (which, in spite of the broad name, refers only to information security) is an online questionnaire that allows organisations to grade their security efforts in 10 categories, based on the ISO 17799 guideline from the International Organization for Standardization. The results: Eight out of 10 respondents earned an overall grade of D or F.

The Human Firewall Council attributed the low scores to a mindset in which each problem is addressed by buying a product, rather than by looking at the whole operation and devising an overall approach that includes education, policy and architecture.

The council said that this approach dominated the corporate mentality about the security field.

"People approach infosecurity through products, but that only addresses the tactical side. It's much more of a business problem, and people are just starting to wake up to that," says Michael Rasmussen, an information protection analyst for Giga Information Group and one of the survey's principal authors.

"I can build an impenetrable fortress from an academic sense, but if the employee sitting behind the desk gives out that private information," then the fortress is all for naught.

The ISO standard presents a more holistic approach, covering categories such as policy, end user education and asset classification, in addition to more technical areas.

Practitioners said the survey instrument and results appeared generally reliable. "I think the survey is excellent, very useful," says Stephen Locke, chief information security officer of Northern Trust, a Fortune 500 financial services company.

Locke stressed the need to avoid sounding the klaxons unnecessarily in information security. "I'm more interested in instilling a business focus and not a paranoia focus," he says.

He admitted that full compliance is not necessarily realistic for everyone. His own company earned a B-minus, or about 80%, on the survey, which he attributes not to oversights but to rational evaluation of where the ISO recommendations are, and are not, appropriate for its particular business requirements.

ISO compliance is enormously time consuming. "We spend a lot of time with federal regulators and our own legal and compliance people, and it takes a lot of time for my staff to work through all this documentation," says Locke.

Another possible reason for the lower scores of some other survey respondents is that industries vary in their exposure to information security, and some may find certain categories in the index less critical than financial or healthcare organisations do.

Finally, the assignment of letter grades in the survey has been perceived as quite subjective. For example, a company that checks "partially implemented" for a particular set of ISO best practices automatically receives a score of five out of 10 that maps to a failing grade for that category. "In my opinion, partial implementation might be more deserving of a C," admits Rasmussen.

Nevertheless, the index makes its point. "You can look at the methodology and say it's skewed one way or another," says Rasmussen, "but I would say the results are fairly accurate based on what I find in the field."
