Thursday, October 27, 2011

Our security paradigm is out of date

At a recent Cloud Security event, the president of the UK & Ireland chapter of the Cloud Security Alliance (CSA UK & Ireland) said that the perception of security as a concept is out-dated.

According to Des Ward, the current focus on complying with the myriad of assurance frameworks is taking focus away from the obligations placed on organizations to identify and manage the risks to their information assets; which, in turn, places an inordinate and inappropriate burden on external service providers to satisfy the concerns of organizations with no common terms of reference.

“The discussion following my presentation was very interesting as it highlighted that, whilst security in the cloud services environment is clearly a concern for many IT security professionals, there is still a lack of assurance within the external supply chain as whole,” said Des Ward, President, CSA UK & Ireland.

“What this tells me is that, whilst the message on security is getting through to businesses, there is no consistent language to determine whether the service provider will operate the controls to a level that assures the client that their risks are managed appropriately.

This proves to me that the current security mindset is little more than managing risks to achieving compliance rather than empowering organizations to understand the controls required to manage the risks to their information.”

“It is important”, says Ward, “to understand that all organizations in the UK and Ireland, on both sides of the public/private sector divide, have an explicit obligation under law to ensure that personal and corporate information is managed in a safe manner.

“The current compliance overload over the past four or five years has led to an inordinate focus on managing risks to compliance rather than understanding the risks to information – and this focus has meant that we look to overuse of technical controls to show due diligence to ensure that when a breach occurs, that penalties will not be levied; it is not designed to reduce the likelihood of breaches themselves,” he adds.

“This approach is, in my humble opinion, unsustainable, as it does not look to the implementation of the controls and fails to address the business risk management issue that exists in most organizations.

This is turn has no more benefit to the business than placing money in the shredder.” he explained.

“A classic case of these issues”, he says, “was the ICO's recent engagement with Lush after the cosmetics retailer suffered a payment card breach; although the outcome was favourable for all concerned, the key lesson to be learnt is that the current compliance boundaries can now be crossed by another interested party.

What stops the ICO from looking beyond the compliance scope of PCI and entering its own jurisdiction which is the entire business?

“The current lack of corporate information governance in today's businesses will soon result in increased penalties and I feel that this case will be a tipping point; despite the clamour for more prescription from assurance frameworks, my own experience is that many implementations of the PCI DSS are tightly scoped and shows there is little appetite for additional level of prescription that comes with little more benefit than a licence to undertake business on the internet.

This proves to me that the current focus on compliance risk management as we know it is nearing an end, and something else is required to assist organizations to understand and manage the risks to their information going forward.”

No comments:

Post a Comment