Article for Managing Risk
Autumn 2007
IT security: getting up to Standard
Law firms have faced a growing threat to their information systems in recent years, with increasingly sophisticated attacks directed at any vulnerability. When information and trust are the currencies of your industry, it is vital to ensure that your information assets remain watertight; most firms have therefore acted in some way to shore up their defences. However, just as a successful legal action depends on a considered and thorough strategy, so must a firm’s information security if it is to achieve its full potential.
Unsurprisingly, few senior lawyers are technological in orientation. While IT has made a profound impact on how their work is done, most in the profession remain distant from the finer points of how these systems work. As a result, infosecurity has for many years been relatively neglected at the top, often seen as a burden best delegated to the IT department.
This situation has begun to change in the past five years, as the corporate world has become enveloped in a new climate of governance - IT security has at last become a boardroom issue. However, many top lawyers remain uneasy with the subject and consequently run the risk of implementing measures that are kneejerk or piecemeal.
There is a profusion of hardware, software and vendor-driven security systems on the market, all of which promise to safeguard your business from the latest threats. However, while some may provide useful parts of the whole, taken in isolation they can in fact prove dangerously inadequate.
For example, and particularly in professional services, it is crucial to recognise the human dimension to information security. All the clever, whizz-bang email filters in the world are of little use if spyware can unwittingly be introduced by a trainee who doesn’t realise that he shouldn’t plug his personal USB drive into the corporate network.
At the same time, deciding which security elements to combine demands that firms adopt a ‘whole business’ approach. Every organisation is unique in the interplay of its departments and design of its workflows. An adequate information security system needs to recognise and respond to all these features so that it addresses the entirety of the business.
For many, grasping this point entails a fundamental change in how they perceive infosecurity. It is no longer enough to see it simply as a bolt-on that ensures existing work patterns can continue unmolested. Instead, it has to become hardwired into the culture and allowed to mould new habits that are more appropriate to today’s hostile environment.
The more progressive firms have moved on from seeing security as purely defensive. Managed strategically, it becomes an asset that improves competitiveness on many levels, not only in business continuity and client confidentiality, but also in marketing, knowledge management, purchasing and even recruitment.
That’s all very well, I hear you say, but you’re talking about fundamental changes and we don’t have time to rewrite our rulebook. Well, the good news is that there is an off-the-shelf solution ready and waiting. ISO27001 is the new global best practice standard for information security. It provides a reliable and effective framework for deploying an information security management system (ISMS) that meets the exact needs of your organisation.
ISO27001 outlines the processes and procedures to be adopted, guides important IT investments and prescribes the training and internal communications that drive the system throughout the business. As over 3,000 organisations have already demonstrated, becoming certificated to ISO27001 not only gives you peace of mind, but is also something to shout about. It demonstrates to clients, regulators and others that you protect your systems and data as rigorously as you tackle all other tasks. In today’s information age what could be more important than that?
Alan Calder is CEO of IT Governance (www.itgovernance.co.uk), the world’s most comprehensive publisher and distributor of books, tools, information and advice on ISO27001, governance, risk and compliance.