
'It's important for us to come out in the open'

DQI Bureau

Hugh H Penri-Williams, chairman of the Information Security Forum's (ISF's) Council & Executive, is busy creating visibility for the Forum, which had preferred to remain a low-profile club until recently. Shubhendu Parth and Shipra Arora of Dataquest caught up with the man who is busy walking the tightrope of growing ISF and opening its doors to benefit non-members, even while ensuring that member companies do not lose their advantage. All this while juggling the Chief Information Security Officer (CISO) hat at Alcatel as well. Excerpts:


Traditionally, ISF has been maintaining a low profile. What's causing the forum to change its tracks now?



It is important for us to come out and explain to the public at large what we are because it is a not-for-profit organization and there are certain commercial organizations that we compete with. We want to go well beyond the 300 numbers and reach the 500 mark. There are two dimensions to this. One is the geographic growth and that is why I am sitting here today. There are parts of the world that are not adequately represented in an information security arena, and India is certainly up there at the top and, therefore, should be a part of that.

And, the other one is going in-depth in terms of the sectors in order to make sure that we don't just have banking and finance dominating the forum. We have pharmaceuticals, the transport industry as well as the vendor sector. So, it's very multicultural in terms of the spread as well as a multidisciplinary gathering. We have government departments coming in from the regulatory aspect.


How do you plan to broaden your base and take your work beyond this standard company? Is ISF ready to handle this change after being closely guarded for years?



Well, we did that with the forum's standard of good practice for information security. We put that in the public domain about 6 or 7 years ago. We have put a couple of reports out on the public website. It's all good saying that we're a not-for-profit company and we're just a loose conglomeration of people that we need to have a good legal standing for the intellectual property. But people need to know if the forum says something, although we are very careful about making statements because once you are talking for 300 different organizations, there will always be some who say that they don't agree. It is our delivery work - the reports that come out, the survey that we do, the congress that we have, and it's a workbench - that speaks for itself. It's an enterprise risk management workbench that we have put together. It has a threat and vulnerability database, which controls, security and legislation database, which the OECD has taken a big interest in and would like to develop with us. So, it looks as though it's going to move actually into the public domain with their support. It is for people to pick and choose what they want to have. Hopefully, they get at least half of what they would like to have because our program is decided by the membership. It is not decided in some dark chamber. It is actually the members voting for what they would like to have each year and we're just planning to attack on topics in the year 2007.

The OECD initiative will give us some visibility. I have also been negotiating with the IT Governance Institute, the holders of the COBIT IPR, which we have a license to use in some of our deliverables. We would like to do some joint projects that would be available not only to our members but also to those organizations that subscribe to ITGI. It might seem a slow process. On one hand we don't want to disenfranchise the members who are investing in it but on the other hand we don't want to completely keep the lid on it.


Can you share some examples of interesting things the ISF has been able to achieve?



Well, the one that I am actually presenting to the ISACA Chapter at the moment, I can't give it to them, but at least I can show what we have created called the Security Health Check. This is the result of the survey that we have been doing every two years. It's not mandatory for the members but we encourage as many of them as possible to take part in all sectors so that we can have sector comparability within the survey as well. It is a major undertaking for a company to engage in the survey. Sometimes they want to have a snapshot of a particular situation. So we created one survey, which covers the broad spectrum of things, but it does it in only 179 questions. This survey can actually show where the strengths and weaknesses are. It is reasonably generic, so you can use it to look at a network, data center, business process, and third party outsourcing relationship.


How do different verticals compare internationally in terms of adoption of security practices? For instance, in India you have a clear layering wherein the banking financial services, BPO and software sector are pretty high on security practices and then there is quite a bit of gap with the manufacturing industry and other industries following in.



I think this is fairly global, though the gap may vary. The banks and the financial industry, apart from the military, of course, and the government departments have always been at the forefront simply because of the nature of what they deal with, and invariably they have the money also to address information security to a very high degree compared to more traditional industries. Although it is catching up with them now because reliance on information systems, no matter what you are doing, is increasing.


How do you plan to expand your member base from the current 300 to the 500 mark?



Our current strategy is a sort of three-year horizon. So, I hope that at the end of three years, not necessarily in a linear fashion, we will have these members in place. There are some sectors that are not as strongly represented as they should be compared to their importance in the global economic activity. Therefore, there are still plenty of places and it is not that we have exhausted the top layer.

£16,000 is a lot of money. At Alcatel, I have four different departments to pay - the CIO, the chief security officer, the head of the Internal Audit Department and the head of the Risk and Insurance Department. This way, psychologically, nobody signs £16,000 and this is what I recommend to others to do. Also in terms of sharing, I make sure that other departments are involved in these various work groups in Chapter meetings.


A quick look at the ISF membership profile suggests that there are more financial services sector participants than others. Does that mean the sector is more actively engaged in the information security front?



Yes, precisely. The banking and financial services have been the mainstay and in a wider sense were really the founding element. Around 90 member companies out of the 300 are purely in the banking and financial sector. Just think of those in India who are not included in that but who in my opinion ought to be - both state owned as well as private sector companies.

So, what do you have in store for India?



We still don't have any members from India and this is the reason why I am dedicating two weeks of my private time here. As a volunteer chairman of this association my job is to get a critical mass in India and have future Chapter meetings here. We already have existing member companies with operations in India who could also participate in this, but they do not necessarily always have information security specialists on site. I think we could do just with these companies like I have mentioned but that still, for me, is missing the point. The actual point is to have the Indian insurance companies, software companies, manufacturing companies, and government departments.


If you were talking to an Indian technology or BPO or services company, what would you tell them on the gains of becoming a member?



They would gain the existing library and get a full set of deliverables. Also, they would be able to participate in the ongoing process of creating new deliverables. But, above all, they would have, instantly, a networking relationship with the other 300 companies around the world. It's like a circle of trust where literally you can pick up the phone, look in a directory and see somebody who is in the same sector as you in Australia. You may not have met this person but you can make a call to this person or, ideally, have an introduction through a third party that is commonly known to them. In the forum, people will happily share information and views without any sense of monetary gain or goal in their mind. It is really like 'I help you today, you help me tomorrow'. So, they would benefit greatly from sitting at the table albeit in a virtual sense, except at congress when we all get together once a year.


Do you think the law has not changed as per technology needs?



The law by its inherent nature lags behind. I feel very much that there is a dangerous route that we can take. Whilst on one hand we may criticize the law for not being able to cope with the cyber age, on the other it should not be the norm that we try and formulate laws in every single thing that has to do with cyber activities. There are plenty of existing statutes. But somehow we seem to think that for information security, we cannot pursue somebody because there is nothing on the statute that actually mentions the word PC or whatever the terminology is. Surely, some things need to be changed but we really don't have to go as far.

The younger generation has this attitude that the cyber world is a sort of free for all zone and that is, I think, where we get into the legal aspect. The attitude amongst the younger generation is that if technically something is possible then it is probably all right. I think this is leading us down in creating laws for the cyber space, which, in my view, is not needed. If you have done something that has injured somebody else, who cares what the weapon was, but we certainly need to be mindful of the fact that there are some things that might need to be notified. But, I don't think we need to go and set up like a parallel legal system for the cyber world.
