If there is one big corporate, IT-related issue that affects every member of staff, most customers and deeply troubles both IT and non-IT management, it is information security. No one wants to be part of, or to do business with, any organisation that cannot protect its information or transactions.
For years, security has been at or near the top of the list of management concerns. But is it worsening or improving? And where will the next big threat come from? Are there now accepted approaches and methods that are solving the problem? Is outsourcing the answer?
At its recent Enterprise Security 2005 conference, Information Age gathered together over 100 top managers, all with a remit for security, and posed some key questions about their security practices.
The resulting picture is both worrying and reassuring: their answers clearly indicate that there are a number of new threats emerging, and that the current storm is showing no sign of abating. But, at the same time, it is clear that information security is managed far more professionally than ever before, and that IT security professionals are largely well resourced, even if their problems are not always well understood or appreciated.
As many recent security incidents have shown, a breach can trigger a damaging loss of trust in an organisation, and many organisations are now attempting to make effective security part of their brand. For most of the delegates at Enterprise Security, this is working: only one in 10 said their organisation's staff or customers lack trust in its IT security, and none at all reported a complete absence of trust.
Indeed, such is the level of trust that some managers think it is misplaced. "Ignorance is bliss! Customers probably perceive it to be better than it is," said one manager. For many people the logic is, "we have a firewall, therefore we are secure," said another.
Nevertheless, there are clear signs this trust is earned. More than a third had carried out a risk assessment within the last month and another third within the last six months. Over a third carry out a complete security review at least every year, with most others conducting a review when new threats appear, or processes or technology change significantly.
There is clearly a lot of proactivity in security management, a practice helped by the freeing up of budgets that has resulted from the pressure organisations are under to ensure regulatory compliance. Penetration testing (the practice of engaging third parties to attempt to breach an organisation's security measures, and to report how they did it) has been used by just over two thirds of the managers surveyed. Almost all (91%) found the exercise useful.
The merit of certification is one of the most debated issues in information security management. The key question for most delegates centres on whether it is worthwhile following, or aspiring to, the widely accepted standard, BS7799 (its code of practice is also published internationally as ISO/IEC 17799, while certification is audited against the management-system specification in BS7799 Part 2, which was being adopted as ISO/IEC 27001 at the time). The standard requires an organisation to run a documented information security management system, with controls selected on the basis of a risk assessment, and an independent auditor must confirm that it is followed if certification is to be achieved.
Managers are divided on the issue, with as many saying the standard is important to their organisations as saying it is irrelevant. In this, the research mirrored views expressed during the conference's panel debate, when many delegates reported that they followed the standard but did not apply for audited certification, partly because of the cost.
"We are aiming to comply rather than seek certification," said one delegate from a major financial services company, a sentiment that was directly echoed by others. This suggests that while BS7799 has had a powerful and positive impact on security practices, the notion of external auditing – even in sensitive industries – is not widely supported.
Perhaps the most surprising data from the research is that most businesses are extremely wary about outsourcing security management to trusted third parties – in spite of the fact that there are many well known companies offering such services. A full 20% said they will "never" use third parties to manage all or part of their security, and another 38% expressed similar, but not so trenchant, opinions.
Why do they feel so strongly? A range of opinions were given. "Security should always be managed internally," said one. Another said that "the use of third parties for IT security is looked at as a security problem [in itself]." Other managers said third parties tend to "scaremonger", and that it was important that organisations maintain the ability to learn from their own security incidents.
The delegates – among them some of the most informed security executives in the UK – were also asked about new threats. From a list that included voice-over-IP technology, denial of service attacks, instant messaging and spyware, the breach of security through wireless and mobile devices clearly emerged as the biggest concern. Almost all the managers identified this as a problem, with a large number – over 50% – identifying it as a very serious issue.
Note: Information Age polled over 100 attendees at its Enterprise Security 2005 conference, held in London on 24 May and sponsored by BT and BMC Software.