The security priorities for IT decision-makers can be plainly stated: to allow the business to operate unfettered by security issues while protecting it from threats. However, the task of developing a strategy to meet those priorities can be much more complex and painful.
While the value of taking a formalised strategic approach to IT security management is beyond doubt, the practicalities of building the strategy are a source of much dispute. Much of the disagreement surrounds the appropriateness of using security standards – such as BS7799 or its international equivalent ISO 17799. These standards are universally recognised by security practitioners as sensible and effective protection methodologies. "There are any number of standards you can use – the point is that they are all based on conducting risk analyses, ensuring a link between IT and the business," says Allison Barnett, head of security business development for the UK at BT.
Security standards are also a useful mechanism to deal with the tidal wave of corporate data regulations currently hitting organisations, says Stuart Ritchie, systems architect at media giant British Sky Broadcasting.
"The standards encourage the adoption of practices that meet a lot of the requirements that are flowing from compliance regulations. Instead of looking at compliance as a burden, businesses should be using it as a check on how well they are run: good businesses tend to be naturally compliant."
The debate starts when considering the difference between merely following standards and achieving full accreditation. Many insist that only by following the accreditation route can organisations ensure that security policies are more than just idealised wish-lists. "Without some mechanism for measuring results it is very difficult to assess whether you've achieved your objectives," says Ritchie.
But others argue that accreditation is a complex, expensive paper chase; the value comes from introducing the recommended practices, not gaining a qualification. "We have worked to the guidelines, but I see no point in having to force people to complete the paperwork," says Peter Pedersen, CTO of online bookmakers Blue Square.
Chris Potter, partner specialising in information security at consultancy PwC, sees considerable weaknesses in the current standards approach: "When we ask whether BS7799 has helped meet the objectives, clients are overwhelmingly positive. But they gained the business benefits from taking a risk assessment approach to implementation."
While the tendency to avoid tortuous paperwork is understandable, it is misguided, says BT's Barnett. Accreditation's real strength is that it allows businesses to ensure that technological advances do not open up new security threats.
"Security has historically been a reactive process – new technology introduces new threats and then businesses have to invest," she says. "Over the next few years we'll see a growing use of technologies such as voice-over-IP and wireless, but unless their introduction is accompanied by a proactive [security] strategy they will be accompanied by an element of risk."