Human Firewall Council Sees Security Immaturity

Anecdotal evidence suggests that information security is surprisingly immature, frequently underfunded and often poorly implemented. Now survey data backs up those reports

at least to a point.

Recently, more than 1,000 respondents filled out an online self-assessment tool developed by the Human Firewall Council (www.humanfirewall.org), a nonprofit infosecurity organization that uses words like alarming and dismal when describing the general state of information security.

While those reactions are more subjective than the survey presentation might at first indicate (more on that follows), practitioners agree on one conclusion: Information security has a long way to go.Survey Says…The council’s “Security Management Index” (which, in spite of the broad name, refers only to information security) is an online questionnaire that allows organizations to grade their security efforts in 10 categories, based on the ISO 17799 guideline from the International Organization for Standardization (see “Holistic Medicine” for the category descriptions). The results: Eight out of 10 respondents earned an overall grade of D or F (see charts, right, for scoring breakouts by category and industry).

The Human Firewall Council attributes the low scores principally to a point-solution mind-set: seeing each problem individually and reacting by buying a solution to address the problem at hand rather than looking at the whole operation and devising an overall approach that includes education, policy, architecture and so forth. That kind of thinking, according to the council, dominates the corporate mentality about the security field today. “People approach infosecurity through products, but that only addresses the tactical side. It’s much more of a business problem, and people are just starting to wake up to that,” says Michael Rasmussen, an information protection analyst for Giga Information Group and one of the survey’s principal authors. “I can build an impenetrable fortress from an academic sense, but if the employee sitting behind the desk gives out that private information,” then the fortress is all for naught. The ISO standard presents a more holistic approach, covering categories such as policy, end user education and asset classification, in addition to more technical areas.True or False?Still, “alarming” and “dismal.” To what extent can these conclusions be attributed to perpetually underresourced infosecurity professionals crying wolf?

In factdespite a few cautionary notespractitioners say the survey instrument and results appear generally reliable. “I think the survey is excellent, very useful,” says Stephen Locke, chief information security officer of Northern Trust, a Fortune 500 financial services company. Locke stresses the need to avoid sounding the klaxons unnecessarily in information security. “I’m more interested in instilling a business focus and not a paranoia focus,” he says.

As with many large companies, Northern Trust uses the ISO 17799 standard as a guideline for its information security efforts. Still, Locke notes that full compliance is not necessarily realistic for everyone. His own company earns a B-minusor about 80 percenton the survey, which he attributes not to oversights but to rational evaluation of where the ISO recommendations are, and are not, appropriate for their particular business requirements. ISO compliance is enormously time consuming, and Locke’s company and his staff have plenty of other demands pulling on themnotably legislation such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (better known as HIPAA), not to mention assorted laws for doing business in Singapore and other places around the globe. “We spend a lot of time with federal regulators and our own legal and compliance people, and it takes a lot of time for my staff to work through all this documentation,” says Locke. (For more on the challenges of fully implementing ISO 17799, see “Guiding Lite,” March 2003.)Grading on a CurveAnother possible reason for lower scores of some other survey respondents, says Locke (himself a former manufacturing company employee), is that other industries vary in their exposure to information security and may find certain categories in the index simply less critical than do financial or health-care organizations.

Finally, there is one more significant caveat to bear in mind with the survey results: The assignment of letter grades is quite subjective. For example, a company that checks “partially implemented” for a particular set of ISO best practices automatically receives a score (5 out of 10) that maps to a failing grade for that category. “In my opinion, partial implementation might be more deserving of a C,” admits Rasmussen.

Nevertheless, the index makes its point. “You can look at the methodology and say it’s skewed one way or another,” says Rasmussen, “but I would say the results are fairly accurate based on what I find in the field.”