ISO 27001 Security Management? “It’s Bloody Brilliant!”
Security standards let management push back against over-enthusiastic IT security fans, says governance expert Alan Calder
Some time ago, VPNs were seen as necessary but encrypted storage wasn’t, even though data was much more at risk at rest on laptops and USB sticks than it was crossing the Internet. People didn’t build in risk.
That’s exactly right. CAP Gemini and others have demonstrated the ease with which one can lose a USB or a laptop. I think the Bank of Ireland managed to lose one at a bus stop.
That’s a real risk, and it has a real impact, so you should spend money on it. You should apply whole disk encryption. This is a no-brainer. The chances of someone intercepting data between your remote office and your headquarters are much slimmer – particularly if the data you are sending isn’t terribly valuable.
If you are sending personal data, then it should be encrypted – as there is a danger of a man-in-the-middle attack. Having said that, VPNs are now a very minor expense – even cheap networking kit comes with VPN technology that is easy to deploy.
Five years ago, you should have been making a decision between VPNs and whole disk encryption, based on probability and likely impact – not on the basis that the head of IT has discovered VPNs, thinks they are really good fun and wants to roll them out.
So what are today’s issues?
Management don’t understand risk. They have demonstrated that in relation to mortgages and investments. Extending that inability to understand risk to the realm of information, it’s not surprising they have failed at that.
If you have the personal details of hundreds of thousands of people on your system, in an environment where you can buy credit card details, and all the information you need to take someone’s identity for a pound or two on the Internet – then I think organisations have a moral if not a legal responsibility to protect personal data.
I do hope we see in the next couple of years an increase in the bite of the Data Protection Act to deal with organisations that treat protection of data with disregard. I hope that means jail terms for directors.
Directors, not CISOs?
Yes. In every organisation, management says to the IT people, if it goes wrong, it’s your fault. So if you’re the security person, what do you do? You lock everything down. Which of course makes it difficult for the people in the business to do their job, which means they put stuff on laptops and USB sticks to get round the controls.
So there’s a breach, and management says to IT – it’s your fault. But it’s not IT’s fault, it’s the directors’ fault, because they never said these are the risks we should deal with, and these are the principles we should apply for selecting controls.
If anyone should be in trouble when things go wrong, it should be management.
The Data Protection Act should be changed, so there are significant fines for reckless breaches of the Act. If directors had the opportunity to do jail time, then within months there would be a significant change in the way organisations approached data protection.
It would cease being “That’s a £5000 risk if we get caught, who cares,” and become “I go to jail? No!”