Monthly Archives: November 2012

Top Down Security (or “How To Learn To Love Information Security And Get It Into The Boardroom”)

Originally published on the Darlingtons Solicitors Blog 23.11.12

You say the word ‘security’ to people and get a variety of responses or perceptions. Some people think of manned guarding and a nice guy who works the barrier and checks the CCTV images to keep everyone safe.  Others go a bit ‘Mission Impossible’ and imagine consultants dangling from wires, testing floor pressure pads in secure areas whilst hacking into the Pentagon. And yet more others regale you with tales of every night club they have been asked to leave by a man in a black puffy jacket.

This post is not really about any of those perceptions, it is about a business enabler and how it is placed in successful organisations. I can appreciate that compared to Tom Cruise dangling from the ceiling this may appear dull, but as far as business goes, it’s a bit more useful.

“Yeah, IT does Security”

According to the Ernst & Young Global Information Security Survey 2012, there is a real gap between where Information Security sits within organisations and where it needs to sit. As Security Consultants we know this to be true and are also aware that other disciplines, FM for instance have also had a bit of a battle to get a voice in the boardroom. Given the interconnected nature of so many business areas, joining the dots and having top-down policy and behaviour, has never been more important.

Milky Way and our Solar System – image Ecology.com

As we are talking about Information Security (IS) let’s put it in perspective. IT security is the vital technical security of IT such as firewalls, encryption, password policy, patches etc. How an organisation behaves with regard to security of information is a much larger area. (If the organisation’s use of Information were the Milky Way for instance, IT might be our solar system– see picture). The rest of the organisation uses information in a myriad of ways, not always electronically and not always on a device (at least not one that IT is aware of…) the rest of the organisation may be vast and so the potential for compromised information is exponentially increased. Especially if everyone thinks that “IT do security….”

IT departments traditionally do not have a formal risk assessment mechanism. Risk is something a whole business faces not simply the systems in IT – important as they may be.

An organisation’s IS needs to be aligned to its Risk Appetite – but if accountability for it is placed in IT then realising this will be challenging.

Business solutions are not always technical or IT based. At the end of the day the users are people and people make mistakes or behave in questionable ways. Around 80% of data breach is generally accepted to be human error or malice. Technology can’t mitigate all of that risk; you need to consider policy, procedure and education of these concepts through your organisation.  Hopefully you can see now why we are moving out of the realms of IT and into the realms of business centric solutions that cut across silos, not reinforce them.

“Place your bets! Place your bets!”

Risk is a part of business, without risk there is no innovation and nothing can exist for long in a vacuum. Therefore it is vital to know how far you can push something before it becomes too great a risk. Not from an instinctual level but from a tried, tested and accepted level that comes from the boardroom via regular review. So understanding your organisation’s risk appetite and tolerance is vital. Aligning your IS policy and procedure to that appetite seems logical if not essential, yet 62% of organisations surveyed did not align IS to Risk Appetite.

How then can an organisation securely implement something like Bring Your Own Device (BYOD) which sounds on the surface like an IT project – which won’t be aligned to Risk Appetite? So in other words, the risk attached to allowing employees to use their own devices, which may mean access to corporate networks and drives, access to sensitive information, has not been assessed in terms of the business’s overall appetite. So rogue apps (which we hear about every week) for instance could be scalping data from the device on a regular basis and the user would be unaware. Previously, it was the user’s data alone that was compromised, with BYOD the scope of data available increases vastly as an organisation’s information assets open up to that user.

InfoSecurity – share the love

The Ernst & Young survey highlighted the need to bring Information Security into the boardroom. Perhaps asking who owns the risk or who is accountable for the Information risk is where to start. Well according to this survey only 5% have Information Security reporting to the Chief Risk Officer, the person most responsible for managing the organisations risk profile. Placing responsibility within IT can cause ineffective assessment and alignment with not only Risk but with Business priorities.

If 70% of the respondents are stating that their organisations IS function only partially meets the organisational needs, it becomes clear that this is a ship that has set sail without a map. IS needs C level direction and input, it needs to have the support of the board, be implemented and understood top-down and really start to make a positive impact on business growth by enabling it to happen securely, with threat and risk awareness, accountability and mitigation.

