A while ago, a press article quoted me as saying that the only way things were going to change in most organizations in terms of how they manage risks and IT Security overall was government and regulatory policies – forced down management’s throats with threats of bad things if basic, common sense things were not implemented. (I didn’t actually say the latter but, then again, maybe I did but it wasn’t printed).
After a couple of years seeing what the financial regulators were starting to do in Asia and seeing what was not happening here in Australia, it became evident that the one common denominator to the success of things happening in IT Security and Risk Management practices in Asia came down to regulators like the MAS, BOJ, FSA etc. Development and circulation of pretty decent “Guidelines” (Read: Do it or else!) to Banks (with a particular focus on foreign owned entities) to minimize “weak” practices and potential bad flow-on effect to the country in question meant that for the first time, IT Security people were being brought into real-world facing positions and dare I say it, finally being listened too on a fulltime or close to fulltime basis.
Oh what a difference it was coming from a position in an Australian company where every achievement was a battle, to being in a position where a company’s reputation and business was staked also on the success and input of specialized IT Security and Risk guys. Finally, proof that it can happen! Now don’t get me wrong. Things still weren’t and aren’t perfect but they were far, far and away light years from what I was used too.
When I did return to a local focus, the difference in practices was scary – very scary. WTF was going on here in Australia? WTF do the regulators do? WTF does the government know? Nothing had really changed.
Sadly, things haven’t changed that much more in the last few years. SOX, ISO standards and other various things have seen their fair share of popularity, but at the end of the day, who really believes that their implementation has made any significant difference? Great, you’re SOX compliant and you’ve just had an audit to show you’re almost 27001 compliant BUT, (and luckily for you that you have a smart IT Manager who decided to hire us to do a real security review for you), we’ve just managed to demonstrate how we can own your entire global network (relatively easily and due to basic security controls not being in place). But at least you are compliant! Go figure that one out. (More on security vs. compliance another time).
Anyway, so in the press article, the journalist needs to include a response from someone in “authority” to round off the story. A government dude responds – disagreeing with my view that the only way things will change is by firmer controls being mandated. He goes on to state that they are in the process of developing some FYI standards and that organizations will be able to read and hopefully use them when they bring them out – and that will solve the problem. Awesome I thought! Just what we need – another set of optional standards to sit alongside the scores of similar ones that are out there already collecting dust.
PS. They never did release anything (at least not that I am aware of).