What do the country's top consultants think you should be concerned about and how do you find one that will help you? Mark Mayne reports.
Businesses often see consultancies as a necessary evil, alongside accountancy audits and fire safety checks. They're frequently expensive and, in some cases, mandated and unavoidable, which helps to explain why consultancies can be perceived as impersonal, formulaic specialists in box-ticking. However, an external view of your organisation provides invaluable insight. Besides, keeping track of technology, regulation and the ever-present threats to your business all at once can be an almost impossible task.
So what do some of the UK's top consultancies see as the key issues now and in the future? How is the business world coping with the challenges of information security and information risk?
Floris van den Dool, head of security for EMEA and Latin America at Accenture, thinks that many companies have a very negative view of the processes involved. "There is an increasing use of risk assessment as a tool to determine information security strategy and using the growing requirements of compliance to assess risk," he says. "But all too often we see compliance spawning a checklist approach, leaving chief information security officers concerned that crucial issues haven't been addressed.
"Another problem we frequently come across is a very fragmented approach to security, with issues historically being dealt with on a project-by-project basis, rarely with an overall, end-to-end strategy in mind," van den Dool adds. "This is one area where we're seeing a lot of action at the moment, with big players taking a good, hard look at security architectures to ensure business continuity and reduce their reliance on point-to-point solutions."
Mike Maddison, director of UK security and privacy services, technology assurance and advisory at Deloitte, agrees: "Cost reduction is a top CISO issue, and simplifying the IT estate and introducing centralised management is a popular method of achieving this.
"Also, businesses are moving away from the old threat-based views of security," he says. "They're beginning to ask the IT department what is being done to manage risk. The whole environment has changed, and financial services companies are leading the move away from traditional IT security towards risk-based models, integrating market and credit risk - it's a much wider viewpoint. People are beginning to think about security awareness in a wider context, too."
The adoption of risk-based strategies has been a talking point within the security industry for some years. According to Phil Higgins, chief executive of Brookcourt Solutions, this approach is now becoming more accepted. "A lot of consultancy small-print terms and conditions are moving towards placing increased responsibility for risk on the client, which has not necessarily been the case in the past," he says. "Also, in-house security experts have become much more business aware, and a CISO who can communicate between these two areas is becoming an extremely valuable commodity. The days of generalist IT managers are fading fast."
With this sea change in the industry, it's not surprising that IT managers and CISOs have adapted to suit the market. Where once an in-depth knowledge of technology and the ability to write code in several different languages were prerequisites, the emphasis has shifted towards business nous.
Business over technology
Dave Martin, principal information security consultant at LogicaCMG, is emphatic: "Technology knowledge is no longer the way to the top. People need to speak in business terms, as well as understand the underlying technology. One IT manager told me his board paid no attention to serious security issues and, after reading his email, I could see why - it was far too technical. We rephrased it in terms of problem, cost, result. This got a positive response in ten minutes."
And consultancies themselves recruit staff with this in mind. "Knowledge of security system technology is often far down the list of attributes we are looking for in consultants now," says Martin.
Roy Harari, UK managing director of Comsec Consulting, has observed the same shift in what is expected of IT managers and their colleagues. "Security technology was traditionally very restrictive, based on blocking this, stopping that etc. Now CISOs are beginning to realise they need to fully understand the business context - they don't exist on an island," he says.
If technology-based talk is out, what of technology itself? "Within ten years, there will be no IT department as we now know it," predicts Martin. "Laptops will be managed remotely and contain no vital data. The growth of a highly mobile workforce is leading to the death of the IT department."
However, it's not all bad news for vendors. While accepted technologies have been commoditised, and can be exchanged with little effort, not everything is so simple. Van den Dool thinks there is still demand in some areas. "Of course, the technology people are seeking is changing too. Workforce mobility and deperimeterisation have affected the way people think about and store data, while outsourcing key functionality has resulted in internal data being increasingly outside the organisation," he explains. "This has led to increased interest in DRM-style solutions, which can be used to control the flow of and access to this data."
Others look to new technologies for salvation. Maddison thinks it is time to go back to basics. "It's all about centralising management and outsourcing 'commoditised' technology," he says. "Even ERP solutions are taking security seriously now; but keeping an eye on indicators of risk is the key, embedding automated risk reporting systems is the way to go."
Higgins also sees consolidation and centralisation as key themes: "Businesses are increasingly merging services into a standard global set of corporate procedures. For example, there's a bigger shift towards UTM at the moment, as well as endpoint security, allowing workloads to be shifted to automated tools, which can help prove ROI. Traditional firewalls with integrated DPS etc just aren't enough anymore," he says. "We're also seeing the adoption of a range of risk-management tools, and the 'risk scoring' of individual pieces of technology - real fourth-dimension stuff."
Harari is less keen on UTM, claiming that most of the noise on this is from vendors rather than customers. "I really can't hold up my hand and say we're getting a lot of requests on this. Our clients are definitely aware of the technology, but I think this is being driven by the suppliers at the moment."
Outsourcing versus in-house
The increasing shift towards outsourcing IT has further fuelled this gradual change. Outsourcing can make the books look much better at a stroke compared with buying in services. But this can be a double-edged sword, warns Harari. "Outsourcing is a challenge for security, but not for business. A company is going to outsource when it makes sense, and let security catch up when it can. The security market is becoming more complex, which is why organisations are considering outsourcing to a consultancy.
"Think of it this way," he suggests, "there are 700 or 800 different security solutions on the market, so if you met two vendors a day you'd barely cover the whole market in a year."
