Best practice - handle with care

The rising tide of regulation in insurance has been good news for the information security industry, says Jennifer Mack, head of compliance at Cybertrust.

Firms battling to comply with everything from Sarbanes-Oxley (SOX) to the Payment Card Industry (PCI) initiative to the Markets in Financial Instruments Directive (MiFID) have thrown money at security purchases in the hope that it will help their compliance efforts.

But in the panic to demonstrate good practice (and keep their chief executives out of jail), many companies have spent unwisely and failed to make any real impact on the underlying security of their organisations.
But what do insurance companies actually get out of the process? Is ongoing security really improved? Does this way of thinking help IT managers understand the actual level of risk to the business? Is security investment aligned to that level of risk?

In many cases, no. It is just a tick in the box that sends the auditor away happy for another year. To make matters worse, some companies even have different teams of people working on different compliance regimes: a team for MiFID, Basel II or SOX, another for PCI or BS7799, and so on. And yet so much of what they are trying to achieve is identical.
If companies see compliance, and adherence to some theoretical, generic 'best practice', as a goal in itself, they are missing the point.
Information security should be regarded as an integral part of the way the insurance industry does business. Compliance should be a natural by-product of good security practices, rather than the other way round. The 'tick the box' approach to compliance just encourages everyone to relax once the inspection is over and then continue the cycle.

Technology investment and false economy

One symptom of this approach is a blind belief that buying more security products will solve the problem. Compliance has created a feeding frenzy among security product vendors, all promising to make companies 'compliant' overnight by adding more layers of security to their IT infrastructure. While this has given the illusion of security, it has often in fact made the company less effective at stopping security incidents.

Good security, or real best practice, includes user education and awareness, as well as sound security policies. For example, no amount of intrusion detection systems will stop a poorly-trained user from opening a dodgy email attachment. Good security also needs firm leadership from the top, and involves a proper understanding and management of risk at all levels of the organisation.
The challenge for an organisation is to gather risk information right across the board, including operational risk, strategic risk, information risk and business risk. This means getting all the people involved to talk the same language, in order to gauge where your overall business risk lies.
Once you have done that, you can start focusing your efforts where they are actually needed. For instance, by analysing previous security events, you can determine where threats came from, and how often.

You may find, for example, that antivirus signatures could be updated less frequently, saving time and resources with no impact on risk. Or you may decide that, instead of reacting to every vulnerability alert instantly, software patching could be done once a month without serious risk.
A well-managed security programme will monitor the risk profile of the company, and even of key business partners, on an ongoing basis. But the appetite for risk will always be set by the senior management of the company.
It is all a question of assessing the threat and the vulnerability, and putting a cost to it. How much are these worth to your business?
This is basic security practice, but it is so often forgotten in the rush to be compliant. The risk-based approach not only achieves better results, but also saves time and precious resources. Predisposition to any particular threat will differ from company to company, so it makes little sense to continue investing in security products that you might not actually need.
Why is it not universally adopted? The problem for many insurance companies is that security has traditionally been viewed as an add-on rather than as integral.

Attention and budget were allocated in reaction to changes in IT infrastructure, such as wireless networks or more general systems management, and then only as part of the overall IT budget. Security may only have gained board-level attention because of compliance concerns and an increased understanding of information risk management as a discipline.

Compliance - risky business or risk management?

This approach also requires buy-in from all parts of the organisation. For some senior managers, it may be the first time they have given serious thought to their attitude to risk and their risk profile. But the effort can pay real dividends: it will improve the way the company operates, keep risk within manageable levels and reduce the cost of compliance.
Appropriate security needs to be in the bloodstream of the company, which means it must be aligned with company goals, objectives and strategies. It must be based on an appropriate risk analysis and then communicated, understood and valued from the Chief Executive downwards, not just something to impress the auditors.

27 March 2007