In thinking through this question and working towards an answer I found myself flip-flopping on which position I was going to take. Just for background purposes, the main driver for this question came from my reading of The Big Switch by Carr. In this book, and another by the same author, Does IT Matter?, Carr alludes to the fact that Information Technology has become so common across companies and industries that it rarely creates a competitive advantage. While I found myself disagreeing at first (mainly because all IT people want to think they are special) I was eventually persuaded by his argument. One thing that helped sway me was my consulting background and the fact I had an opportunity to see the inside of so many different IT organizations. In thinking back to these companies I started to think of how each did almost the same thing on almost the same platforms. An example is email: every organization was providing the same service to its employees using the same software. It didn’t matter if the organization under review was a large healthcare provider, a bank, or an energy company. The Big Switch, which is actually supposed to be more about cloud computing, brings in the idea that these IT “commodities” can be outsourced to someone who can do the same thing faster and cheaper than your IT staff can do it in-house.
So, if information security is an extension of IT then I would ask if it also will be viewed as commonplace and therefore subject to the same forces of consolidation? Does information security matter? I made the mistake early on, working at a privately held company not subject to many regulations or security requirements, of thinking that the direction of the program could take any route necessary to meet the end goals. I didn’t view our organization as having any of the tedious compliance requirements. But then we started to see our clients (mainly healthcare, banks, and energy companies) sending questionnaires asking how “well” we were handling security and what controls we had implemented. Their concern was very simple. They have certain security controls in place to protect their data while it is in their possession…how do you intend to protect their data while it is in OUR possession? My days of not worrying about compliance were quickly coming to an end. The reality is that we need to benchmark our controls against our clients’ requirements and not against other law firms.
To date I am unaware if these questionnaires have actually caused us to gain clients, keep existing clients, or to lose clients. One reason I believe I don’t see a change quite yet is that we are at the “questionnaire” stage. I would assume as we move into “questionnaire followed by assessment” that information security may be able to provide a competitive advantage…obviously in conjunction with reputation and bill rates. One other open item will be how quickly we move from competitive advantage to doing the same as our IT friends. At what point will security be uniformly applied across companies such that it no longer offers a competitive advantage, and more importantly, when and if security will be outsourced?
My prediction is that it will take some time, as security (good security) is lacking at too many organizations. Regulations and other industry standards (e.g. PCI DSS) are forcing companies to enhance security; however, I don’t think we have reached the stage of standard security controls being applied across companies. For now it appears to have a neutral effect, at least for law firms, being neither an advantage nor a disadvantage. Then again, we could be one big law firm breach away from that position shifting very quickly in favor of advantage.
Agree or disagree?
Social engineering is never going to go away. So, as Valentine’s Day has passed, there is little doubt that the Waledac botnet just got a little bit bigger. I was passed a link that made it through into a user’s personal email account (read: hotmail) that contained a link to a greeting card from someone they didn’t know. At least our awareness campaign at work seems to be working, since the user did not open the link and simply forwarded it on to us.
Want to connect your system to the Waledac botnet? Follow this link: http://kgiooc.greatvalentinepoems.com/?code=1ded8ca8edba09d6a295130 and download postcard.exe (WARNING: This is the actual malware exe, and if you run it you are infecting your system). Just for fun, try to upload a copy to www.virustotal.com and see how many AV engines find this as a Trojan…was yours in the list? If not, consider using NOD32…for some reason you never hear about them but they have a very high catch rate for malware. I’m not endorsing the product, but it does seem to work well for ~$40.
More info about the Trojan and the botnet here: http://www.eset.com/threat-center/blog/?p=536
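The lure described above (an e-card link with an opaque `code=` parameter leading to a `postcard.exe` download) is easy to triage mechanically before anyone clicks. The following is an added example, not code from the original post or from ESET: a small Python triage helper that pulls URLs out of a forwarded message, scores them against the e-card lure pattern, and computes the SHA-256 of a captured file so it can be looked up by hash on VirusTotal instead of uploaded or run. The sample message and its domain are constructed for the example.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample of a forwarded lure; the domain is a hypothetical placeholder.
SAMPLE_EMAIL = """From: a.friend@example.net
Subject: You have received a Valentine's card!

Someone who cares about you sent an e-card. View it here:
http://abc123.example-valentine-cards.test/?code=0123456789abcdef0123456
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_WORDS = ("valentine", "postcard", "greeting", "ecard", "e-card")


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def score_ecard_lure(url: str) -> list[str]:
    """Return the heuristic reasons a URL looks like an e-card malware lure.

    An empty list means none of the lure traits were seen.
    """
    reasons = []
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if any(word in host for word in LURE_WORDS):
        reasons.append("lure keyword in hostname")
    # Waledac-style tracking value: a long opaque hex 'code' query parameter.
    codes = parse_qs(parsed.query).get("code", [])
    if any(re.fullmatch(r"[0-9a-f]{16,}", c) for c in codes):
        reasons.append("opaque hex 'code' parameter")
    if parsed.path.lower().endswith(".exe"):
        reasons.append("direct executable download")
    return reasons


def triage_message(text: str) -> dict[str, list[str]]:
    """Map each URL in the message to its lure indicators (only flagged URLs)."""
    return {u: r for u in extract_urls(text) if (r := score_ecard_lure(u))}


def sha256_for_lookup(data: bytes) -> str:
    """SHA-256 of a captured file, for a hash lookup rather than executing it."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for url, reasons in triage_message(SAMPLE_EMAIL).items():
        print(url, "->", ", ".join(reasons))
```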