NEWS

The essential guide to establishing a security policy

Security Handbook

BT Security Handbook 28 November 2006

contents

There exists a general feeling that firms are under unprecedented attack from armies of hackers. This may or may not be the case but when it comes to IT security it may well be worth remembering, and also taking heed from, Henry Kissingers famous dictum that just because youre paranoid doesnt mean that they are not out to get you. Whoever they are and wherever they are; both entities are definitely increasing. There are many threats to hinder the normal running of organisations, including flooding, fire and power failure, internal fraud, communications systems shutdown and, of course, being hit by a computer virus intrusion or hack. Research by Computer Weekly in association with BT shows that the latter three are regarded by IT management as the top three threats to their organisation. Not surprisingly the research shows also that they are the top three motivations for improving security within organisations. In order to mitigate the risks of being hit, companies need to monitor a whole host of things including system patches, intrusion detection, sensitive material leaving the organisation and intelligence on firewall activity. There are vital business reasons for doing so; being hit by a virus, worm or some other threat has a direct business-related effect, not some esoteric technological one. For example, systems and application availability may be diminished to the point where they are not adding to the business or compliance regulations may be breached, thus exposing the company to (personally and financially) expensive litigation. This guide aims to empower IT management with the knowledge to prevent such occurrences happening and simultaneously change perceptions of security being a cost rather than the profit centre that it can be. It will look at the general security threat landscape and examine the most significant security IT threats to the normal running of organisations and see how they can be combated. It will also examine the barriers to investment in network security and see how to turn security into something that drives profit and then assess the key factors that impact upon security policies that firms may deploy. Additionally, it will cover the legislative responsibilities that firms need to be aware of and show how compliance with such legislation can actually drive business benefits and realise true value to the organisation. In short, we hope to provide a guide for IT managers to make informed purchasing decisions about the IT security technology they need and suggest how they can reap the maximum return on their investment.

The security threat landscape 4 David Bicknell investigates the specific nature of the principal electronic threats to companies and assesses exactly why they are a threat to businesses. We also show where firms should be concentrating resources to combat these problems. How security drives business profit 8 How can firms improve IT security within the business so that it becomes a profit centre rather than a cost? Cath Everett reports. The key factors that impact upon security policy 10 As companies strive to protect their businesses from attack, having a robust security policy is essential. Brian McKenna checks out which factors firms should regularly monitor as part of their security policy. The barriers to investment in network security 12 Nearly nine in 10 companies believe that there are some discernable barriers to their plans to invest in IT security. Naturally, cost is one of the key considerations but what else is there to consider and plan around? By Janine Milne. Realising true value from an IT security investment 14 Cath Everett looks at how you justify your investment in IT security. How can you go about constructing an ROI and TCO path and is it possible to derive true value of ownership from a security investment? Legislative and responsibility issues 16 IT management in general is fully aware of a whole host of regulations that affects the business. Cath Everett looks at the key pieces of legislation and how they are regarded. The business benefits of compliance 18 Most IT managers would expect that adherence to compliance regulations reduces the exposure of firms to risk. Janine Milne finds that such adherence can lead to improved business practices and better utilisation of company assets.

Foreword
Todays fast changing business environment brings with it many opportunities to improve the way we work, make our businesses more efficient and share information. However, this new connected world also brings with it increased threats to security policies and systems, putting IT security high on the agenda for organisations. With decades of experience in building and managing secure global networks, BT is delighted to support this essential guide, which can help you establish a robust security policy. Our research in association with Computer Weekly gives a comprehensive view of the key topical issues within todays IT security. This handbook features interviews with the industrys leading security executives, including some of BTs own experts, who not only discuss why protecting their data is vital, but also how it can help achieve business goals and drive profits. In order to help you stay one step ahead, we identify the most significant IT security threats to the normal running of an organisation, and where firms should concentrate their technical resources. We also consider the key factors that firms should monitor as part of their IT security policy. At BT we realise that networks and IT infrastructure need to be more reliable, scalable, secure and cost effective. However, our research shows that barriers to investment in network security still exist, with cost often the main concern. Many IT directors also have difficulty convincing their board that investment in security is critical to the firms future success. We examine how poor perceptions of IT security can be overturned to make sure organisations are equipped to face future IT challenges. I hope you will find this guide useful and relevant in helping you make informed decisions about investment in IT security that will support the future success of your business. Ray Stanton, Global Head, Business Continuity, Security & Governance Practice, BT Security Handbook January 2007

Published by Reed Business Information Managing director: Robert Brighouse Editor: Joe OHalloran Art editor: Tim Parker Production editor: Louise Clissold Key account manager: Robin Phillips Printed in Great Britain for the proprietor Reed Business Information, Quadrant House, The Quadrant, Sutton, Surrey SM2 5AS Origination by JJs Typographics, Southend-on-Sea Printed by Polestar 2007 Reed Business Information Limited 3

security threat landscape

here is little doubt that the biggest fear for most organisations is being hit by an attack on their computer systems through a virus, intrusion or a hacking attempt that could wreak havoc on the businesss smooth running. Of all the possible threats computer or data-based; internal fraud; a natural disaster such as flooding; power failure or theft of intellectual property it is still the IT-based threat from an unknown attacker that organisations believe creates the biggest risk to their data, to their relationships with clients and to their reputation. In a Computer Weekly/BT Security Survey of 200 senior IT professionals, over a third considered a computerbased attack to be their biggest threat. Indeed, taking their second and third biggest fears into account, a computerbased attack was a concern for 73% of respondents, followed some way behind by a major IT and communications shutdown, and then internal fraud. It is the unknown element of a hacking or virus attack that is behind most IT and security managers fears, especially as the last few years have seen a steady realisation that an attack on the IT systems affects not just the IT, but the business itself. If the business cannot function effectively because of uncertainty over the veracity of its internal data, especially in a web-based world, then it risks losing customers, business, and even if its reputation is affected its independence. What is interesting about many of the significant threats to the normal running of the organisation detailed in the survey is how many are data-based, and reliant on secure and effective IT systems. Being hit by a computer virus or intrusion may be a threat in itself, but it can also be at the heart of an IT and communications shutdown. Indeed, inadequate data security can also be the root cause of potential internal fraud, theft of intellectual property, and breach of regulations and corporate governance. top three threats It is perhaps no surprise then, that the three biggest motivations for improving security within an organisation mirror the three most critical threats: a virus or hacking attack, a risk of IT shutdown, and a risk of internal fraud. Comparatively low down the list of motivational importance are improving relationships with other organisations or customers, reducing theft of intellectual property or data, improving regulatory compliance;
4 

A state of fear
creating a more mobile workforce, and building greater board and management confidence. What should worry IT managers and chief security officers, and perhaps even more, board-level executives, is the extent to which the threat to IT has changed markedly. It is no longer caused by teenage hackers out to make a name for themselves by getting into the corporate systems, where any damage, even defacing websites, could still be limited. Now, the advent of customerfacing systems on the web, and the critical nature of clients data plus the sheer sophistication of threats has made IT managers', IT directors' and chief security officers' jobs so much more difficult.

