Article for ComplianceExecutive.com
January 2007
Information security compliance: the box is far from ticked
The past year has seen corporations make further, much needed progress in embracing information security as an integral part of their businesses. But…
In its 2006 Global Information Security Survey Ernst & Young found that information security is now a greater concern than ever before for board directors, and that regulatory compliance is providing a substantial catalyst for companies to understand and tackle information risk challenges. Nevertheless, while there has been substantial improvement in the past couple of years, there remain many businesses in which board directors are ill informed of the state of their information security and therefore unable to properly tap its potential as a strategic asset.
We are now three years into a world in which Sarbanes-Oxley has transformed our understanding and expectations of business risk management. At the same time, directors and audit firms are gearing up for the looming demands of Basel II, Solvency II, the EU's 8th Directive and the likelihood of additional new regulations around the world. Compliance and the management of risk have become top level priorities and information security has undoubtedly improved as a result.
E&Y has also noted that information security is now more a part of corporate cultures, with many more employees being aware of corporate policies and of their responsibilities in light of these. This is good news for compliance officers and CIOs and reflects an increasing adoption of corporate-level controls that carry the full weight of the board's backing.
However, while there is much to celebrate in this report, there is inevitably much more to be done.
A significant number of organizations are still failing to report on information security to their board directors on a regular basis. For example, in 41 percent of cases information security compliance was formally reported to board level less than once a year; in 14 percent of the sample such reporting was not performed at all.
There is a risk that, if poorly informed about information security issues, directors may oversee the implementation of inadequate measures. The proliferation of increasingly complex, sophisticated and global threats to IT systems requires businesses to adopt a properly 'joined up' response to information security. However, what grabs the headlines is the profusion of hardware-, software- and vendor-driven security solutions that constantly vie for corporate budgets. Individually, such offerings fail to address the wider security challenge, can be dangerously inadequate and certainly do not amount to a satisfactory system of IT governance.
Instead, more businesses need to adopt a 'whole business' approach to information security that is properly integrated into their overall risk management. This requires controls that are as much about process and individual behavior as about technological defenses. It should also involve information security as a proactive function in areas such as mergers and acquisitions and the creation of new business units, where it has the potential to boost competitiveness significantly. Only the board can set out the objectives and requirements for such a cross-organizational management system, but the compliance function has a vital job to play in keeping this issue high on the management agenda.
To date, compliance has proved effective in promoting information security within many large and farsighted businesses. The challenge for 2007 is not only to encourage other businesses to follow suit in addressing their IT risk issues; it is also to consolidate the gains made thus far by getting businesses to become certified to the relevant independent standards. Such certifications not only satisfy the demands of regulators, but also compel companies to make sure their arrangements are fully watertight.
For an issue so seemingly complex the good news is that a ready-made solution exists. ISO 27001 is widely recognized as international best practice in information security, providing a reliable framework for an information security management system that genuinely preserves assets, protects directors and improves competitiveness. More than 3,000 companies have already been certified to this standard, but many more need to follow suit. Therefore, at this time of New Year's resolutions, compliance executives need to put information security at the top of their list and push for certification in 2007, the surest way to master information risks.