Security Think Tank: Never mind Snowden, think best practice

How should the Edward Snowden revelations about the NSA and GCHQ be influencing future information security strategies in the UK?

The revelations of the mass surveillance programmes conducted by the National Security Agency (NSA) and GCHQ on organisations would not have come as a surprise to any informed information security professional. 

For years, intelligence organisations have been collecting information via a variety of channels, including emails and telephone networks. Perhaps the shock element is the extent and magnitude of the snooping being undertaken by these and other similar organisations.

Fundamentally, businesses should be deploying the best possible security measures in the organisation as a matter of routine. Take encryption for instance. While companies should be encrypting their data, there are indications that the NSA has circumvented encryption to gain access to data secured by either Secure Sockets Layer (SSL) or virtual private network (VPN). But this is not a reason not to encrypt data.

The impact of these revelations on the information security strategies of businesses will depend on what organisations believe to be the commercial sensitivities and IP-related risks, and therefore what level of security investments they want to make and for what return. 

Companies need to determine their appetite for risk and the corresponding investment they deem fit to undertake.

Perhaps the simplest analogy is securing a building. One can do the minimum by ensuring that all the entry points are locked; go a step further to install better quality locks, shatter-proof glass windows and an alarm system; or then make major structural changes to secure the building. At some point, the return on investment will diminish, making the additional investment irrational.

There is recognition that secure software has a major role to play in information security, and the jury is still out on whether open source software is the panacea for insecure proprietary software. 

But open source software is no better or worse than any other software – it just depends on how well security has been examined and embedded in it. Due diligence on the part of information security professionals when procuring products is one way of ensuring that security suppliers deliver effective solutions.

Often, suppliers are accused of bolting on security to their products as an after-thought, but information security professionals must take a proactive role in ensuring that suppliers properly embed and test security in their products. As experts in the field, they are well within their right to question and even identify the areas suppliers should focus on to cover all the bases of security. 

There are many aspects to security, and no single measure or approach can ensure it.

John Colley is European managing director for (ISC)2

Read more on Privacy and data protection