What are the most significant IT security threats to the normal running of an organisation and in what areas should firms concentrate their technical resources? David Bicknell reports
Indeed many organisations have simply not yet woken up to the risks from sophisticated attackers whose motivation is financial and driven by organised crime. Symantecs chairman and chief executive John Thompson spelt out recently how the threat has moved from attacks on computers to attacks on electronic transactions and the motivation is money. A few years ago, more people were focused on attacking the machine and the broad-based activities that were happening online; now, there has been a significant shift in both the type of attack and its motivation. The attacks are more targeted, silent, and their objective is to create true financial harm rather than visibility for the

Processes, procedures and permissions

The majority of organisations think they are most at risk from external attack, when they should be looking closer to home. Peter Wood, chief of operations at security company First Base Technologies, says many firms are spending too much time and resources securing themselves against external attacks, and ignoring the threat from insiders who can be tapped up by organised crime. Criminal groups are aware that the insider route can be the easier one to compromise systems, especially as many organisations have spent considerable resources to secure themselves against outside attacks, he explains. It could be through a cleaner placing a keylogger on a machine, or through an e-mail, or stealing an executives laptop and taking material off it. Combating that comes down to vetting staff to ensure they are who they say they are. Ive come across database administrators with no experience that learned the job on the job. No one checked their credentials at all. Wood has seen examples where IT staff working at home on company laptops have been compromised, because criminals were patient enough to use the most appropriate, covert social engineering techniques to access an IP address or get an e-mail address through which a vulnerability in the laptop was created. Now, because the overriding motive of criminals is financial, they are prepared to take their time to succeed, through botnets, keyloggers or other means. In addition, Wood believes too many organisations continue to be at risk, because they insist on having a silver bullet solution for security. All big product suppliers seem to support the idea of silver bullet security, when actually, good security is built on solid processes, procedures and standards. But some IT people dont like all that and it isnt an easy sell to the board. The real questions they should be asking January 2007 Security Handbook

security threat landscape

Many organisations have simply not yet woken up to the risks from sophisticated attackers whose motivation is financial and driven by organised crime

are: Whos managing what?, What are the processes?, How are they being reported? and What do you do about it? I like the advice that the SANS Institute gives. But too often I come across organisations where no-one is responsible for putting that advice into practice. And many organisations dont have a clue what to do about it when they have been attacked. If one of the oil companies has an incident, there is a plan in place to deal with the disaster, from whos available even if its 2.30am, down to who talks to the press. But when it comes to a security attack, Ive come across some IT people asking me what they should do. Those sorts of plans and processes should already be in place. Another critical area is database security. At the recent Black Hat conference, David Litchfield, managing director of UK security company NGS, Security Handbook January 2007

warned that IT departments must get on top of database security. In my opinion, database security is riddled with holes and its the biggest problem we face in IT today, says Litchfield. Database attacks offer the biggest potential for fraudulent activity and damage to companies reputations and customer confidence. Dr Steve Moyle, chief technology officer of specialist UK database company Secerno, agrees. Applications developers are just interested in adding features, and so security functions are set up to fulfil those needs, he says But over time both users and functionality are extended, together with permissions. So you get permission creep. Its better to keep on top of permissions: people will always let you know if [they are] too heavy, because theyll complain. In addition, applications are often not sufficiently well designed or well tested.

Everything the application asks from the database, the database supplies, because it trusts the application. You must worry about all applications that connect to the database, and insist that they only do things you want them to do. Moyle also insists that database administrators provide an independent audit that says they are doing the things they say they are doing. You need database administrators to be able to sign off for each other on logs, giving dual control ie, having someone look over their shoulder. John Madelin, head of the UK Security Practice at BT, says the sophistication of threats is counterbalanced by the simplicity of some social engineering practices. We came across one example where a number of USB devices were left strewn around office car parks, and the temptation for some is immediately to plug them into a PC. Conversely, a Trojan that appears in your p6
5 

security threat landscape

attackers, he said. Such a changing threat landscape means that businesses will not only have to make sure their data is secure, but also record which users are accessing and manipulating information stored in corporate databases. According to Symantec, there will be more targeted criminal activity, with business-to-consumer trade or transactions being intercepted and taken advantage of. And if youre a midsize company, without a familiar brand name, that doesnt mean youre safe. From a hackers perspective, suggests Symantec, it doesnt matter if they get credit card numbers from a large or small company; the potential value of the stolen credit card details is the same. Alan Paller, director of research for the SANS Institute a respected authority on IT security, which produces the Top 20 list of threats each year says hard data on the growth of crime suggests banks are reporting four to fivefold increases in losses due to cyber fraud in 2005. zombie attacks Paller suggests online trading companies are getting damaged badly, with the primary driver a surge in crime originating from Asian countries. One US company, eTrade, had to spend 9.5m compensating customers for losses caused by cyber fraud in the last quarter after overseas hackers broke into customer accounts. We are seeing tens of millions of people getting a zombie on their PC, which acts before the machine can be patched. And the attackers are already ahead of the game. Even the idea of an image-based login, which Bank of America uses, attackers can get around

by capturing everything on-screen, explains Paller. Theres less fuss about viruses and hacking attacks these days because the zombies are under cover, and mounting attacks by stealth. Some survey figures give the impression there are fewer attacks. But actually they are just more sophisticated and stealthy. More secure options, such as twofactor authentication, are good but faced with that, a zombie can even phone home for instructions. And its not just banks who are threatened, but companies too. By using spear phishing corporate e-mails sent from the boss looking for key information as a means of attack criminals can get access to corporate details. They exploit people within the company by providing just enough key information in the message for it to be timely, credible and appear legitimate. So now, companies dont just have to protect their external systems, but also protect their internal ones from insiders. In other words, the external guy is now within the company and inside the firewall. Another continued worry, again with the financial exploitation theme, is the threat of extortion against companies, with the FBI already seeing a number of ongoing cases. On the plus side, says Paller, there is encouraging collaborative work happening on the corporate procurement side to improve security. The best thing thats happening is

that 200 users of control systems have collaborated to decide what minimum security specifications should be put into systems. Thats certainly the way forward. However, until those specifications make a difference, IT and security managers can expect some difficult times ahead.

Protecting databases
Secerno offers the following tips for database security: Protect against external attacks. The most common form of external attack works by subverting applications that connect to databases. Typically, this is done using targeted SQL injection. One way to protect against this is to do a detailed code review, although this is time-consuming and may not provide sufficient guarantees. Know who is doing what in your company. Make sure that the software implemented to protect your databases can track who is accessing what data, and when. Use this information to enforce conformance to what is normal. Review your permissions. Over time, many users and systems have extra access granted. Implement a least privilege access scheme by comparing the levels of access actually used to the levels of access that have been granted Applications developers love adding features. Unfortunately, each new feature expands the vulnerability access. Remove access to the database from features that are no longer necessary Default installations of databases can result in a far too open DBMS with a large number of default user names and passwords easy to find on the internet. Audit the configuration and usage of databases and always aim for least privilege access.

