ISF Updates Security Standard, While Encouraging Accountability

The ISF, which offers guidelines to help companies meet NIST standards, is changing along with global thinking about security, a growing focus of the C-suite.

ISF guidelines

The Information Security Forum, a not-for-profit association that offers research-based security guidance to a global membership of enterprises, on July 27 issued a major update to its Standard of Good Practice, a guide for meeting the objectives set out by the U.S. National Institute of Standards and Technology.

The updated guide has been restructured into 17 categories and makes it easier to more systematically address four information security life cycles: employment, information (electronic, printed and spoken), hardware and system development.

Steve Durbin, managing director of the ISF, has pointed to escalating security threats and the need for organizations to be more transparent and methodical about their governance, as they'll eventually be called on to show the steps they've taken to secure information. In a statement announcing the update, he said he hopes businesses view the Standard as "practical guidance" and a "business enabler."

Speaking with eWEEK the day before its release, Durbin discussed how data breaches used to be so-called messes left to "the security guys" to clear up, which is now far from the case.

"More recent breaches and hacks have demonstrated that when something goes wrong, someone has to stand up and say something about it," Durbin said, on a call from London. "The bigger the breach, the higher up the executive chain. … It has served to tell the C-suite that security is something they have to address, as a matter of business continuity."

Stock prices fall after a publicized breach, yes. But they tend to recover.

The change taking place has more to do with customers and employees, said Durbin. "It's about trust, reputation, brand. And that's where people like the CMO [chief marketing officer] tend to get involved. As you break down the impact, everyone in the boardroom has a role to play now."

Durbin has been preaching for some time that security has become an issue that can put the entire C-suite on trial, as it were, defending their actions.

So what about the ways governments handle data? Are officials feeling the same pressure as CEOs? Not yet, says Durbin.

"Government doesn't seem to have the same level of accountability," Durbin said. "The reality is that they seem to be able to gather it, store it and if it gets lost, well, that's the nature of the beast. Sorry about that."

Which, he notes, has a lot to do with where organizations decide to put their budgets.

"This is increasingly where we see risk assessment taking place—private or public, it doesn't matter," said Durbin.

And in both cases, there's a need to engage people to help improve the outcome.

"We're battling a range of elements. People want to say, 'It's not really my responsibility. It should have been secured. It's not my fault.' … And really there is no easy answer. But it does come down, in part, to individual training … and to raising the level of engagement," said Durbin.

"Humans do have the ability to be the strongest link—to spot things that are out of pattern," he continued, noting that such areas are where sophisticated technologies such as machine learning can contribute as an additional line of defense. But humans will still always play a major role.

As for the ISF, its membership has changed along with the thinking about security. According to Durbin, ISF membership has doubled over the last four or five years, with now more than 400 members in 32 countries—versus 15 countries a few years ago.

From a vertical perspective it's also changing. While inherently security-centric verticals once dominated—banking used to represent one-third of membership, but is now one-fourth—membership from verticals such as transportation, manufacturing, retail and utilities is increasing. Which Durbin says points to how "mainstream" security is, now that everything is cyber-enabled.

"We've seen an increased level of understanding of the importance of security, certainly. That said," he added, "companies are still trying to play catch up."