Much has been made of our inability to prevent cyberattacks. New technology at best slows attackers, forcing them to find other ways of terrorizing victims. Now some tech pros are pointing to an ISO security standard as the answer.
ISO 27001 was approved in October, replacing British Standard 7799-2 as a way to position companies to pass security audits. In certifying to it, companies are in a position to move quickly when they identify a potential problem.
Consulting firm Churchill & Harriman worked with the Federal Reserve Bank of New York to bring its national incident response unit into compliance with ISO 27001, putting the bank ahead of most U.S. businesses. The national incident response unit monitors, analyzes, and escalates information about security threats to the business. Out of necessity, financial services companies lead the way in technology adoption, particularly in security, says Ken Peterson, CEO of the consulting firm.
Of the 2,546 businesses worldwide certified to BS7799-2 or ISO 27001, only 120 operate in the United States. By contrast, 1,517 of the certifications have gone to Japanese companies, the most in any country.
ISO 27001 may help businesses secure cybersecurity insurance, says Barry Kouns, the Churchill & Harriman VP who led his firm's work with the Federal Reserve Bank of New York. "This type of insurance would pay if there was a denial-of-service attack or data theft," he says. To qualify for such insurance, companies must demonstrate that they have security measures and processes in place.
Of course, standards will never be more than a foundation; they don't predict the next bug in Windows or an attacker's ability to exploit that bug. ISO 27001's detractors say it's an expensive process with little guarantee of success in combating the next threat. Standards primarily organize a company's security strategy so that security professionals know what to do to address a particular problem.
Process frameworks such as ISO 27001 are built by committee, "but not all of these ideas are good or have been tested," says Gene Kim, CTO at Tripwire, which makes change-auditing software. "Management has to do something, so they go with what's most popular." Based on his research of successful companies, top performers address specific problems rather than overhauling their entire organization. Says Kim, "It's best to do 20% and get 80% of the results."