Hard data on the growth of crime suggests banks are reporting four to fivefold increases in losses due to cyber fraud in 2005

Processes, procedures and permissions

p5 systems can launch a series of malware attacks, with layer upon layer of sophisticated threats or spyware launched by stealth. And there are lots of threats out there. We put up a honeypot up on the web to see what reaction it would get, and we had a Trojan sniffing around within 2 minutes 50 seconds. I think there has to be an understanding of the physical threats too, such as whos in the building. There are fewer insiders now, but more partners, consultants, joint ventures who all want permission to access systems. If someone runs to keep a door open from me, I ask to look at their security card. Thats because we have a security culture within BT that understands that people now expect to be asked for their credentials to access the building. This issue of whos working for the company,  and what permissions they have is critical. If I were to ask one question of a company, it would be How do you work together? Answering that question can give you significant insight into your security. In one example I came across, half the people working for a company werent on the payroll. Andy Jones, head of security technology research at BTs Security Research Centre, says many organisations have failed to realise theres a cultural change taking place, which can impact their security. Weve moved away from jobs for life to downsizing and missed the point, he says. Where we have staff liquidity, the likelihood of walking out with crown jewels is greater than it was. In addition, previously weve built our defences on perimeter security. But, given the increase we have in mobile workers, and the use of business partners, perimeter definition is now much different. Jones believes we all have to learn to do security better. Securitys always been reactive and one step behind the criminals. So, we have got to look for a shift in the way we do it. It all comes back to risk assessment. We cant lose all of the risk we have to face that fact but we can help ourselves. Encryption is a good example. One of my pet hates is why organisations dont encrypt their laptops as a matter of course. They know the risks, but still dont do anything about them. We also have to consider some key issues, such as how do we get computer crime cases through the courts and present them in a way that judges can understand. Maybe we need to put them in front of a panel that understands computer crime, like we do with fraud cases. January 2007 Security Handbook

security as a profit centre

nformation security tends to be seen as a necessary evil or at best an overhead, but is rarely considered a business enabler. As a result, it is unusual for organisations to attribute high value to the function as they are unable to see what that value is. Instead they simply tolerate it as a cost of doing business. But it shouldnt have to be like that. As Thomas Raschke, a research director at Forrester Research, points out, Security is generally seen as a techie thing that doesnt add to the companys bottom line per se at first glance. But thats a dangerous attitude because poor security prevents many organisations from achieving their business goals. He cites the example of two retail banks. One has a major security breach that ends up on the front pages of the newspapers, while the other markets itself as a safe bet after obtaining ISO 27001 information security management accreditation. So who, as a customer, would you choose in terms of trust and being the bank you want to deal with? Raschke asks. But he acknowledges that historically, information security professionals have focused mainly on technology-based protection against threats such as viruses. Its like in the Middle Ages, where people built castles to protect the city by building higher and stronger and

bigger walls. And likewise, the idea of protecting the network perimeter with products such as firewalls and intrusion detection is where most companies are spending their money, Raschke says. But John Pescatore, vice-president of internet security at Gartner, believes that to obtain true value from their investment, organisations need to change their attitudes to information security. Today, it is predominantly seen as an insurance against potential threats, which means that too much money is spent on handling routine security functions such as monitoring firewall activity. A more helpful way to look at it, however, is as both a differentiator and a business enabler. So, for example, if a business wants its suppliers to connect directly to a corporate database to undertake online rather than paperbased bill presentation and payment in order to save millions of pounds, it will find that, if people dont think its secure, theyll abandon it, which increases costs, Pescatore says. But having effective information security management in place can also enable organisations to compete against rivals more successfully by using it as a unique selling point. For example, it is possible to use certifications such as ISO 27001 which means being accredited for using best practice standards in relation to security management as a marketing tool.

profit from

Making a

security

How can a company turn security from a cost into a profit centre that actually provides a valuable contribution to the business? Cath Everett investigates
John Madelin, the head of BTs UK security practice, explains: The research shows that there are positive business efficiencies to be had from adopting best practice. The speed of reporting improves, theres better information sharing and access and it becomes easier to distil information from the huge sea of data out there. In fact, in some instances, not having such an accreditation in place can end up being a positive barrier to doing business. Many public sector tenders now stipulate it as a basic requirement, as do car manufacturers such as DaimlerChrysler, and this trend is only

7 

28 November 2006 BT SecurityHandbook Handbook January 2007 Security

security as a profit centre

set to continue. But managing information security proactively can also result in greater internal efficiency. Mike Gillespie, principal consultant at Advent Information Management, agrees that one of the benefits of having the right processes and procedures in place is that less time needs to be spent on attending to incidents and trying to fix problems. Its like having a car. You get a service done to ensure nothing goes wrong rather than waiting till it does, he says. Profit centre But that is not to say that the information security function works particularly well as a profit or even a charge-back centre. Pescatore explains, On the insurance side of the equation, its hard to make profits by stopping attacks. On the business enablement side, it can help to reduce costs, which increases profitability, but its not a direct revenue source. Weve seen the profit centre idea over recent years in IT too, but its not turned out too well. He cites a study undertaken by the Massachusetts Institute of Technology of hundreds of US IT organisations, which found that taking this approach was almost universally a failure because it generally resulted in less responsiveness to business requirements. Charge-back helped recover costs, but the business units often went outside and bought in things that cost them less, which resulted in everyone doing things differently and a lack of standards, Pescatore says. But although such an approach is much less common in information security rather than general IT terms, it is equally as unlikely to succeed. Take the area of authentication. Security might say, how do we know that whoever is logging on over the internet is an employee if theyre using a password? So they introduce password generators and charge the business unit $100 per year, Pescatore explains. But the business unit may feel this is too expensive and go back to using

passwords, even though the cost of an unauthorised person entering the system may cost the business dearly. But the business units only see the charge-back and dont see what it might be saving them, Pescatore adds. The rationale is that because the focus is on the budget rather than the business impact, judgements can end up being clouded. But another thorny issue is that, if the security function is doing its job well, very few people are likely to be aware of it. Tom Scholtz, a vice-president at Gartner, says, The problem with security is that if you do your job well, no-one realises and all that executives see is a line item on the budget. So they see that a lot of money is being spent, but there arent any problems and they neglect to make the connection that this is the reason why theyre investing. As a result, he recommends not just reporting problems to the business as they occur, but also letting it know when things go well. Its about positive enforcing [of] messages to demonstrate that security can be an enabler for the business. If you think about racing cars, the ones with the biggest brakes are most successful so the thinking is that if an organisation has a trustworthy and flexible security environment, it enables the business to be more agile in terms of how it uses new technology and provides delivery models, Scholtz says. But a key foundation stone to achieving effective information security is risk management, which is about identifying and anticipating risks and managing them at a level that is comfortable and acceptable to the business. Its about becoming more process-centric, less reactive and more proactive, and more related to the business rather than just doing something for technologys sake.

