Thus, it is not a surprise to see spending and resource allocation to security to continuously increase. Companies invest heavily in people, software and hardware to address security and data protection needs.
Yet, at the highest level of organisations, C-level executives are frustrated with the lack of impact and effectiveness of their information security function. Despite all the attention and investment in security, viruses and worms are still rampant and disrupting IT operations, compliance with industry and SEC regulations is a problem, and media reports of lost or disclosed private or sensitive data are increasing at an alarming rate.
One of the reasons behind the apparent low performance of many information security organisations is the lack of a formal and measurable framework providing direction as to how the function should operate and interact with the rest of the organisation. Without such a framework, companies tend to focus on specific aspects, often technology alone, without the supporting processes and defined roles and responsibilities; on point solutions rather than strategic thinking; and on reactive, event-based rather than performance- and compliance-based reporting. Although recognised information security and service delivery standards have been widely available for a while, their adoption is still low and inconsistent. Over half of a recent survey's respondents said they had no plans to adopt such a standard. Internal audit was reported as the leading evaluation method by nearly three-quarters of survey respondents, followed by formal external audit at 62 percent. Assessment against a widely recognised industry standard, such as ISO17799:2005, was reported by only a third of survey respondents.
The most significant advantage of adopting formal information security standards is striking an effective balance between roles, responsibilities, processes and technology in building a sound control framework. For example, ISO17799 specifies implementation guidelines ranging from defining your policies and procedures to operating your infrastructure and deploying new systems. Following the framework helps organisations keep a long-term view on what has to be done, without getting distracted by new technologies or regulations. Speaking of regulations, ISO17799 and other similar standards can and should be used for reconciling various industry or SEC regulations. Compliance is not always straightforward, as regulatory requirements often lack the specificity organisations need to know how to comply. Companies must decide for themselves which security controls are appropriate for their organisations. The good news is that most controls required by such regulations can easily be mapped to the controls defined by the standard; as a result, adherence to ISO17799 facilitates compliance with many regulations from varied sources by providing a rationale for the implemented controls. Dealing with a new regulation is as easy as performing the mapping exercise and evaluating whether gaps exist. The gains in efficiency, particularly for heavily regulated organisations such as those in financial services or pharmaceuticals, can be substantial. Finally, formal frameworks based on standards allow organisations to consistently track and benchmark their progress towards achieving their information security goals over time, or against peers. Investment and other resource allocation decisions can be made based on the areas of the framework that lag in performance.
It is worth noting that applying standards is not limited to your own organisation. Evaluating vendor relationships, particularly in an outsourcing scenario, through the lens of a standard or embedding standards-based content in service level agreements is an effective vendor risk management tool. A recent security survey reports that only a fourth of the respondents say that they know their vendors are aligned with a recognised standard. One of the frequent questions around standards is "Which standard or framework should my organisation use?" The reality is that there isn't a single standard that can address all issues facing high-performance information security organisations. For example, while ISO17799 does a good job defining the operational aspects of security, it does little to offer implementation guidelines on setting strategy and alignment with the organisation's business objectives. Similarly, ITIL, an IT service delivery standard, has a limited focus on security, but focuses its scope on building transparency and accountability between IT and the rest of the organisation. An effective, world-class information security organisation is likely to apply a few complementary standards rather than a single one.
So, the appeal and value proposition of standards is evident, but do we have to endure the claimed pain of certification? For many organisations, the answer is a resounding "yes." Certification is an independent acknowledgement that the organisation has implemented effective controls and is, therefore, a trustworthy communication partner. The other significance of obtaining a certification is the recognition of continuous improvement processes to sustain the effectiveness of the existing controls. Remember, information security will be effective only at a certain point in time unless we have the sustainability processes. As the business, regulatory and risk environments change, so should an organisation's information security function. Compliance with standards is certainly an effort that requires commitment, discipline, and a long-term view on information security. The benefits of compliance, however, far outweigh the pain of compliance and should be considered by any organisation striving to build an effective information security organisation.
Rudy Bakalov, a senior manager with Ernst & Young, and Stephane Geyres, a principal with Ernst & Young, collaborated on this article.
Note: The opinions in this article are the opinions of the authors and do not represent the opinions of Ernst & Young, its partners, principals, or affiliates.