Plans by an industry consortium to develop a corporate checklist for assessing cyber threats could help IT directors justify security spending and help protect companies against hackers, according to industry experts.
The consortium, which includes the Big Four accounting firms and insurance giant AIG international, aims to agree a cyber-risk model that can be used by companies in all industries.
Auditors and insurers could also use the "risk preparedness index" to help decide whether a company has adequate IT security arrangements.
Although details of the framework have yet to be finalised, security experts believe it will focus on an organisation's IT security safeguards, such as its firewalls and anti-virus software, and compare this against the security threats it faces.
IT directors welcomed the initiative.
"IT infrastructure risk management is of critical importance to the industry and Barclays broadly welcomes the principles behind this initiative," said Barclays group chief technology officer Kevin Lloyd.
"We will continue to monitor the development of this framework with interest and potential inclusion in the shaping of the framework."
Nick Leake, director of operations and infrastructure at ITV, said, "I think the real value of this approach is in sorting out the companies with dreadful levels of non-compliance/operation from those with high levels - it won't be much use in distinguishing the better of two already very compliant operations. And as with all these things, it will have to be kept up to date."
Industry experts said that an accepted model for measuring security risk would be a breakthrough if widely adopted and would also help IT departments justify security spending.
"The new security standard looks promising, although a lot of the devil will be in the detail," said Graham Titterington, principal analyst at Ovum. "It will make it easier for people to justify spending on IT security because the backers of the standard are blue-chip companies, which gives it credibility with the board."
Existing standards for information security, such as BS7799, do not primarily focus on assessing security risks to a business, added Titterington.
Neil Barrett, technical director of security consultancy Information Risk Management, said the proposed security standard would allow IT directors to measure their organisation's security arrangements against a benchmark.
The Big Four firms contacted by Computer Weekly declined to comment.