Security teams have to become less unilateral and autocratic about the way they set security policies and controls and work more with the business, Scholtz advises. But the business has to take responsibility too. The business has to understand that the ultimate accountability for information rests with its owners, not with the security team. Getting to a point where information owners understand and accept that accountability rests on their shoulders is a key tipping point in terms of programme maturity, he explains. Once such a shift in attitude has been achieved, it becomes possible to move to a more service oriented model of operation and even a profit-based model. built-in value But to derive more value from all of this, it is also necessary to embed information security into the organisational culture. This means that if, for example, the business wants to start a new project, such as building a new marketing website, it should not wait until the end before letting security know, at which stage it could be too late. In the financial services and high tech industry, its becoming more common to hire business security analysts. So when a business unit starts a new project, the analyst is assigned from the outset to understand the requirements and risk factors and to work with the project teams to build in standard security features, Pescatore says. This means that security and its cost ramifications are factored in from the start rather than being bolted on at the end, which both makes it more effective and less cost prohibitive. But in Gillespies view, the information security industry still has a lot to learn and is currently at a similar stage to that of quality assurance a decade ago. Then people were just waking up to its value. But now if youre in manufacturing, for example, you wouldnt last five minutes without having an effective programme in place that was run by professionals, he says. Likewise, companies are only now starting to appreciate that they need information assurance, that it requires dedicated resource and that it is something that has to be addressed by the whole business, Gillespie concludes.

Scholtz: "The problem with security is that if you do your job well, no-one realises and all that executives see is a line item on the budget."

BT Security Handbook January 28 November 2006 Security Handbook 2007

 

security policies

Establishing a security policy

Which factors should firms monitor as part of their security policy, and which business processes are most likely to impact upon that policy? Brian McKenna reports

orporate IT decision makers are keenly aware of the data theft, business continuity and compliance factors that increasingly shape their security policies. However, they still see being hit by a virus as the most significant threat to their organisations. This was one finding of a survey of Computer Weekly readers carried out on behalf of BT last autumn by Reed Business Insight. The survey suggests that senior IT staff with security responsibilities know they need to get more strategic, but are beset by a surfeit of firefighting. The research indicates a need and a trend towards separating network operations from strategic information risk management. Moreover, both disciplines are finding a higher significance as business continuity starts to occupy board-level attention alongside compliance. Factors and processes The research sought to discover what is agitating senior IT professionals in the market for security products and services. In particular it aimed to understand how IT executives are reading the evolving threat landscape when determining policy. What factors should firms prioritise when evolving their security policies so they are fit for purpose in terms of their business strategies? What business processes have the most impact on a firms security policy, and how should they be translated into the policy? Of the surveys respondents, 27% were security specialists and 36% were IT managers. The average size of organisation polled was just under 10,000 employees, with 14% having over 10,000, and 13% fewer than 500. The top three significant threats to the normal running of the organisation were: being hit by malware or a hack attack (34%); major IT shutdown (23%); and internal fraud (16%). Theft of intellectual property was rated as
9 

the number one threat by a mere 4% of respondents, and the same number cited breach of regulations as the main threat of significance. These results suggest that network hygiene is still the main concern for senior IT professionals. Moreover, 32% said minimising the risk of being hit by a virus was the greatest motivation for improving security within their organisations. Meanwhile, 6% cited the reduction of the leakage of intellectual property or data, and a further 6% the improvement of regulatory compliance as motivators for enhancing security. However, when asked to raise their sights to the level of the strategic, a different picture emerged. While 51% put patching as the number one factor to regularly monitor as part of their organisations security, 46% were alert to the need to monitor the leakage of sensitive material. When it came to the factors to assess when establishing policy, business continuity (38%), intellectual property protection (48%), and compliance (30%) figured strongly in the minds of the respondents. Malware was still up there, at 38%, but was balanced out by factors including identity theft (18%) and requirement to share information with business partners (13%). Legislation and regulation is having a massive impact: 75% of respondents cited Sarbanes-Oxley as a weighty factor, while 88% ticked the data protection box. By contrast, standards like Cobit and ITIL were cited by only 6% as having a great impact. Compliance emerged as a good thing: 31% said it reduced their exposure to business risk; but only 13% said it really helped reduce exposure to external security threats and 28% said its main impact was to drive up costs. realities in IT security The research suggests that while IT professionals are strongly aware of the threat imperatives that should be
28 November 2006 BT SecurityHandbook Handbook January 2007 Security

security policies

driving their security strategies and policies, they are still beleaguered by problems of network hygiene. A recent global survey of security specialists depicts a similar picture. The third annual Global Information Security Workforce Study, conducted by IDC on behalf of security education and certification body (ISC)2, found that hardware and software have been definitively ousted by management, awareness and HR issues in the minds of infosec professionals. Ed Zeitler, executive director of (ISC)2, says this is the first time that [the shift from technology to people and process] has been reflected in the survey. There has also been a big shift from the CIO to the CEO in terms of ultimate responsibility for information security. CISOs are now dealing less with the CIOs problems and more with the businesss problems. He also confirms that the consensus picture emerging from the IDC study, a recent joint (ISC)2/Information Security Forum study, and a recent SANS Institute survey is that senior information security professionals are moving up, while middle-level IT security pros are moving back into IT. Hugh Penri-Williams, chairman of the Information Security Forum, analyses the disciplines of network hygiene and security policy formation. In many companies IT security already consists of two distinct activities: infosec security strategy, policy and standards setting, investigations increasingly reporting outside the CIO organisation to the CSO; and opsec the application and infrastructure implementations, patching, firewall tuning, monitoring, upgrading. Hence, infosec professionals are slowly gaining the ear of senior management. Actual data assets Leo Cronin, senior director of security at LexisNexis, and head of security for Reed Elsevier, stresses the need for IT security professionals to focus on actual data assets. Although a lot of this has been driven by compliance, he says, data protection is really at the roots of where the data/information security profession started. During the late 1980s, and up until recent times, the IT industrial complex has made it very difficult to continue on a data-focused path with the advent of the PC, Lan and IP networks. The IT security profession has had to focus its energy (and spend) on the threats emerging from distributed computing and the internet. The ones and zeros located on distributed computers and removable and transportable data vaults (also known as iPods, thumb drives and our
BT Security Handbook January 28 November 2006 Security Handbook 2007

employees home datacentres) have been neglected for far too long. Cronin does see much of what we have known as IT security being operationalised so that security specialists can play a more strategic role in their businesses. I see this happening at many larger companies, he says. A strategic role means looking out for emerging threats to the business and educating business leadership on risk management and how security and safety can be factored in for competitive advantage This transition may be more difficult, however, in smaller organisations that lack the resources to commit to security. And there lies the rub for many UK IT managers working for those organisations where the bulk of the working population is employed. For a long time to come the two disciplines of network-centric security and datacentric security will converge and clash within the same harried IT departments, staffed by people who would like to be more strategic, but who still have fires to fight. Nevertheless, there is a clear need to weave the two disciplines into one overall strategy, and the discipline of writing and keeping alive a security policy can help with that. Mark Hughes, group security director at BT, says he would absolutely encourage taking a strategic view of risk, but you cannot neglect the firefighting side: there has to be an element of both... There is still a way to go in getting to a more integrated, holistic view in terms of security controls. Ultimately, it comes down to information security, whether network-related or general information. Along with Ray Stanton, from BTs business continuity, security and governance practice, Hughes encapsulates this position in a recent article entitled Winning security policy acceptance in the Elsevier newsletter Computer Fraud and Security (May 2006): Regardless of how much the policy is oriented towards the daily user experience, it will not succeed if it is drawn up in isolation from the wider security goals. As an essential element in the overall security programme, it needs to be aligned with the companys IT security aims the policy should be informed by the organisations plans to manage its operational risk and comply with legal, statutory, regulatory or contractual requirements, and support all efforts to achieve these goals. It needs to ensure security remains a business enabler by guaranteeing the confidentiality, integrity and availability of corporate data.
10

