Every industry is complex and has facets which only become obvious to experienced, well-trained professionals. Complexity is in the blood of information security, which requires detailed knowledge of software, hardware, networking, compliance, legislation, industry standards and training. In a perfect world, whole teams of specialists would be employed to manage this enormous challenge, but all too frequently security is thought of as one of those 'IT things' that should be handled by whoever is changing the toner cartridges.
This attitude comes from the relative youth of the sector and its constant development. In the past forty years the landscape of computing has changed beyond recognition and the avenues of attack on systems have increased geometrically, probably at the same rate as the reliance on computers in business. Uneven though this stereotype is, in service-based businesses the only place where computing knowledge isn't required is at the top. CIOs are needed who can combat the top-level feeling that information security is an impediment, describe the complexity and explain the advantages.
Barclays won SC Magazine's 2009 Information Security Team of the Year award, and yet earlier this month it was reported that "Barclays Capital Securities and Barclays Bank have been fined £2.45 million by the Financial Services Authority (FSA) for failing to provide accurate transaction reports and for serious weaknesses in its systems and controls in relation to transaction reporting." This isn't to say that the team has failed: firstly this could be a compliance matter for another team and secondly Barclays' Security Team has doubtless saved the company many times the cost of this fine. The fact that this happens simply shows that the range of tasks that fall within Information Security's role keeps increasing and that expensive problems can ensue if issues are missed.
Barclays is an outlier company that shares challenges with only a few other organisations in the world and few companies will have the resources to emulate its practical approach. What can be applied is its way of thinking about Information Security. Stephen Bonner, the Global Head of Barclays' Information Security team, described a central part of their approach in an interview:
"[Information security] has to be cost-effective – you need to undertake a cost analysis of the loss events that have been near-misses, against what controls there are in place." Bonner likens it to a large-scale medical study. "[...] We need to be a lot more professional. It is not helped by checklist-driven regulations. Certain controls must be put in place, whether or not they manage a risk."
Information Security is about more than just applying patches. An annual penetration test will not make a company secure. Applying a checklist standard will not make a company secure. Firms should treat Information Security in the same way that they treat accountancy - as important, potentially devastating if it goes wrong and only entrusted to professionals. Ideally, they should employ a full-time information security professional who has years of experience in the industry and more qualifications than letters in their name - failing that, employ someone who is working to get themselves to that point and give them the budget to call on experience.
Monday, 28 September 2009