Thursday, March 20, 2008

Information Security, Governance, Compliance and Safety Belts

The state of Victoria in Australia made wearing safety belts compulsory in 1970. This is now almost universal practice.

I don't know the exact statistics, but a study done in South Africa found that more people used safety belts after it was made illegal not to use them than when the choice was left up to the driver.

The conclusion really is that people are more likely to obey a rule because it is the law than because it may save their life.

I think the same is true of Information Security. It won't (necessarily) save your life, but it is good practice. And yet companies are only doing it because it is now the law.

The problem with this is that people do not accept the rule in their hearts. I know of people who drive around without their belts on and pull them half on when they see a traffic cop.

The Information Security equivalent is jacking up your InfoSec program when the auditors come to visit and letting it slide when they are not around. Or making sure they don't see issues that you are well aware of.

I have seen a lot of complaints about PCI, SOX and the like, in the same way that people complain about "self protection" laws such as safety belt laws. The thing is that the government is stepping in only because people are very bad at self regulation. Really, what a number of InfoSec experts are trying to promote is this: understand why you need to protect yourself, understand how, and abide by it. Do it for your company, not because the government demands it.

That way, not only will you be "compliant" and full of "good governance" but, more importantly, your company will be safe.

Friday, March 14, 2008

More from Securiosis...

While Rich was away he brought in David Mortman, who wrote this gem.

I think he hits the nail on the head. Together with the article I linked to in my previous post, this is the future of Information Security.

I believe the take-away quote is this:

"However, compliance is not a technology problem — it’s a business problem which needs a business solution. By instituting sustainable business processes that effectively leverage people and technology, enterprises will become not just more secure but also compliant with current and emerging regulations."

I think that everyone involved in Information Security should read that, understand it and learn it off by heart. And then practice it.

Once we can define a process, what information is used in it, who does it and when it happens, then bingo: we can secure the process from start to finish. Most companies I have worked in (and I have worked in plenty) have no formal process design and so would not be able to properly enforce Information Security.

Security 2.0

There is a post on securiosis that I think sums up the future of Information Security quite nicely.

In the past information was very structured because disk space was scarce. Then Moore's law kicked in and information got messier and less structured over time.

Now, because of Information Security needs, the information has to become tidier and more structured again. But this time I think we have tools like XML that will allow us to clean up our mess and be more secure and more productive without being totally restrictive.

It is a very interesting time, and I call it Security 2.0 (even though this term is already used by the likes of Gartner).