investment barriers

The barriers to investment in network security

Inevitably cost is one of the key barriers to investment in IT security. However it isnt the only one, finds Janine Milne

owever much we fork out for house or car insurance, one thing is certain: its always going to seem too much. We know its essential, but we also resent paying for a service we may well never actually need. Companies of course recognise that protecting their data and their staff is something they cannot ignore. But its hard to shake off that niggling feeling that security is just a dull necessity rather than something that actually contributes to the corporate coffers. As Donal Casey, a security consultant at technology services company Morse, points out, We find companies tend to invest more in IT services and functions that will earn them money rather than save them money. They tend to focus on business systems and the latest versions and tend to have the belief that, as theyve got a firewall in place, everything must be alright. So, if nothing bad has happened, they will cross their fingers, hope their network doesnt die and continue to clutch the security purse strings tightly. No prizes for guessing then that by far the biggest barrier to investment in network security is cost, cited by 32% of the 200 IT professionals in the Computer Weekly/BT research carried out by Reed Business Insight. The main barriers are always cost and the fact that there is no discernable business value to implementing security, says Casey. There is no ROI apart from non-tangible returns. Security is all about preventing theft or network downtime, not creating
11 12

value or least thats how it can be perceived. Security is thought of as an afterthought, and then its seen as an inhibitor and a barrier to preventing the transformation to the business, says Mick Creane, head of managed security strategy at BT. Its up to IT and security professionals to prove the case for business value. But before they can do that, they need to gain the hearts and minds of the board, educating them about the importance of improving network security, as well as scaring them about the consequences of doing nothing. To do that effectively, they need to talk business-speak and leave the dirty talk of traffic bottlenecks, downtime and network optimisation outside the boardroom door. Its not about cost, its about articulating the value, points out Creane. And its got to be articulated in terms of business benefits. Clearly the best person for this job is the head of IT, but here again is another possible stumbling block to gaining investment. It is the function of the CIO or CTO to ensure that boards have bought into security, but a lot of companies leave it in the hands of the CFO, says Casey. And the natural inclination of the CFO is to spend as little as possible. shared worry IT and security professionals may also need to overturn some poor perceptions about IT to prise a finger or

two from those purse strings. Enterprises did do themselves a disservice by buying lots of gear in the past and had questionable ROI. Because of this, its harder now when they are looking to increase security if theres a little bit of poisoning in the well, says Craig Labovitz, director of network architecture at Arbor Networks. But there are signs things are changing. Market analyst IDC estimates there are 1.5 million security professionals across the globe today a rise of 8.1% from last year. And this growth rate looks set to continue, rising at an average of 7.8% until 2010, compared with an overall increase of 4.6% for IT employees in general. Its a mark of how far weve come that five years ago there was no such thing as a chief security officer security was simply a subset of IT. IDC also points out that responsibility for security is being shared among finance, legal, compliance and risk departments as well as the chief executive. Security isnt just keeping CIOs awake at night
28 November 2006 BT SecurityHandbook Handbook January 2007 Security

investment barriers

responding to immediate requirements without necessarily looking at the bigger picture, says Casey. Worse, this reaction carries throughout the company, as different parts of the business respond to their own requirements and problems. high budgets Managing a wide set of products for handling web and e-mail content, firewall and identity management creates a significant overhead. This money would be better spent creating a security strategy. Part of the reason its becoming hard to gain backing for security projects is the realisation at board level that security budget is too high and that it should be delivering business value. This fits in with the theory of Terry Greer-King, head of Netstores security division, who argues that companies are actually spending too much on security. Even though analyst firm Gartner recommends companies spend no more than 7% of their budgets on security, some IT organisations are spending as much as 10% to 50%. Its all very well buying best-of-breed point solutions to solve problems, but it would be better to have one coordinated approach. That doesnt mean ripping everything out and going for a singlesupplier solution though of course many suppliers would be delighted if you did just that. Instead it means creating a company-wide security policy. Taking a step back and looking at the overall security strategy, perhaps as part of compliance with the BS7799 security standard, will mean companies can finally put a value on security. It will mean they can map their business needs to security threats and target spending in the most business-vulnerable areas. So to stop wasting investment, companies need to understand whos using their network and how they behave. Once you have those two then you can develop policies and procedures and start making some informed thinking, says Labovitz. But that cant be achieved overnight. If they are trying to do an overarching strategy you have to find out what you have; which kit is redundant; which kit costs money, says Casey. This can also help tackle the second

it has become a shared worry. Partly this is due to the fact compliance has gained boardroom interest. Stung from all sides by legislation, companies are keen to solve the problem quickly. It also means that wily IT professionals can push through some security projects under the guise of being compliance-related. Regardless of compliance, network downtime costs money, time and worst of all it can cost dearly in lost reputation with customers or partners. And that needs some close attention. Compliance or best practice initiatives such as Cobit or ITIL can start to put some order and structure behind security initiatives. Hopefully, it will prevent companies thinking that buying a piece of kit will solve their compliance or security problems. Fed by a constant diet of fear and uncertainty, there has been an accelerated growth in buying point solutions to fix compliance or other security problems. Its a knee-jerk reaction. Firms are
BT Security Handbook January 28 November 2006 Security Handbook 2007

Managing a wide set of products for handling web and e-mail content, firewall and identity management creates a significant overhead. This money would be better spent creating a security strategy

biggest barrier to implementing network security a lack of trained staff, mentioned by 12% of the Computer Weekly/BT survey respondents. Investing in new kit means training up IT staff. Folk went out and bought intrusion detection systems (IDS), but they often failed because they didnt have the manpower to look at the data, says Labovitz. It was a similar story with Public Key Infrastructure (PKI). PKI was seen as a massive change agent in the security industry, but it didnt take off as expected, notes Creane. The technology was fine; the problem was how you manage it. The more complex a system, the worse this gets. Despite the fact that many new systems are built to open standards, there will still be an impact on staff recruitment and training. Companies may feel that its too complex and big a job to invest in network security, and particularly the associated costs of training personnel, both in the security department and the business users. In IT there tends to be a battle between capital expenditure and operational expenditure. Capital expenditure can be written off and you can get funding for a bit of kit, but training the people and streamlining the processes tends to be harder, says Casey. And often companies do not want to make that kind of investment. If its a specialist area, then one of the challenges is recruiting and retaining people, says Creane. People with those specialist skills will not only be hard to find in the first place, but will also be highly sought after by other companies. One way to reduce the staff burden is to centrally manage security. Many companies are also starting to hire managed service providers to look after some of the run-of-the mill (but vital nonetheless) security requirements such as spam or antivirus applications, leaving the internal staff to deal with data management and policies. So technology alone cannot solve security problems; its essential to educate staff too. Firms must talk to their users about acceptable usage policies and keep drumming into employees the rules about what they can and cannot do with data. After all, its no good having an antivirus application if there isnt a policy to ensure that it is updated. So although the biggest barrier to network security is clearly cost, it is very closely entwined with how IT and security is viewed in the whole company. 13
12

