The chairman of the Information Security Forum has big plans to take his message to businesses everywhere. Ron Condon reports.
If you have never heard of the Information Security Forum, don't worry – you're probably in the majority. The ISF is a low-profile club that has hitherto kept itself to itself, with a strict ‘members only' approach to its activities. Nonetheless, the organisation counts some big businesses among its 280 members, from AstraZeneca to Zurich Financial Services. And for a membership fee of £16,000 a year, they get access to a steady stream of research on a wide range of security areas, conducted by members with special expertise in the subject.
It also provides them with a safe environment where they can discuss problems with their peers and search for answers using the combined knowledge of the group. Recent reports tackle subjects as wide-ranging as VoIP, securing portable storage devices, and how to comply with new legislation.
Hugh Penri-Williams, recently elected ISF chairman, accepts that the organisation can sometimes appear somewhat publicity-shy. “Yes, I suppose you could say we were a bit like the Knights Templar,” he acknowledges. But the organisation's 280 member companies expect some special privileges for their money, and the research is the most valuable of those benefits.
It is a conundrum he plans to tackle over the next year, aware that security cannot be easily contained within a box, and that standards work best when they are industry-wide.
Penri-Williams is a man with a truly international heritage. Fluent in German, Dutch and French, he is also chief information security officer for French telecoms company Alcatel, and has a background in audit and fraud prevention. He has previously worked at Barclays, Cigna Insurance and Swift, so he understands the challenges of his role.
He describes the job of security as “chasing your own shadow” for much of the time, and he is quite pessimistic about the current state of information security. “We spend too much time trying to fix vulnerabilities,” he laments. “I don't think we're in any better shape now than we were 20 years ago. In fact, we're in worse shape.”
We may be spending more on security, according to Penri-Williams, but the dangers are far greater now than they were 20 years ago. “I started life with the 96-column card – and there wasn't very much you could do with that except drop it in the street. Now we have 101 means to have information to hand, which is good, but all those devices are easy to lose or to steal.”
Communications technologies offer the same mix of benefits and dangers. “First we had infrared, which was innocuous, then Bluetooth came along, and WiFi, and now Wimax. It means that we can share information positively, but also that it can be intercepted.”
On top of that, information and intellectual property are probably even more valuable to companies today than in the past, and therefore need a higher level of protection. And yet, as he points out, vital information can easily be stolen at a trade fair, without anyone knowing. “It is very hard to prove, as no physical object is taken.”
For all the good work done by security people, the big challenge is to convince people in higher management that security matters. “Companies are aware of the dangers, but we sometimes have a difficult time bringing that to the attention of the right people in our organisations,” says Penri-Williams.
It all depends on the type of industry and the appetite for risk. For instance, in his days at Swift, “you only had to mention the possibility of a security threat or vulnerability and you could consider it fixed”, he recalls. “In other areas, security has to fight harder for budget.”
But he doesn't blame company bosses for their occasional failure to listen. “They are there as entrepreneurs and to take risks,” he says. “It is our duty to give them the information, so that when they take a risk, they take it in the full knowledge of what could happen.”
That does assume, of course, that security gets the chance to talk directly to senior management, which is often not the case. “Our big problem is that, in most cases, the CIO is not someone who sits on the board. So the whole technology issue – not to mention security – has difficulty getting their attention.”
To try and rectify this problem, the ISF has done some work with certification body ISC2 (the International Information Systems Security Certification Consortium) on identifying the qualities that make a successful CSO/CISO – successful being defined as someone who is listened to, and who wins budget.
“The most successful CISOs are not geeks,” he insists. “They are people who realise that if they want to communicate their message, they have to frame the content in a different language in order for it to be understood by business people. You need a little switch that changes the terminology and the way of presenting things. We know the ‘war stories' approach doesn't work. It's no good trying to scare senior management into action; that is counter-productive.”
His personal tip is to get to know people in other areas of the business, and communicate with them on a regular basis, rather than hiding inside the IT bastion. “I have always fostered good relationships with other departments. If you think of enterprise risk management in the broad sense, I work closely with the insurance department, risk engineers (people looking after the physical assets), the audit department, and anyone else I can get close to,” he says.
