Whatever the outcome of today’s General Election in the UK one thing is certain: there will be increased scrutiny of IT spending post 6th May, especially in the public sector. Increased scrutiny does not necessarily mean decreased spending though, particularly with regards to information security.
In this General Election campaign, the parties have talked about “back office cuts” and “wasteful IT projects”, but the need for information security spending has never been greater. At Info Security Europe 2010 last week in London, Pricewaterhouse Coopers presented their findings of the biannual Information Security Breaches Survey. To illustrate the need for information security spending, 92% (72% in 2008) of respondents who are large organisations (defined as greater than 250 staff) reported a security incident in their findings, costing the organisations, on average between £280,000 – £690,000 (£90,000 – £170,000 in 2008). Smaller organisations (less than 50 staff) fare little better, with 83% of respondents (45% in 2008) reporting a security incident, costing them on average between £27,500 – £55,000 (£10,000 – 20,000 in 2008). In addition, Chris Potter , a senior partner at PWC’s information security practice recently reported to the Financial Times that the total cost of cybercrime to the UK’s economy had more than doubled from “around £3bn to £5bn” in 2008 to “at least £10bn” in 2010.
Furthermore, in research commissioned by the Information Commissioner’s Office, presented at the keynote speech at Info Security 2010, there were a total of 962 serious data breaches reported to the ICO since November 2007. Of these, 271 or 28.1% (excluding other and third sector) occurred in the private sector; whilst the public sector (including the NHS, but excluding third sector) accounted for 621 or 64.5%. Clearly, there is more work that needs to be done in both sectors, but given the balance of the UK economy is roughly 50/50 between public and private sector currently; the number of breaches is greater in public than private sector. Here therefore is an opportunity for the next government to reduce waste by improving information security.
A common theme at Info Security Europe last week was: how can I secure funding for security projects? Aside from the studies mentioned above, organisations need to be much smarter in the procurement process – both with raising their business case clearly internally to their board level, and secondly with their dealings with suppliers. “Regulatory compliance” have been the industry buzz words for a while, but evangelising this as the sole reason for security purchases is to miss the point: complying with regulations will not only decrease risk but protect your organisation’s reputation and thus add to the bottom line of the business. Usually, the damage to reputation is costlier than the fine resulting from the security breach.
Sometimes, it’s easy for IT managers to be driven by what IT needs rather than what the business requires. In the last security blog, Excelgate looked at how the ISO 27001 standard forms the baseline framework for compliance across a number of areas. It also fosters an information security awareness culture in the organisation, by having buy-in from board-level downwards, thus removing a knee-jerk approach to security. It also provides the opportunity for an organisation to do a risk assessment. This involves looking at the risks to an organisation, and then (potentially) putting a number on both the cost of risks to the business vs. the cost of the controls required. Thus the business can make a decision about what controls need mitigation and which – for their environment – are not appropriate.
Changes to the procurement process are also required. In this General Election campaign we have heard about this, with regards to transparency. I would also argue that there needs to be a smarter scrutiny process in place as well. At present, proposal questions are simply too vague to allow an informed decision to be made on the business case properly. Hardware and software proposals should include a detailed project plan for the time and costs associated with the implementation and ongoing support of a solution. This should not be the proverbial rocket science, since if implemented frequently there will be past history and case studies to back up those numbers. Similarly, when working in a particular sector, it is always easy to ask contacts with a similar estate their experiences and recommendations working with particular solutions. Even on the technical side, there is often vagueness – proposals ought to ask about performance – which if responding as per the published materials online-may produce a “negligible” response – as though the products in question magically doesn’t use either memory or processor. Where is the in-house or third-party performance testing metrics to back up this assertion? If it isn’t available on-line, now is the chance to ask this during the procurement process. Would you buy a car without knowing its tested performance, especially its fuel consumption? Vehicle manufacturers would not get away with “negligible fuel consumption!”
In order to raise the business case for security spending in your business, remember compliance is a necessity since it adds to the bottom line of the business by safeguarding its reputation, and without it- you cannot do business effectively – or at all; the ISO 27001 standard forms a good security baseline with which to drive security awareness and culture within your organisation; share opinions and best practices freely with peers for a good sounding board; and expect changes to the procurement processes, particularly within the public sector. Greater scrutiny and openness drives greater competition and innovation, and as an industry we should welcome change in this area.
Phil Stewart is director of Excelgate Consulting