realising investment value

he average organisation spends between 5% and 7% of its IT budget on information security, although the figures can vary widely based on an individual companys appetite for risk and the maturity of its security programme. But if this average is extrapolated, indicates John Pescatore, vice-president of information security at Gartner, it is generally equivalent to about 0.2% of revenues, which is roughly equal to the amount of money paid out in insurance. Or to put it another way, says Thomas Raschke, a research director at Forrester Research, it is less than most organisations spend on coffee. As he also points out, however, Protection should be top of the agenda and most organisations realise that it should, but expenditure doesnt always reflect that. So theres a mismatch between what organisations should do and what they actually do. One of the challenges here though, is that information security is usually left up to the IT department, which means that the business tends not to take responsibility for it. This means that return on investment (ROI) may not be calculated. Mike Gillespie, principal consultant at Advent Information Management, explains. Security isnt an IT issue, but a business one. But its an issue that tends to be delegated from the board to the IT manager. By their very nature, however, members of IT departments are techies and tend to focus their spending on technology as a solution, whereas security should be separated out as a process issue. Gillespie adds, Theres a huge amount of money spent on technology to get quick wins. Its much easier to spend money on something that is tangible and to take management or the board into a computer room and show them a box with flashing lights. It is much more difficult, however, to justify expenditure relating to the soft benefits associated with people, processes and procedures, and so spending here tends to be woefully inadequate. To make matters worse, most security investment tends to be reactive and tactical rather than planned for and strategic. Few organisations try to forecast requirements in line with audit and risk management regimes, but instead have a knee-jerk response when problems arise. This leads to a concentration on fire fighting and generates duplication and repetition, which is wasteful both in terms of money and staff resources. As a result, most firms regard cost of implementation to be the main barrier to investment, even when only focusing 13

on network security. Raschke says: The focus has to shift from protecting the perimeter to improving the protection of assets, but its a key challenge that many organisations are not prepared to look at right now. They put out fires where they occur, but this results in a patchwork and poorly thought through strategy. It also adds layers of complexity, which means that everything quickly becomes unmanageable. purse string tightening Another problem is that in many cases, only those areas or technologies that have the greatest visibility tend to receive adequate protection. Phil Cracknell, director of Deloitte & Touches Technology Assurance and Advisory practice, explains. People tend to wait for incidents and known exploits to appear before deciding what the implications are, looking at the options and implementing them. But that means that different unrelated assets dont get enough air time as its the squeaky wheel that gets the oil, he says. This situation is not helped by the fact that items on the agenda are too often influenced by the people holding the purse strings, who jump on the latest hot thing after reading about it in the press. The IT director will be instructed to tackle the latest threat such as wireless fraud and to selectively look at problems based on the noise in the industry, but its all based on assumptions, Cracknell says. Its very rare that organisations go through the process of understanding their assets, and chains of dependency are ignored. But in an environment where theres a fairly limited budget, this selective addressing of security issues can spell disaster. On the other hand, focusing on risk aversion, a typical IT preoccupation, is just as counterproductive. You traditionally find that what people will do is undertake a risk assessment and try to get rid of all the risks. But its about managing risks appropriately or the danger is that youll spend your entire budget trying to mitigate every risk when theres simply no need, Gillespie explains. This means, for example, that if an organisation spends 10m to protect a given server, it may not work out as value for money if it only costs 1m to rebuild it should it fall over, it costs 2m in reputational damage and another 2m in loss of business. As a result, the focus has to shift away from risk aversion and onto risk management, which is about identifying

The path to ROI

How do firms justify their investment in IT security? How do you build an ROI path and can you derive true value of ownership from a security investment? Cath Everett reports
risks in advance and managing them at a level that is comfortable and acceptable to the business. But this requires a huge shift in how IT organisations justify information security expenditure to that business. Currently it is mainly a case of relying on hot potatoes such as compliance or adopting an insurance-based approach by pointing out how important it is for the enterprise to protect itself against potentially damaging threats. A far more effective way to justify information security investment, however, is to demonstrate and actively sell its value to the organisation in business rather than technical terms. This involves putting metrics in place and communicating the findings to different people in different ways. For example, security managers will want to know how many incidents have been prevented, business unit managers will benefit from knowing how vulnerable their department is, while senior
28 November 2006 BT SecurityHandbook Handbook January 2007 Security

realising investment value

derive and recognise value, he says. My advice is dont be scared to ask business people for advice about this theres no room for ego in trying to get this done. Stanton also recommends undertaking customer satisfaction surveys to understand the reality of users experiences on the ground. You might think youre doing the best job in the world, but if the perception is that youre not, then thats the reality. If you are doing a good job, however, youve got credit in the bank to burn with the company, but you have to be honest with yourself. justifying expenditure But the thing that underpins all of these approaches is risk management. Colin Dixon, head of risk at consultancy Information Risk Management, explains: If companies carry out strategic risk reviews, which include impact assessments and gap analyses, and focus on key areas of risk, it becomes much easier to justify expenditure. The problem is that organisations rarely do this because it is generally a two to three-year process that requires significant investment, whereas most security managers prefer to have quick wins unless theyre in it for the long haul. Nonetheless, undertaking a risk management exercise is crucial. Cracknell says, You can decide to accept the risk and carry on as normal, mitigate it, do things differently to reduce the impact or transfer the risk. A lot of businesses do the latter by outsourcing or using managed services, but looking at risk is the backbone of the whole issue to get you to a point where you can make an informed decision and apply appropriate treatment. Neil Hampton, head of managed security services at BT, agrees that taking a piecemeal approach to security makes it more difficult to justify expenditure, but if you put a framework around operational risk, its easier to explore and cost what the different options are to guard against a particular threat. Nevertheless, one of the worst ways to justify expenditure, Pescatore believes, is to use ROI arguments. You dont use ROI to justify insurance, he explains. People dont say we paid our premiums, but didnt get anything back so the investment is high and the return zero and we wont pay them any more. Its about due diligence, and organisations would be deemed deficient if they didnt have that level of risk mitigation in place, he concludes.
14 14

executives may be most interested in how compliant the organisation has become in regulatory terms. A useful tool here is an operational loss database, which can help to provide the business with an accurate indication of how much security events cost it. Factors such as total cost of ownership are important to consider in this context because they illustrate how much it costs to investigate incidents, how much they cost to put right, the cost of downtime and of maintenance. This is particularly important because, as Tom Scholtz, a vice-president at Gartner, points out, The problem with security is that if you do your job well, no one realises and all that executives see is a line item on the budget. So they see that a lot of money is being spent, but there arent any problems and they neglect to make the connection that this is the reason why theyre investing.
BT Security Handbook January 28 November 2006 Security Handbook 2007