In other words, you need to be open to the other parts of the company. “Then when the day comes and you have a problem, they don't all look round the room and ask ‘Who's he?'”
That involvement is all the more important because, as research shows, the greatest dangers to security come from within the organisation. Security has to be embedded in the company culture to work effectively. But, as someone who has worked around Europe and the US, Penri-Williams has some words of warning when it comes to security awareness programmes. “You have to be sensitive to different cultures. ‘Security employee of the month' might work in some places, but in others, it would be laughed at,” he cautions. “You have to design the programme in the context of the environment you are trying to target.”
At Alcatel, he puts ISF information on the intranet for all 58,000 staff to access, and each November they hold a special computer security day to maintain awareness. He doesn't believe in trying to stop people using technology, for example by restricting the use of USB ports. “That's attacking the problem from the wrong end. You need to have employees who are worthy of your trust,” he says.
“You can screen new employees, but what about the ones who've been there 20 years? They are not necessarily the same people they were when they joined. They may have other problems and worries.” And that brings us back to getting the security message out to departmental managers. “You can only rely on management supervision at the departmental level. Managers need to know their employees can be relied on.”
And this is where ISF membership helps, says Penri-Williams. “The forum produces a couple of reports a month. If I need to do a presentation, I can look up the relevant report and download a ready-made presentation. It is quite legitimate for me as a member to take off the ISF logo and put on my company's.”
The body also produces executive summaries CSOs can give to their bosses – “Ladybird books for senior management”, as he calls them.
His main goal for the ISF during the next year is to increase overseas membership, especially in the US and in new markets such as India and China.
“By enhancing our geographical spread, we can achieve greater wealth of experience. For instance, the Indian companies can bring a completely different slant to it. We have done work on outsourcing, and it's strange that we don't have Indian or Chinese members in the working group. You end up with a very one-sided view,” he says.
More members will mean greater economies of scale, and the ability to fund more projects more quickly in order to meet current needs. “Immediacy is very important,” he explains. “It comes back to the notion of us chasing our shadow – we need to shorten the process, so that we can answer the user community's questions more promptly. We have already worked hard to shorten the time to market for these reports.”
And will the ISF be more open in future? He claims it will, citing the fact that its Standard for Good Practice for Information Security is now available for non-members to download from the ISF website, as well as some reports.
He points out as well that the ISF is in close dialogue with other standard-generating bodies, such as Isaca and the IT Governance Institute, to create what it calls a “metastandard” that will allow cross-referencing between the various governance standards. “We stand a small chance of progressing the dialogue to some level of harmonisation in IS security standards,” he says. “It is getting out of hand because everyone wants to have their own. And we need a non-proliferation treaty for certifications in our domain. With 20 different security certifications to choose from, we're doing a disservice to our community.”
But as he opens up the ISF and extends the membership, it stands to lose some of the exclusivity that made it attractive to some companies.
The head of security at one large financial services company voices some strong concerns. “I will think very hard this year about paying for membership. I am not sure it really offers value for money any more,” he says. “I don't think the ISF is forward-thinking enough; the material it produces is getting of less and less value to us as businesses. Also, it brings together such a different range of organisations and levels that it is difficult to get real value out of a meeting or workshop, unless it is very topic-specific.”
The critic continues: “The body has failed to modernise and grasp the initiative, and is becoming too inwardly focused. I have heard mutterings from several members who are thinking of dropping out.”
Penri-Williams acknowledges that it's hard to please everyone all the time, but insists that extending the geographic breadth of the ISF, and forming alliances with other bodies, will bring a richer vein of information into the organisation.
He adds that he makes a point of going to all the national chapter meetings to hear members' views – “to rub shoulders with people and feel what the groundswell of opinion is” – and wants to get their feedback.
But he is adamant that the ISF must broaden its membership and become more open. “Members are naturally very protective and don't want others to benefit without paying their fair share,” he says. “But I am committed to finding ways to disseminate more of what we do without diluting the exclusivity of the membership. It's like squaring the circle.”
Visit www.securityforum.org for more information on the ISF.