By Larry Greenemeier
May 22, 2006
Much has been made of our inability to prevent cyberattacks. New
technology at best slows attackers, forcing them to find other ways of
terrorizing victims. Now some tech pros are pointing to an ISO
security standard as the answer.
ISO 27001 was approved in October, replacing British Standard 7799-2
as a way to position companies to pass security audits. In certifying
to it, companies are in a position to move quickly when they identify
a potential problem.
Consulting firm Churchill & Harriman worked with the Federal Reserve
Bank of New York to bring its national incident response unit into
compliance with ISO 27001, putting the bank ahead of most U.S.
businesses. The national incident response unit monitors, analyzes,
and escalates information about security threats to the business. Out
of necessity, financial services companies lead the way in technology
adoption, particularly in security, says Ken Peterson, CEO of the
Of the 2,546 businesses worldwide certified to BS7799-2 or ISO 27001,
only 120 operate in the United States. By contrast, 1,517 of the
certifications have gone to Japanese companies, the most in any
ISO 27001 may help businesses secure cybersecurity insurance, says
Barry Kouns, the Churchill & Harriman VP who led his firm's work with
the Federal Reserve Bank of New York. "This type of insurance would
pay if there was a denial-of-service attack or data theft," he says.
To qualify for such insurance, companies must demonstrate that they
have security measures and processes in place.
Of course, standards will never be more than a foundation; they don't
predict the next bug in Windows or an attacker's ability to exploit
that bug. ISO 27001's detractors say it's an expensive process with
little guarantee of success in combating the next threat. Standards
primarily organize a company's security strategy so that security
professionals know what to do to address a particular problem.
Process frameworks such as ISO 27001 are built by committee, "but not
all of these ideas are good or have been tested," says Gene Kim, CTO
at Tripwire, which makes change-auditing software. "Management has to
do something, so they go with what's most popular." Based on his
research of successful companies, top performers address specific
problems rather than overhauling their entire organization. Says Kim,
"It's best to do 20% and get 80% of the results."
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.