By Helen Beckett
1 November 2005
When an issue becomes so grave that it threatens the national way of
life, a "tsar" is ushered in by the prime minister to fix it.
Something similar is happening in the corporate world, where security
bouncers are being appointed to ensure the company infrastructure is
protected from internal and external attack.
The chief information security officer (CISO) goes under a variety of
titles, but they are the person who carries the can for keeping
businesses secure and the regulators happy. They are more common in
the US, where growing pressure to comply with corporate governance
legislation such as Sarbanes-Oxley has spawned a new population of
However, the UK is fast following suit and the progress of the
forthcoming Companies Bill will produce a fresh population of security
"Everyone is very concerned that customer files and corporate
accounting information is protected and that someone is accountable,"
says Brian Collins, professor of information systems at Cranfield
University. "The UK is treating data ownership more seriously, and
security is becoming part of a risk management and data ownership
The Companies Bill may be the stimulus for reviewing how accounting
data is treated. But strategies for managing security have been
evolving since the days when firewalls were seen as the ultimate
panacea. The role has certainly grown beyond the scope of an
individual, or even a team, whose purpose is to outwit external
attacks over IP networks.
Company directors are waking up to the fact that exposing customer
data to a security breach will not just harm the brand; it could put
them out of business.
Public services organisations are just getting a handle on the
implications of the Freedom of Information Act - when to keep
information and when to dispose of it. And a further challenge is the
increasing number of internal security breaches at UK organisations,
according to the Department of Trade & Industry's 2004 Security
According to analyst firm Gartner, the bodies of technical expertise
set up in the 1990s to protect internet users are no longer the
appropriate stewards of security.
"By 1996, everything you wanted to have done on a firewall had been
done," says Gartner research vice-president Jay Heiser. "We are done
with that. Security expertise is becoming a lot more tactical and is
part of broader business risk."
According to Gartner, the maturation of technology makes it safe to
put security into the hands of a high-level risk manager who is the
intermediary between the business and IT. It predicts that by 2008,
65% of the Global 2000 companies will employ a CISO to operate a
centralised security programme.
"There is an arms race of security technology going on today.
Companies need [the CISO] to make educated choices because each
organisation has different needs that call for different approaches,"
says Paul Proctor, research vice-president at Gartner.
However, others question whether a risk assessor could take on as
complex an issue as security as another part their portfolio.
"Personally, I cannot see a business person or a professional manager
being able to sort this one out," says David Roberts, chief executive
of user group the Corporate IT Forum.
"There is a point at which the focus of security moves from wires and
bits and bytes to the words on pieces of paper," says Roberts. "But
the bottom line is that in order to assess risk and formulate policy,
one must understand the complexities of the technology."
The argument for having a business manager in charge is also flawed
because it assumes security technology is mature, says Collins. "There
are lots of threats for which the CISO does not have an instant set of
tools," he says. "It is an overstatement to say that technology is
Technology for totally eliminating spam is not there, for example, nor
is there a single tool to monitor the configuring and patching of all
Although there is no consensus about who should be in charge, there is
agreement about the need for a change in mindset. The move towards
viewing IT security as an intrinsic part of the corporate
infrastructure has partly been a response to wider global events.
"Y2K prompted people to think about the holistic impact of IT. Also,
after 9/11 the concept of the critical national infrastructure started
to mature," says Collins.
As a result of this holistic thinking, the emphasis on evaluating
risk, as well as being a technical hotshot, is filtering into security
roles in all kinds of organisations.
At the high-end, Zurich Financial Services has discovered this
approach can yield big savings. And the good news for smaller
companies is that they do not have to employ someone on an enormous
salary to be risk savvy.
This is demonstrated by the approach of Brian Shorten, information
risk manager at Cancer Research UK, who explains the framework for
security provision at the charity.
"As with all risk, you look at what the assets are, the threat to them
and the cost of something adversely affecting them," he says.
