Visibility is everything in information security. Far too many of the risks and events that threaten the security of our information systems are silent and invisible – until they strike.
You can't expect managers to broadcast details of the incidents they experience – you have to find smart ways to collect this information.
As Donn Parker advised me back in 1989, shortly after I had joined Shell: "You need your own intelligence network to understand what's really happening across your organisation. You can't rely on others keeping you informed."
Like many things in life, the concept is easy to grasp but hard to put into practice. In Royal Mail, after several years of hard work, I believe we are getting there. We now have around three years of historical security incident data, so we can rapidly spot, analyse and respond to trends. We also use this information to measure the effectiveness of our security awareness initiatives.
And based on our experience, I can assure you that there really is a strong inverse correlation between the level of security education and the number of security incidents.
Over the past year alone, we have reduced laptop thefts by two thirds and virus incidents by a factor of four. We have also reduced password reset transactions by more than 11 per cent. All of this has saved us millions.
This information forms a key part of our executive dashboard, designed to inform and reassure our top management. Each week, we report on major events, new virus alerts and the status of our patch management. Each month, we deliver a more considered analysis of security incidents, outages and our progress in clearing any outstanding audit actions. And every six months, we present the results of our latest BS7799 certification audit.
This year, we have carried out impact assessments for our Top 60 most critical applications to prioritise security improvements to our legacy systems, and more accurately assess the impact of security vulnerabilities.
We have also recently introduced real-time vulnerability scanning to complement our regular penetration testing.
Next month, we begin implementing an ambitious new patch management process, intended to deliver a step change in the speed of applying patches to our most critical platforms. Again, the key to achieving this is to maintain visibility of the underlying infrastructure that supports our most critical business applications. But I should warn you that this is not a trivial exercise, and it requires a major effort to collect and analyse the data.
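The three preceding steps (impact assessments that rank applications, a scanner feed of missing patches, and a patch process that needs to know which hosts sit under which critical applications) come together as a data join. The example below is an added illustration and not Royal Mail's code: it joins a constructed impact-assessment table, a constructed host inventory and a constructed scanner feed, ranks outstanding patches so that those on hosts behind the most critical applications come first, and surfaces the two visibility gaps that make such an exercise non-trivial: hosts the scanner sees but the inventory does not know, and assessed applications with no recorded hosts at all. All names, tiers and scoring weights are hypothetical.

```python
from collections import defaultdict

# Added example, not Royal Mail's code. All data below is constructed to
# illustrate the data joins the text describes; the names are hypothetical.

# Output of the application impact assessments: application -> criticality
# tier (1 = most critical).
APP_TIER = {"payroll": 1, "sorting-control": 1, "hr-portal": 2, "intranet-wiki": 3}

# Infrastructure inventory: host -> applications it supports. Note that
# hr-portal has no hosts recorded, a visibility gap the code must surface.
HOST_APPS = {
    "srv-pay-01": ["payroll"],
    "srv-pay-db": ["payroll", "sorting-control"],
    "srv-sort-02": ["sorting-control"],
    "srv-wiki-01": ["intranet-wiki"],
}

# Constructed vulnerability-scanner feed: one record per missing patch,
# (host, patch id, vendor severity, days since the patch was released).
MISSING_PATCHES = [
    ("srv-pay-01", "KB-0001", "critical", 12),
    ("srv-pay-db", "KB-0002", "high", 40),
    ("srv-sort-02", "KB-0001", "critical", 12),
    ("srv-wiki-01", "KB-0003", "critical", 3),
    ("srv-unknown-9", "KB-0001", "critical", 12),  # seen by the scanner, absent from inventory
]

# Hypothetical weights; a real programme would tune these.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def patch_score(severity, days_outstanding, tier):
    """Rank a missing patch: more severe, longer outstanding, and sitting on a
    host behind a more critical application all push it up the queue."""
    return SEVERITY_WEIGHT[severity] * (days_outstanding + 1) / tier


def build_patch_view(app_tier, host_apps, missing):
    """Join impact assessment, inventory and scanner feed.

    Returns a dict with:
      worklist       - [(score, host, patch_id)] sorted highest score first
      app_exposure   - application -> sum of scores on its hosts
      unmapped_hosts - hosts in the scanner feed with no inventory entry
      hostless_apps  - assessed applications with no host in the inventory
    """
    worklist = []
    app_exposure = {app: 0.0 for app in app_tier}
    unmapped_hosts = []

    for host, patch_id, severity, days in missing:
        apps = host_apps.get(host)
        if not apps:
            # The scanner knows this host but the inventory does not:
            # it cannot be prioritised until someone maps it.
            unmapped_hosts.append(host)
            continue
        # A shared host inherits the tier of the most critical application it serves.
        tier = min(app_tier[a] for a in apps)
        score = patch_score(severity, days, tier)
        worklist.append((score, host, patch_id))
        for a in apps:
            app_exposure[a] += score

    hosted = {a for apps in host_apps.values() for a in apps}
    hostless_apps = sorted(a for a in app_tier if a not in hosted)

    # Highest score first; ties broken by name so the report is reproducible.
    worklist.sort(key=lambda r: (-r[0], r[1], r[2]))
    return {
        "worklist": worklist,
        "app_exposure": app_exposure,
        "unmapped_hosts": sorted(set(unmapped_hosts)),
        "hostless_apps": hostless_apps,
    }


if __name__ == "__main__":
    view = build_patch_view(APP_TIER, HOST_APPS, MISSING_PATCHES)
    for score, host, patch_id in view["worklist"]:
        print(f"{score:7.1f}  {host:14}  {patch_id}")
    print("exposure by application:", view["app_exposure"])
    print("hosts with no inventory entry:", view["unmapped_hosts"])
    print("applications with no known hosts:", view["hostless_apps"])
```

With the constructed data the "high" patch on the shared database host outranks the "critical" patch on the wiki server, because the database sits under two tier-1 applications and has been outstanding longer. The two gap lists are the part a practitioner should watch: an unmapped host gets no priority at all, and an application with no recorded hosts has a patch status of "unknown", which on an executive dashboard should be reported as such rather than as clean.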
My aim is not to achieve the tightest possible security, but to contain and, as far as possible, reduce the impact of incidents and the costs of security through best-in-class solutions, smart use of technology and, most importantly, by shining a light on what's really happening across Royal Mail.