It was initially encouraging to read that almost 40% of organisations planned to spend more on IS over the next 12 months. But on reflection, if this is going to be mainly directed by IT departments – unaligned to Risk, unconnected to the board and occupying a similar space as the sun in the Milky Way or an organisation’s Information usage, it is doubtful that the dissatisfied 70% of organisations who feel IS is not currently meeting their needs, will reduce. What is concerning is that this could end up looking like wasted spend on Security, when in actual fact it is merely a potentially unwise or undirected spend. The upshot could be through a lack of board level understanding, that future spend then has a line run through it instead of under it.


All data sourced from Ernst & Young Global Information Security Survey 2012, all visual representation copyright of Advent IM and not to be reproduced without express permission.

Our School Security Service has won an award!

We are delighted to announce that our School Security service is now an award winning service. Thank you very much to the judges at Tomorrow’s FM.

For those unfamiliar with this one day health check, it provides assurance and guidance relating to Information Security,  Data Protection and the physical security of data in schools, academies, colleges etc.

We are delighted to have our expertise and experience in this field recognised and we look forward to helping many more schools reassure their key stakeholders that they have Information Security very much under control. You can find out more here.

Guest post from Darlingtons Solicitors: Holistic and practical approach to business risks is best

We would like to thank Darlingtons for this guest post on a business imperative.  Its always reassuring to have a legal perspective on Security.

“As a law firm offering specialist advice in areas including employment law and fraud, at Darlingtons Solicitors, we see on a day to day basis the impact of legal and security threats which turn into issues causing at best, significant damage, in financial and other terms to a business, and at worst, which can literally put a business out of business.

In our experience, all clients, big or small, do have a sense of threats to their businesses, internal and external, but many tend to somehow try and put these to the back of their mind, and this ties in with the general problem both legal and security professionals face – we are not selling something which clients see as a clear benefit to their business.

Benefit has a traditional sense of a positive outcome, generally financial, and in that sense, preventing damage does not fit with the traditional sense of the word. However, when thinking of bottom line figures, preventing or mitigating losses does have a real impact on any business.

Failing to advise is failing a client

Accepting as a starting point that pushing an argument, however correct, too hard on the lines of “failing to plan is planning to fail” will be unlikely to result in a client handing over a blank cheque to either lawyers or security consultants, what perhaps differentiates the better companies is an ability to understand proportionate threats, limited budgets and to provide advice to clients tailored for that client and based on experience.

Take data protection as an example. Most businesses know that there are laws about data protection, most also understand that their business data, client lists, product information, suppliers and other data are a critical part of their business, but a smaller business with a limited budget may not know which are the biggest threats and what options there are which they may be able to afford to limit the potential damage that could be caused by doing nothing.

It makes sense for professionals to work together when advising clients on risk prevention, something which lawyers should frankly embrace more than most have in the past.

For example, it is all very well advising a client that they need a data protection policy, a social media policy, a contract of employment with strong restrictive covenants and so on, but ultimately, these are pieces of paper. A determined, desperate or foolhardy employee intent on stealing business or vindictive damage on an employer may not even care whether they get sued later and are quite possibly not worth suing.

However, if lawyers work closely with security professionals, the legal paperwork can more easily dovetail with practical safeguards which may prevent loss, such as IT security controls.

In turn, security professionals need to take on board legal issues, such as, for example, where a business decides to monitor it’s employees online activities. In that situation, serious legal consequences would result if the business does not advise the employees it is monitoring them, which can be criminal as well as civil.

Solution ?

In our experience and view, the best approach to legal and security threats, particularly for small businesses is to consider seriously an annual security and legal audit. Progressive law firms and security companies are now offering these at low cost or in some cases even free. A composite report, identifying threats based on risk level and potential ramifications, both legal and practical, presenting the commercial and legal argument for taking action, based on priority and cost is reasoned, proportionate method and good business sense.

For further advice or assistance on legal risks, legal problems you currently have or to discuss a legal audit, we would be happy to assist, please get in touch.” –  Darlingtons Solicitors.

And if you need support, consultation or mentoring with Data Protection or Information Security including ISO27001, contact Advent IM bestpractice@advent-im.co.uk www.advent-im.co.uk