A far more effective way to justify information security investment, however, is to demonstrate and actively sell its value to the organisation in business rather than technical terms
As a result, he recommends not only reporting to the business when problems occur, but also when things go well for example, by illustrating that attacks have been prevented because they were anticipated and guarded against in advance. Ray Stanton, global head of the business continuity, security and governance practice in BT, agrees. Security people need to be able to translate the language of business into business continuity, security and governance terms and to translate the latter into the language of business so that everyone concerned can determine,

legislative responsibilities

Achieving security compliance

T
he importance of complying with legislative and corporate social responsibility edicts cannot be underestimated. Indeed, according to a recent Computer Weekly/BT security survey of 200 senior IT professionals, the issue rates among the top five factors to influence the shaping of organisations information security policies. As to what the biggest regulatory influencers are, 41% of those questioned believed that laws such as the Data Protection and Freedom of Information Act had the highest impact, while 16% were most affected by industry specific legislation. This is particularly marked in the financial services market, which is the most highly regulated, having to deal not only with European-wide laws, but also rules laid down by industry bodies such as the Financial Services Authority. Legislation here includes the Markets in Financial Instruments Directive (MiFID), which is intended to create a single European market for all financial instruments such as equities and derivatives, and the Basel II risk management accords, which are aimed specifically at banks. A further 12% of respondents, however, were most concerned by general business regulations such as Sarbanes-Oxley and corporate 15

The IT department must comply with a whole host of regulations that affect the business. Cath Everett finds the key issues
governance codes, whereas another 10% saw corporate social responsibility as key. But the legal situation is most complex for those organisations that trade internationally or have servers or outsourced services located offshore. This is because in an increasingly globalised and online world, historical national borders are progressively blurring and even local laws are taking on worldwide significance. A case in point is Californias SB 1386 law, which was enacted in August 2002. This stipulates that, if a customers personal data is compromised after an online transaction has taken place in the state, the organisation at fault has to notify all affected Californians about the situation. But, in effect, this means that enterprises are obliged to alert all of their clients to the breach, no matter where they are located, because it is not feasible in reputational terms to stand by a policy in which only certain people

are informed of security incidents but not others. As a result, the Californian legislation acts as a de facto global law. As Jay Heiser, vice-president and research director at Gartner Group, points out, however, most regulatory requirements boil down to the same basic issues. Its necessary to demonstrate that the organisation is being adequately transparent in its activities and the information coming out of this enables stakeholders to evaluate how well risk is being managed, he says. Unsurprisingly, therefore, just under a third of those surveyed believed that the most important impact of meeting compliance requirements was the ability to reduce exposure to just that business risk. A further 17%, however, believed that improvements in business practices were the most noticeable ramification, although, on the downside, 21% said the heaviest repercussions were felt in terms of increased capital expenditure. effective compliance But most experts agree that to tackle compliance issues effectively, enterprises have to embed a risk management culture into the organisation rather than try and comply with individual regulations on an ad hoc or siloed basis. As Heiser says, Ive
28 November 2006 BT SecurityHandbook Handbook January 2007 Security

legislative responsibilities

spoken to people that are trying to meet regulatory requirements as a standalone entity, but therein madness lies. The point is that taking a practical approach to compliance as part of regular business practice works better than simply trying to bolt it on as an afterthought or treating it as an overhead. This means that the old adage of process, people and technology in that order is valid in this instance too. Process is everything. It enables you to understand risk on an ongoing basis and manage it as necessary because you cant possibly anticipate all eventualities, Heiser explains. As a result, he recommends establishing a risk management framework to formalise such processes. This involves defining what risks the organisation faces and where, especially in terms of achieving or failing to achieve business goals. An important element of this entails planning how to mitigate and manage these risks and exploring whether existing control and monitoring functions are up to the job by undertaking a gap analysis. These findings are then fed back into planning. But, warns Heiser, IT directors should not attempt to tackle compliance alone, not least because it is not within their remit to determine the legal risks facing the business. This is the role of
BT Security Handbook January 28 November 2006 Security Handbook 2007

corporate or external lawyers. Instead, their role is to protect the information infrastructure to meet the business goals defined by someone else. Theres a lot of pressure on CIOs to deal with the legislative compliance issue, but some of that is a cop out. It shouldnt be up to them to decide what the business requirements are. Its up to them to say whats needed to meet those business requirements, says Heiser. This means that to ensure that compliance initiatives are successful, responsibility has to be taken by the people at the top of the organisation, not least to guarantee buy-in at an enterprise-wide level. Charlotte Walker-Osborn, an associate partner at law firm Eversheds, says, Corporate governance is a collective responsibility and the boards responsibility. Because people arent necessarily getting fined lots of money or ending up in prison at the moment, a lot of people think why should I, but the damage is often reputational, which can harm the business. A common way of enacting this collective responsibility ethos in large enterprises, however, is to create a corporate governance or risk management team, which is independent and controls its own budget. Any failure to allow such autonomy risks making the body toothless. This team should be headed by a dedicated compliance officer and staffed with representatives from key parts of the business, ranging from legal to HR and from finance to IT. In the case of smaller organisations, however, it is important to centralise responsibility in the hands of one high-ranking executive to ensure accountability and make certain that the issue is taken seriously. But their role in both instances is to create a suitable organisational framework for risk management and to act as a clearing-house for making decisions on relevant projects. This is because the ultimate goal is to ensure that compliance becomes a sustainable enterprise-wide process, which is equipped to cope with change as it arises. rigorous policies The role of the IT director, meanwhile, is to manage the risks defined by the business, which can be undertaken in two complementary ways. The first area relates to the processes that have been put in place by the business itself to control risk and prevent activities that may be potentially illegal or inappropriate. IT can help here by providing and looking after the tools including document management and business process management systems that the business

uses to enforce such processes. The second area of concern for IT directors involves what might be termed traditional information security. This entails putting rigorous and enforceable policies and procedures in place to maintain the integrity of the computing environment and to ensure that it is suitably protected. Useful technology in this sphere includes identity management and authentication software, content filtering programs and asset management applications, particularly if they include reporting capabilities that enable an audit trail to be established. As Danny Dresner, group standards manager at the National Computing Centre, points out, Security is a practical implementation requirement of all legislation. But he also indicates that there is no such thing as an end-to-end, out-of-thebox compliance system on the market, no matter what the suppliers may claim. While technology can help organisations comply with the spirit of legislation to a certain extent in certain areas, it can never be the be all and end all. Enterprises by default are diverse, operate in different vertical markets and have varying degrees of risk tolerance, which means that they can never adopt a one size-fits-all approach. At the very least, however, they need to adopt a cohesive, coherent approach to compliance at the IT infrastructure level rather than at a solutions level. But one possible means of covering their backs, according to John Madelin, the head of BTs UK security practice, is to make the most of standards such as the BS 7799 guidelines for information security risk management, ISO 17799, which provides good practice advice for information security management and ISO 27001, which defines a specification for information security management systems. As he points out, Many regulations cross-refer to best practice so keeping up to date and understanding it is a critical success factor. The application of business common sense is something that our research shows is part of a growing maturity in applying governance. Its about providing reasonable assurance and taking reasonable action, but its also about applying good business practice and common sense. But complying with standards is also a valuable tool in at least showing willing if legal action ensues. As Dresner concludes, If you implement best practice, you shouldnt come a cropper. If you do, it might not be a getout-of-jail-free card, but you can always argue that you were doing what the experts thought best.
16

