Take the current hot potato of regulatory compliance, e.g. Sarbanes Oxley. If you believe the marketing, you can identify any number of products which will solve your SOX problems for you, which completely ignores the fact that compliance is all about opinions - specifically, convincing the relevant auditors that you have the necessary business processes and culture in place to be compliant. Good products can help - but they can also be a placebo and lull you, literally, into a false sense of security.
The other problem of a product led approach to security is that you can end up spending a fortune and still not be secure. Take the simple example of internal versus external security. Most companies have realized that there is a significant risk in connecting their internal networks to the wider world (in the shape of the Internet) and have therefore implemented multi-layered firewall defences to stop rogue traffic coming in. Yet the most high profile security breach of recent times, the foiled £220m sting at Sumitomo Bank, was probably initiated by an insider installing keyboard logging software onto workstations used for moving large quantities of money. Frankly, it doesn't matter how big a lock you put on the front door if the crook is already inside the building.
Of course products have a part to play in information security, but they should not be the first consideration. If information security is to be improved in an organisation, what's needed upfront is a clear recognition and statement that information security is a "whole business" issue and not something that's confined to the IT department.
This fact hits home even more when you realize that one of the widest recognized information leakage scenarios is employees talking loudly about their confidential business activities in the bar after work - I'd be very interested to know how you'd tackle that one from an IT perspective!
A standards framework, such as BS7799, provides good security practise that suits most types of organization. BS7799 has a reputation as a solution that only fits large companies, but in reality an implementation can be focused at specific parts of the business and then expanded to other areas when appropriate. BS7799 also provides the benefit of independent verification that the security practices are in-force and effective on an ongoing basis.
The first step within any such framework is to understand the information you're trying to protect. To do that, you need to understand what information you have, what its value is, what the threat to the information is, and the consequence if that information is compromised. This piece of work constitutes the risk assessment, and by doing this you can determine what needs to be addressed, what the priorities are, and where your budget is going to be spent. With this approach it's easier to find and eliminate unworkable scenarios - such as where an information asset is worth $5,000 but you need to spend $500,000 to secure it. An IT focused approach probably would not give you this information.
Once you understand the information that you have, the next step is to look at how that information flows through your business. Again, an IT focused approach will probably identify any number of products to secure the information in the place where it's normally stored. But unless you understand where and how that information moves in the organisation, you're back to a "weakest link" scenario, with a weak security spot in one place completely compromising all your investment in another.
One of the major points about looking at information security rather than just IT security is that plugging the security holes is not simply about products. The thing that makes the biggest positive impact to a secure environment is shaping employee behavior so that good security practice is built into the standard operations and culture of the organization. Formal policies and guidelines are the starting point here, but they need to be backed up by training, enforcement and reinforcement to prevent behavioral lapses.
Of course, the project that attempts to improve information security across the whole organisation is going to be a daunting one, and one that may struggle to get off the ground no matter how much business sense it makes. Some organizations prefer an approach tackling one or more departments in isolation first - such as the IT department. Whichever department it is, there is always the need for involvement from internal departments offering common services across the business such as HR, Finance and Legal. What needs to be borne in mind however is that as you're strengthening processes and behaviors in one part of the organisation, other departments which aren't involved in such activities need to be considered as "untrusted".
Ultimately information security will determine the need for controls; these may be any combination of, training, procedure or technology. Often the fix does not have to involve technology and does not have to have any real cost. When it does involve technology, organisations may still end up making the same technology choices but in this scenario the reason and justification have come through business involvement and the use of a repeatable process that should provide consistent results.
One of the most interesting aspects of the recent Sumitomo case is that the bank elected to go public with the information, since in the past, organizations have gone to great lengths to keep major security breaches quiet. A mitigating factor here is that the security breach was foiled and the bank didn't lose any money. However, it's also likely that compliance regulations such as SOX are starting to have an influence. These regulations insist on full and prompt disclosure of significant business events which could impact the share price - and a major security breach certainly fits into that category. We may well be entering an era where there is much greater openness about security incidents, and therefore an even greater imperative for companies to get on top of their information security problems.
The author is director of consulting at Plan-Net.