Infosec 2011: Compliance the biggest security juggernaut, says security expert
The biggest security compliance juggernaut for businesses is concentrating on achieving compliance rather than changing they way they work, says Des Ward, president of the Cloud Security Alliance UK and Ireland chapter.
The biggest security compliance juggernaut for businesses is concentrating on achieving compliance rather than changing they way they work, says Des Ward, president of the Cloud Security Alliance UK and Ireland chapter.
"We need to get back to what the information is, how it is used, and what its value is to the organisation, rather then doing the bare minimum to comply with laws and regulations governing the protection of data," he says.
Ward blames the outdated belief of organisations that they can simply put up big walls around their data.
"This mindset is seriously hampering business because it ends up spending a lot of money applying sticking plasters to systems and applications that are inherently insecure because they do not understand the real issues," he says.
The obligations created by the Data Protection Act (DPA), for example, says Ward, extend to third parties.
"The DPA is not just about having a firewall in place, but also requires due diligence to establish that service suppliers are able to process personal data safely and securely," he says.
Ward, who is to lead a panel discussion on the compliance juggernauts on the way for security at Infosecurity Europe 2011 at Earls Court, London from 19 - 21 April, says a lack of communication is at the heart of the problem.
IT security teams, business managers, GRC teams and IT operations teams are not really integrated and are all focused on different things, so there is no real communication between them, and consequently no joined-up thinking, he says.
"Security people tend to talk about standards that don't make sense to the business, and business managers tend to do whatever it takes to get things done, including bypassing what they consider to be stupid controls," says Ward.
ISO 27001 is often criticised as being too rule-bound by those who do not really understand it, he says, but it is one of the few frameworks that states that business needs to understand what information assets they have, the associated risks and how to manage that risk.
"If the audit standard is implemented correctly, then all technical teams are engaging with the business so they take control of what they have to enable them to better manage the risks," says Ward.
He believes companies need to get away from this mindset of compliance and get businesses to see that all of these different regulations and laws have come about because businesses have not taken responsibility for their own information and managed it.
What businesses should be doing now, he says, is integrating everything that goes on at an information level into their risk management processes. Ward believes that if businesses manage their risk properly, compliance will take care of itself.
Security professionals, he says, must now learn to work with all the other functions of information risk management to present a united front in terms of where information assets are and how important they are.
The panel, which includes Marc Goodman of Interpol, Gaynor Rich of Capita Group, Stewart Room of Field Fisher Waterhouse, and Simon Salmon of the Nottingham City Council, will assess where businesses need to prioritise.
The panel will also look at the legislation and compliance that UK businesses need to be aware of and discuss issues related to the various regulations and standards.