The Information Security Forum's latest reports are aimed at helping CISOs identify and protect essential assets, and the ISF offers consulting services to aid in adoption.
The Information Security Forum (ISF) announced a new series of reports designed to help organizations protect their most essential assets. In concert with the release, it also announced a new component to its business—short-term consultancy services to help ISF members implement its advice.
"There's probably no one better-equipped to deliver these services than we are," Steve Durbin, managing director of the ISF, told eWEEK. "We developed the tools, and we have the ability to help members use them."
The ISF, founded in 1989, is a not-for-profit organization that helps member enterprises around the world and from every vertical market understand and act on cyber-security risks.
Durbin added that the ISF won't be "doing the work of the Deloittes—it's not about putting a large number of people on the case."
Rather, what it aims to do is provide independent evaluations and validations of members' security arrangements; assess information risk; help senior staff build effective "cyber-resilience" programs; provide pragmatic, vendor-neutral advice; translate security risks into board-level reporting; and securely deliver business-essential projects.
Because the ISF is a not-for-profit, fees will be well below what companies would pay a "Big Four" firm, Durbin added. "It's a very natural next step for us."
Protecting the 'Crown Jewels'
According to the ISF, information assets can represent 80 percent of an organization's total value. The new reports, collectively titled, "Protecting the Crown Jewels: How to Secure Mission-Critical Information Assets," are the largest the organization has offered in a while, according to Durbin. It's the ISF's belief that while business leaders may understand what constitutes their so-called crown jewels—the assets most likely to attract motivated, well-funded and organized threats—few understand the extent to which their assets are exposed to threats.
The reports explain how to identify mission-critical information assets; identify the greatest threats to them; determine the right protections to put in place; determine how to implement those protections; and determine how to counter adversarial threats.
"To me, the most challenging piece of that is identification," said Durbin, explaining that the mission-critical components of a business may exist in different places.
"If you sell ketchup, your recipe is mission-critical. That's easy," said Durbin. "But if you're a smartphone maker, your marketing plan is also a mission-critical item, until the launch, anyway. Mission-critical items can have varying life spans. And they can be things that not everyone may right away identify as mission-critical."
And even then, a corporate information security officer's (CISO) work isn't always done.
"If you look across the enterprise, who's most attractive to a hacker?" asked Durbin. "Probably someone in the board room, who's storing information on a tablet. These people have so much information, from the mundane to the hugely confidential."
Such a person also may be disinclined to fully honor an enterprise's security protocols, or to believe they present much of a threat—which can be where the ISF's consulting services come in. Security is no longer just a technology issue in the old sense; gone are the days when any worker had the luxury of existing within a stereotype—the communication-averse IT person, in this case.
"Today it's just as much about people skills," said Durbin. "If you can't understand a guy [and his tech jargon], you're not going to talk to him."
The ISF's old framework was self-help oriented.
"We'd give you the tools to do a job. Even if you may not have the resources in your organization to do the job effectively," said Durbin. "Now, we're providing a convenient way to make sure your business needs are met."
ISF Consultancy Services were soft-launched over the last few months, and the response has been good, said Durbin, adding that particular interest has come from the finance and retail industries. A hard launch will arrive in October.