Security accounts for between 1% and 2% of Cancer Research UK's IT
budget, and the charity always favours pragmatism over technical
sophistication purely for the sake of it, says Shorten.
"If you need to check the identity of people entering an office area,
such as in one of Cancer Research UK's shops, there are several
solutions. One is to buy smartcards. The more effective and cheaper
alternative would be to install a reception desk and ask everyone to
sign in and out," he says.
Simon Janes, former Scotland Yard detective and consultant at security
specialist Ibas, says the job description for security chiefs needs to
get broader. Risk is just one of many aspects of the job that they
will need to master, he says. "The job description is wider in scope
than IT security. It has to include legal domains and physical
security too," he says.
He advises the next generation of security chiefs to install
procedures for incident handling, to cope with the surge of internal,
physical breaches of security that are occurring as storage devices
get smaller and more mobile. Managing physical security tends to fall
between the IT and human resources departments and could be a weak
"You have to ensure that you comply with the law when you are
investigating an incident, otherwise evidence can be thrown out in
court," he says.
Janes also believes that success in the security realm is more likely
if the role is a dedicated one. "The police force knows this and has
dedicated teams for handling armed robbery and drugs," he says.
Because of the interdependence of different functions, one of the
critical tasks of the CISO is to get conversations going across
different divisions. The most critical of these is the conversation
with the HR department.
"One of the roles of the security officer is to educate the HR
department about the dangers of IT abuse. The law is out of date and
it is not an easy function to get hold of. Defining what employees can
and cannot do needs discussion and this is something that IT should
lead," says Roberts.
Meanwhile, as firms are starting to evaluate risk more closely before
spending money on security investments, most of the budget is spent
after an incident, according to Collins.
"The budget is moving towards spend on the management of incidents.
Because of the negative impact on brand value, security breaches can
affect capitalisation of market value," he says.
Roberts says, "Whoever gets to be security tsar in the new era will
have to be a multi-dimensional person. They will need to talk to HR,
the business, IT and finance, and certainly the legal team. But if
they do not have the underlying understanding that will enable them to
spot the vulnerabilities, all the words in the world will not make a
Case study: Zurich Financial Services
Zurich Financial Services overhauled its security strategy as part of
a larger consolidation that saw two datacentres and 20 global chief
information officers merge into one operation. The cost of running IT
was reduced from =A32bn to about =A31bn.
Security had previously consisted of a very small team that was
distributed worldwide among the regional IT departments. "There were
no synergies and no collaboration. It was virtually impossible to
agree on anything," says Stefan Vogt, head of IT risk at Zurich
Post reorganisation, the firm decided to take an insurance approach to
its information security. "Our business is calculating the risk of
things going wrong and putting money on that risk," says Vogt. "What
is different between that and making sure that a relatively large IT
infrastructure is secure? We are a classic IT information shop that
has grown into an information risk management business."
This means that the configuration of firewalls or provisioning the
day-to-day management of secure clients is no longer the day job.
Instead, that revolves around reporting on risk and creating policy.
There are two components to this - the risk strategy and risk
management. The former is akin to the pilot boat. "We are like a small
boat ahead of the parent ship, spotting icebergs," says Vogt.
The twin priorities for 2005 have been to achieve operational
efficiency and raise the awareness of information security.
To achieve operational efficiency, it was essential to find a way of
reporting risk. This had originally been done through a traffic light
system, but a dashboard approach offered the company a more
comprehensive way of flagging different risks.
The traffic light system works by periodicially assessing risks and
giving them either a green, amber or red light, depending on the level
of risk. The dashboard approach gives an overall view of operational
and security landscapes inside companies and allows proactive
A key aspect of the new risk management regime was to quantify the
risk. "I expressed this in dollars as a figure we could expect to lose
if a certain aspect of security were to fail," says Vogt.
"People challenged these figures of course, but were usually unable to
come up with an alternative. And the figure promoted discussion, which
is healthy. It is better to have the discussion than the old default
of 'let's install another firewall'."
Earn your Master's degree in Information Security ONLINE
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.