From sceptic to evangelist

It is appropriate that the new Institute of Information Security Professionals chose Paul Dorey to be its chairman.

The IISP, launched in London at the end of February, is the first attempt anywhere in the world to create a proper independent professional body for the information security world. It marks a key stage of maturity for what many had seen merely as an offshoot of IT. It also reflects the growing role of infosec in defending the organisation against a tidal wave of new threats and legislation.

Dorey has been at the forefront of IT security virtually since before it existed, and has applied a guiding hand to some of its most important developments. He was instrumental in getting the new IISP off the ground, and is also an influential player in the Jericho Forum, which over the past two years has inspired a world-wide rethink of how we do security.

Dorey also regularly speaks at conferences around the world, appearing on the podium with the Information Security Forum, (ISC)2 and the ISSA.

Being on all the right committees does not necessarily make you a good person – IT is full of people who spend their lives on committees for lack of anything more productive to do – but Dorey manages to balance his busy role as head of digital security for BP with spreading his pragmatic, practical version of the word.

Ironically, when the idea of the IISP was first mooted, he was sceptical. "I had always worked for big companies with deep pockets to buy in the people. It was the smaller companies that couldn't find anyone. I thought 'Well, it's a shame, but it doesn't really affect me'. But then I realised, in a world where things digital will affect life and limb and will affect enterprises' regulatory survival, and when there is a huge market shortage, then we needed to do something about it."

Like many a convert, he has become a "huge evangelist for the whole thing" and is now completely behind the idea.

The conversion actually began shortly after the events of 11 September 2001, when BP decided to undertake a major global risk assessment.

"That led us to our next problem. We had been finding it increasingly difficult to find the next generation of information security people who would be the decision-makers we needed," he recalls. "It's the high demand. The headhunters phone up the same 20 people in Britain all the time. We find that people tend to specialise very early because security is now such a wide subject." It means they never achieve the broader perspective needed for the most senior security posts.

"I had a security job before anyone cared about viruses," he says. "When viruses came along we learned about them and the tools to deal with them. When we linked to the internet, we learned about that too, as the first generation of firewalls came in.

"So at each stage, we learned it on the job. So we have enormous breadth. We understand the whole gamut of security, and it's very hard for someone today to get that experience. These days, they end up specialising in firewalls or desktop security, or whatever, and it is hard for them to get the background."

The moment of realisation came when his boss asked him about his succession plans. He responded: "Head-hunting? It's not a good answer, is it?"

Clearly, trawling from a dwindling pool of talent was unsustainable, so he decided it was time to do something about it. "We need accredited professionals and a way to get them to that position. We need mentoring and support functions that help people get a rounded career, and to become the next generation of security."

Following its official launch, the IISP now has to bootstrap itself up into a fully functional operation – harder than it sounds. "A small group of people has no right to declare the industry standard. It has to recruit more and more people to become more inclusive," says Dorey.

For example, it has yet to establish what level of knowledge will entitle full membership. "That will come out of discussion and debate, and within a formalised process to create the measurement system to decide the right criteria."

At that stage, people wanting to join will be told whether they can be certified straightaway, or what they need to do to build up their qualifications.

The creation of the IISP feeds directly into Dorey's other involvement with the Jericho Forum. Again, it was his direct experience of working in the oil industry that initially got him thinking.

"I would never have thought of Jericho when I worked for a bank. In a bank, we put up our borders and controlled our networks. We interacted with the rest of the world in a very 'Us and Them' way," he says. "The oil industry is very different – the number of interactions with third parties in the oil and gas industry is phenomenal. Our three biggest competitors are our biggest customers. We're in joint ventures with just about everyone."

This means the creation of a virtual extended enterprise for the period of a project, where people need to get at information regardless of which partner they actually work for. "You have to create special network situations to gain access to systems. If the person who needs the data doesn't work inside the company, they still need it," he says.

"So your firewalls start to look like Swiss cheese, and you are letting more and more stuff in. We found this quite a big constraint on business projects. These projects cost a dramatic amount of money, and if you delay anything for a week, then you're talking millions."

Traditionally, they had created an extranet for the constituent partners, but this took time and was complicated to set up. Then he began to think the unthinkable: put everything on the internet.

"I talked to our network people because I just didn't like the idea of putting in new firewalls. Then we thought, why not put everything we need on the internet? For a project, we give everyone the URL and an ID, and off they go. That would be a lot easier."

This counter-intuitive approach raised obvious alarms. "The big fear was that we'd jeopardise information security," he says. "But the more we thought about it, the more we concluded that the internal security model was not as sustainable as it could be either, with email and Port 80 traffic letting in all sorts of nasty things."

A risk assessment revealed, surprisingly, that in many circumstances they could create a better security position outside than in. For example, with patching: "We found that Windows devices sitting outside the perimeter with auto patching, patched faster than a managed patch deployed within a corporation because within a corporation, a managed patch needs to go through lots of testing."

They realised they were mixing up risk environments. "On the one hand, we had things the firm should be managing, and we had the non-critical things that perhaps living on the internet would support."

The answer they came up with was to move clients out onto the internet and make sure all the servers were packed into "armoured data centres with very, very good security, with DMZs and layers of defence – all the things we could now afford because we were not protecting the network any more."

They piloted a few hundred machines to see how it worked. "The users loved it. They said it was like getting out of IT prison. They were used to having a good experience at home, and we were starting to spoil it by making them have layers of VPN tunnel and all the rest of it."

The new model won support fast. "The rest of the IT guys got excited about reducing the costs of all the extranets, and also helping the business people to get faster to market with projects. So the whole IT executive bought into the idea.

"Now the whole BP strategy is to move into commodity client platforms, off-the-shelf machines, being served over the internet from armoured DMZ, internet-facing systems, suitable for a very large population at BP. And we are progressing towards this, with 8,500 users so far."

He believes this is the future of security, but to make it work, the vendors need to be brought in. The role of the Forum is to give vendors a firm idea of what will be needed three to five years down the line, so they can start planning for it now.

"If you want to create greater interoperability, you need things that live in the internet cloud as security services - such as company-to-company authentication. We have just been driven by vendors' initiatives. But vendors hold a lot back because they don't want to lose their competitive advantage," he says.

Many big vendors have joined Jericho, even though they don't get to vote on standards. "The Jericho Forum is about building user requirements – stating the problem, not solving it," he says.

He and other members are banking on the vendors seizing the opportunity, and seeing the sense of working together on common standards, not against each other.

And when the Institute starts turning out well-rounded professionals, we will have people capable of implementing the new security model.