Claims have been made that the IT security industry is suffering from a major lack of regulation.
Speaking recently to CRN, Etienne Greeff, professional services director for SecureData Europe, claimed that the ‘trust me, I'm a doctor’ culture is no longer good enough for customers worried about handing over their data. He also said that the ISO 27001 accreditation, recently achieved by SecureData, has only been implemented by a few organisations.
Greeff said the "industry is totally under-regulated" as even in the physical security industry, there is a trade body that provides independent validation of an organisation's strengths and weaknesses; he said that while the payment card industry regulates itself with PCI-DSS, there is no standard on how to use information.
He said: “Effectively people are choosing to self-regulate by saying ‘trust me, I'll do it in the right way’, but very few do it the same way. IT security is a matter of national interest and infrastructure and it is appropriate that IT systems are important to the national interest and that there are moves to do more and more.
“The next threat to the UK will be cyber so we need to work with GCHQ, but for the short term we need to start thinking about how organisations protect themselves and the best way to do that is to make security a base standard at a national level.
“It is not just for service providers, it is for all service organisations, and the standard is gaining momentum; customers have got to get to ISO 27001, it is a security standard that applies to businesses at all levels.”
Speaking to SC Magazine, security consultant Brian Honan from BH Consulting, which is also certified to ISO 27001, said there is a move by a lot of companies, especially those that provide services to others such as managed service providers and cloud providers, to achieve ISO 27001 so they can give their clients assurances on security.
He said: “A lot of vendors are moving towards ISO 27001 as a result of increasing demand from their customers. Either they have to respond to security questionnaires or audits for each customer, or the customer is requesting that suppliers are certified to the standard.
“For example, O2 in the UK requires that ‘The reference standard for O2's security policies is ISO 27001 and the suppliers shall comply with the principles of that standard at all times’.
“If you are a printing company and you want to print cheques or any other security type of documents for the financial sector in the UK, then APAC expects you to be certified to the ISO 27001 standard. A number of government agencies, again within the UK, are demanding that their suppliers be certified to the standard.
“Regulatory bodies are also demanding that companies ensure their systems and those of their suppliers are secure. The Irish Data Protection Commissioner in his annual report for 2010 says ‘Outsourcing requires not only a written contract but also active measures to ensure data is secure in the cloud. If a cloud provider has taken the trouble to certify to recognised security standards such as ISO 27001, this provides significant reassurance about data security’.”
Honan said that while this demonstrates a growing demand among customers to ensure those they are dealing with can prove they follow industry best practice such as ISO 27001, this demand should be taken up in the information security provider space too.
“However, I do think there is an attitude among a lot of suppliers that they are above needing to be certified to the standard and that by default because they work in security they are secure. If you are working in the security space then you should be leading by example and demonstrate to your management, your clients and indeed your competitors that you take information security seriously,” he said.
“But it is important that companies seek certification to the standard for the right reasons. If it is from a pure sales and marketing point of view, then the chances are the company will not have the appropriate levels of buy-in from the business to get and maintain the standard.
“Senior management buy-in and staff engagement by everyone is essential in making the standard work and to bring benefits to the business. Benefits I have seen include better defined processes and procedures, which lead to cost savings as business interruptions due to security issues are reduced, manual tasks are automated and better management oversight of issues leads to greater efficiencies.”