
Human Firewall Council Sees Security Immaturity

A Human Firewall Council survey of the state of information security, as measured against ISO guidelines, shows plenty of room for improvement. Is the problem a lack of overarching vision, a dearth of adequate resources or a little of both?

By Derek Slater

April 01, 2003 | CSO — Anecdotal evidence suggests that information security is surprisingly immature, frequently underfunded and often poorly implemented. Now survey data backs up those reports, at least to a point.

Recently, more than 1,000 respondents filled out an online self-assessment tool developed by the Human Firewall Council (www.humanfirewall.org), a nonprofit infosecurity organization that uses words like alarming and dismal when describing the general state of information security.

While those reactions are more subjective than the survey presentation might at first indicate (more on that follows), practitioners agree on one conclusion: Information security has a long way to go.

Survey Says...

The council's "Security Management Index" (which, in spite of the broad name, refers only to information security) is an online questionnaire that allows organizations to grade their security efforts in 10 categories, based on the ISO 17799 guideline from the International Organization for Standardization (see "Holistic Medicine" for the category descriptions). The results: Eight out of 10 respondents earned an overall grade of D or F (see charts, right, for scoring breakouts by category and industry).

The Human Firewall Council attributes the low scores principally to a point-solution mind-set: seeing each problem individually and reacting by buying a solution to address the problem at hand rather than looking at the whole operation and devising an overall approach that includes education, policy, architecture and so forth. That kind of thinking, according to the council, dominates the corporate mentality about the security field today. "People approach infosecurity through products, but that only addresses the tactical side. It's much more of a business problem, and people are just starting to wake up to that," says Michael Rasmussen, an information protection analyst for Giga Information Group and one of the survey's principal authors. "I can build an impenetrable fortress from an academic sense, but if the employee sitting behind the desk gives out that private information," then the fortress is all for naught. The ISO standard presents a more holistic approach, covering categories such as policy, end user education and asset classification, in addition to more technical areas.

True or False?

Still, "alarming" and "dismal." To what extent can these conclusions be attributed to perpetually under-resourced infosecurity professionals crying wolf?

In fact, despite a few cautionary notes, practitioners say the survey instrument and results appear generally reliable. "I think the survey is excellent, very useful," says Stephen Locke, chief information security officer of Northern Trust, a Fortune 500 financial services company. Locke stresses the need to avoid sounding the klaxons unnecessarily in information security. "I'm more interested in instilling a business focus and not a paranoia focus," he says.