Van den Dool agrees: "Two years ago outsourcing was forbidden territory, but now more and more companies are doing so. The main drivers are lack of specific experience and expertise - maintaining the required levels of skill in-house is becoming increasingly difficult. The trend is to centralise strategy and monitoring, then contract out the rest. Keeping monitoring in-house is crucial, otherwise assessing the performance of your outsourcers is tricky," he advises.
However, Maddison has noticed something of a backlash recently. "Some larger companies are insourcing now, as they've decided that core systems are better kept in-house. Maintaining an element of control is vital, and in some cases compliance hinges on this."
Some aspects just can't be handled in-house, though, as Harari points out: "Application security is a good example of something that's extremely hard to do well internally. Keeping pace with threats across different operating environments, languages, platforms etc is an impossible task, and one much better to outsource."
The public's growing concern about personal data security is proving to be a critical driver for the security industry and, as more breaches are announced every month, the pressure not to be the next TJX rises. Maddison sees this as a positive: "ID theft has had a massive impact on the e-world. It's proven to have real costs attached to it, making it a very clear threat. There's damage to a company's bottom line, and with the change in tone of regulation, such as the increasing pressure for EU data breach notification legislation, there are many reasons to do something about it."
Regulation has proven to be a key driver, producing the compliance bandwagon beloved of vendors. The financial sector has led the way in the UK, while the Data Protection Act and imminent legislation such as the Markets in Financial Instruments Directive (Mifid) and the recent PCI standard have combined into a definite force for change.
"Compliance and regulation have turned into the winning card for IT managers," Harari continues. "They can take their wishlists from the past three years and present them through the prism of Mifid etc and probably succeed. It's made justifying security much easier."
However, the flipside of the coin is that the rise in outsourcing and growing awareness of compliance are not necessarily running in parallel, and companies that blithely outsource key data processes without checking the credentials of those partners extremely carefully are likely to run into trouble. "The client has to retain responsibility for security - you can't outsource everything," warns Martin. "Successful businesses will manage suppliers carefully, bearing in mind that their directors are liable at the end of the day."
As the security industry reacts to such issues with new products and processes, it will become increasingly complex, and the ability of individuals to monitor the latest breakthroughs will become more and more limited. The rise in "commoditised" technology and increased mobile working are also likely to result in an even more bewildering choice of options. The easy way out is to bring in outside help in the form of a consultancy, in itself a challenging decision. One thing is for certain: the choice won't get any easier.
CHOOSING THE RIGHT CONSULTANT
The consultancy market is large and confusing, and choosing the company and individuals that you will trust with your most vital assets is no simple step. The bigger names attract clients due to their perceived solidity and experience, but are they the best value for money, and do they have the right skill sets? Smaller companies may be more specialised, but this may translate to a narrower breadth of business experience.
So where do you start your search? Conducting in-depth research before you start calling prospective consultancies will save time and money later. The best way to begin is to talk to the analysts in your sector, such as Forrester Research. They'll know something about the companies you're looking at. Talk to your peers, too.
Do your homework
Of course, a central step in recruiting outside expertise in any sector is the brief. Critical issues include working out what exactly you want from the consultancy, the resources you have to commit, and the timescale you are looking at. Being very clear about your goals and expectations from the outset will help build a good, lasting relationship with your consultancy - remember this is a two-way process. Ensure they can meet your needs, and ask yourself whether they have the right level of expertise. It's here you can decide if you're looking at a senior-level project or a simple commodity exercise.
Phil Higgins, CEO of Brookcourt Solutions, has some straightforward advice: "Companies used to make this choice purely from an ROI perspective and think the bigger the saving, the better the firm offering it. This really isn't a good way to start. To begin with, look into the consultancy, check that their own house is in order - are they fully aware of regulatory issues, is their compliance documentation up to date, has due diligence been done?"
It is also crucial to check references and make sure that the consultancy you choose has the kind of experience you are looking for.
Having done the groundwork and researched a shortlist, what are the indicators of a good fit for your business? Roy Harari, UK MD of Comsec Consulting, reckons it's about the personal touch: "Look for consultants who will adopt your point of view, who understand your business methods and drivers. These people will be able to think like your existing internal staff, not like outsiders on a temporary post. Beware of companies that offer purely technology-based answers, and those that do not have impeccable communication skills. Technology without communication is useless."
Dave Martin, principal information security consultant at LogicaCMG, has a list of the traits to look for when interviewing consultancies: "A consultant should never tell the customer what to do, they can only inform them about the risks and costs associated with a project," he says. "Your ideal consultant will be someone who accepts the way your business needs to work and tries to move towards best practice bearing that in mind. Also, to be effective, a consultant needs support from the very top of the client's organisation. Without this the process will be much less effective - beware of anyone who says otherwise."
The perfect match
It needn't be this much work, however, if a niche requirement is top of your list, points out Floris van den Dool, head of security for EMEA and Latin America at Accenture. "The question to ask yourself is 'what does this consultancy bring that I can't do in-house?' Also, check out their track record. Speak to their past clients, and follow up any references they can provide."
Higgins sounds a final warning note: "Once you've signed up to a consultancy, you are accepting liability for them. It's not acceptable, in business or legal terms, to blame your outsourcer for any issues you may have. Checking them out properly will take longer, but the relationship will last longer."
- Decide precisely what you want to achieve, define as much as possible before you even start contacting anyone
- Make sure your choices have the expertise you seek - don't be a test case
- Check references carefully
- Ask peers and analysts for their opinion on your shortlist
- Make sure their house is in order before you let them play with yours.