compliance benefits

uestion: Whats the chief business benefit of compliance? Answer: You dont go to jail. If thats the way your company views compliance, then its time you looked closer at this admittedly sometimes arduous process. Avoiding jail or a hefty fine is of course a strong motivator to invest in compliance. Its also a very negative response. If a company believes there are no other discernable benefits or business value associated with compliance, then it will clearly do the bare minimum required to meet legislation. Compliance will be seen as an irritation that sidetracks the firm from the more important business of making money. The attitude will be: Weve ticked the boxes and were compliant, says Floris van den Dool, European head at Accentures Security Practice. But even though the return on investment (ROI) of compliance may not be immediately obvious, organisations that put in the effort can bring home some tasty cuts of bacon. Companies need to see compliance not as the end goal, but an aid to reaching the wider target of managing risk. Tackling risk management will help companies become better informed about their business and where it is under-performing, ultimately leading to better decisionmaking. Reducing risk also means that companies will have increased capital expenditure to invest elsewhere in the business. And after all, as Alan Calder, chief executive of IT Governance and author on data security points out, Compliance is the legislative form of best practice. If a company follows best practice, then it is going to be able to react quickly not only to any painful probing by auditors, but also to market opportunities. Compliance will force that company to look at its business processes across department ghettos, driving out inefficiencies and improving performance. At the very least, it will make companies realise what assets they have and find out areas where they are over-paying licence fees, for example. Kosten Metreweli, vice-president of marketing at configuration management company Tideway Systems, says, Seventy to eighty per cent of systems downtime is caused by change processes not joining up so if you can begin to drive out the silo mentality, that is obviously a business benefit. The net result is that security will go up and costs will come down. An arresting combination. Before companies can begin to see
17 18

The business benefits of compliance

While most IT managers expect adherence to compliance to reduce the exposure of firms to risk, they might not know that such adherence can lead to improved business practices. Janine Milne reports
these kinds of benefits, they must slough off that negative attitude. Lots of companies spend the first 12 months to two years of compliance going Gosh, is this what we have to do? and bolt controls on. But that gets to be very expensive, Calder notes. If you approach compliance with bolt-on controls and get away with it, then the only ROI is around the negative impact. If you do it properly youll get ROI before requirement even hits. At some point companies realise that thinking more strategically and proactively embedding controls will be better for business than simply reacting to each new piece of legislation. Companies will thrive or dive on the quality of their data. It shouldnt take a piece of legislation to goad them to tackle this issue. And if this is what it takes to start a company sorting out its data, then that has to be to its advantage. Information about a person should be up to date and be available to the right people and be kept only as long as it should, says Calder. If you do that you start to see obvious benefits. Eradicating the duplication of information or customer details will save money on storage and having one view of the customer will help workers be more efficient and effective. Hopefully, that means the sometimes long-suffering customer should receive a better service. That of course means you begin to get not just simple cost savings but real business benefits of employees saying I like working here and customers saying This company is efficient, says Calder. For many large companies, that lightbulb moment comes when they realise that following best practice initiatives such as ISO 27001, ITIL or Cobit will go a long way to making them compliant with any legislation regulators may throw at them. By following ITIL, you tend to have already set up your global control to look at it from the right end of
28 November 2006 BT SecurityHandbook Handbook January 2007 Security

compliance benefits

Reducing risk means that companies have increased capital expenditure to invest elsewhere in the business
The key to unleashing these business benefits is to get understanding and backing right from the top. But that doesnt mean the board simply informs IT that they need to make systems compliant; IT security professionals need to be involved in the decisionmaking process from the start. All compliance activities should be led by someone in the business. Its amazing how often compliance is dropped on the head of IT, because for too long weve had boards who dont understand IT and dont want to, says Calder. Without this involvement, IT is likely to react badly to an edict from above and perceive it as a threat. IT will do what anyone will do in this situation protect its own backside, says Calder. Taken to its extreme, IT could decide that the best way to protect the company is to restrict links to the web to just one workstation or to put in so many controls that business users are hampered from doing their jobs properly. Its easier to throw hardware at the problem rather than sit down and take a close look at the business and processes. Technology changes without people changes wont solve the problem. Companies need to set up policies and procedures and educate staff about them and that takes toplevel involvement. If the board is open about compliance and involves IT, then security professionals can use or abuse compliance to their advantage. Asking for budget for a compliance project could prove far easier than fighting for funds for general IT. IT can also help companies force through change without the usual barrage of complaints. IT can sometimes be a little bit political, says Metreweli. People dont like change and they want to protect their own little empires. But if you go in and say its for compliance purposes, they cant complain. Mark OConor, a partner in the technology, media and communications group at law firm DLA Piper, says compliance can be a selling point in its own right. He recalls one air conditioning company that trumpeted the fact that it had tackled Y2K head on, which resulted in them selling an extra million units. With todays green obsession, companies that follow the

the telescope, says Steve Benton, a senior risk consultant in BTs business, security and governance practice. Not only will it force them to design processes and view everything with business benefits in mind as ISO 27001 does, it will make their business processes transparent. But these business benefits wont come overnight. We see some of our clients taking the first step towards creating a security architecture, bringing together data protection, HIPPA or SOX into one overall architecture to demonstrate compliance, says van den Dool. If you really are able to put in place a proper security architecture, you can optimise your processes and, if you start to optimise, it can lead to cost savings. Its the difference between implementing technology simply to tick the compliance box and genuinely seeking to improve longer-term value by improving security and sustainability. Accentures own research suggests that most security professionals are stuck in the former mindset. Even though 53% of survey respondents cited compliance as the biggest single driver of security investment, when asked about their security investment for 2006, compliance was way down the list.
BT Security Handbook January 28 November 2006 Security Handbook 2007

WEEE initiative could gain similar benefits. Its easier to engage in new business when youve got something to show something to prove you can be trusted, says van den Dool. Bill Rann, global head of the governance practice at BT, agrees that it can make a difference, and likens the current situation to the US car industry in the 1950s, when there was a huge debate about car seatbelts and safety. Despite the complaints from the car manufacturers at the time, today safety has become not just a regulatory necessity, but also a key selling feature for many suppliers. There may be similar opportunities today, if only companies can think and talk about compliance in another way. If youre going to invest what can be a huge amount of money, if youre not going to get something out of it, then youre not thinking about it in the right way, notes Rann. For one thing, the City will look favourably on companies with open and transparent compliance procedures and take some of the strain out of mergers and acquisitions. Compliance also encourages companies to think more widely about risk. Risk is about performance and opportunity, not just cost, says Rann. Organisations have many thousands of controls managed by different people and these are typically managed manually and reported on manually. Companies need to automate and integrate these controls. This will also help prevent the typical response to risk. If you look at how risk is managed, typically a risk is identified and people sit down and agree that something needs to done. The risk is signed off and it puts a lot of faith that everything in the action plan will happen, but you havent put anything in to manage that risk, says Benton. Even if the business benefits are not enough to tempt your interest in compliance, consider this alarming statistic from OConor: If you add up all the legislation to the year 2000 it wouldnt make as big a book as the legislation since 2000. Legislation is not going to go away, so you might as well tackle it properly. But of course, legislation shouldnt be necessary at all. It seems to me, that as the years pass the tendency in business is to do as little as possible and charge as much as possible and get away with as much as possible, says Calder. All legislation seeks to do is change that. And that has to be a good thing. If companies want to have less legislation, then they have to perform better, he says.
18 19