The 2004 SC Conference highlighted the industry's concerns that an impending swathe of regulations is likely to hit it hard, and that this trend is only going to get worse. From Basel II, to the UK's Companies Bill and Freedom of Information Act (FOIA), IT professionals are going to find themselves pursued by regulation and legislation which, while it will almost certainly be expensive to implement, will be impossible to avoid.
In particular Sarbanes-Oxley (SOX) and the Californian Senate Bill 1386 put pressure on UK organisations to comply with legislation that, while ostensibly for overseas, still affects them.
"There's more to come," said Bruce Potter, head of technology practice at Morgan Cole. "New acts and bills, whatever part of the world they are in, have a knock-on effect on the industry."
Outlining the likelihood of any upcoming legislation in areas such as broadband, outsourcing and ID cards, Potter pointed to instant messaging as the next big test for the industry.
What is clear is that companies are under an increasing legal obligation to retain, protect and store records of data. Recently, the British Phonographic Industry launched legal action against 28 major filesharers. Potter also highlighted legal cases, such as the Hutton Inquiry, in which email played a major role.
"This is a real headache, both technically and legislatively. We have moved from information security legislation to information governance in FOIA, SOX and the Companies Bill," he continued.
This message was reinforced by Gus McDonald, IT security and training manager at Lothian Health Board. He discussed the impact that legislation has on email monitoring policies: "Paranoia becomes a good thing. Monitoring is a fine idea, but for legal reasons needs to be constantly and consistently justified."
But David Lacey, information security director at Royal Mail, claimed that all this was simply a result of where the industry seems to be heading. Industry standards, he argued, will increasingly appear as a result of the disappearing security perimeter. As information security moves down to the data level, it will have to be consistently recorded and monitored, and this will be achieved through regulation and legislation.
Lacey used the conference to outline his determination to create a more secure IT environment through the Jericho Forum, a loose grouping of security leaders that is seeking to drive change within the industry. To achieve this, one of the key areas that needs to improve is security management.
An undercurrent of security management issues continues to worry the industry. Conference speakers and delegates constantly called for a greater focus in tackling the problem.
"We are stuck on a treadmill," said Simon Perry, vice-president of security strategy at Computer Associates. "We need to change our infrastructure. Parallel projects occur because departments don't communicate, so we're not getting the benefit of existing technology."
And when new technology does come through, such as in wireless networking, businesses are slow to respond. "We're past the sexy new technology phase and they're now embedded in systems. But large firms only protect a third of wireless networks," warned Andrew Beard, infosec advisory director at PricewaterhouseCoopers.
So with the industry facing ever-increasing levels of legislation and creaking under the strain of numerous security issues, what is the answer?
Around the conference, the consensus seemed to be interoperability and purchaser power.
For many, the security Holy Grail is the range of options offered by linking hardware and software of your choice: the ability to live and die by your own sword, rather than be tied to a single vendor's security options. And the gradual move to this, according to conference speakers, will come from both ends.
"Secure business will be increasingly driven at the shareholder level," said Simon Perry. "When the fragility of the corporate systems becomes obvious, management will start to encourage security."
But the IT security fraternity often lets itself down through poor judgement – opting for stop-gap solutions in a knee-jerk response to security vulnerabilities, often taking whatever is offered by vendors, rather than looking at the bigger picture. "We've got to stop making decisions based on hype and cost," said Andrew Wilson, project manager at Information Security Forum.
Making informed decisions and not putting up with what is offered is all part of the idea of purchaser power.
Through groups such as the Jericho Forum and the Information Security Forum, the wheels are starting to turn. Increased pressure is being applied on vendors to make sure they raise their game. But if the conference highlighted one thing, it is that work still needs to be done.
In his address, Simon Perry said that organisations need in general to be more proactive. "We are getting better at preventing vulnerabilities before exploits occur, but that's being reactive," he argued. "There has to be a better strategy."
Perry also pointed out that the fault doesn't simply lie with the vendors. And Ray Stanton, global head of security services and solutions at BT Group, agreed. "We all need to work together, it's not just the vendors' fault," he said.
The final word went to Stuart Okin, the departing chief security advisor for Microsoft. Underlining a theme of his tenure, he said: "Systems are never going to be 100 per cent safe. There's not a lot you can do to prevent black hats."
Improvements in security management and purchaser power may increase security, but the increased workload brought by compliance and the continuing threat of attack ensure that IT security professionals will not be out of a job any time soon.