September/October 2005 issue

Consultants wave integration flag


Mick James

Consultants of every stripe are climbing on the information security bandwagon. All of them carry the flag of integration.

The modern management consultancy industry has a rich and varied heritage that gives it a broad range of perspectives on information security. Consultancies can draw on the services of any and all of accountants, disaster recovery experts, defence specialists, software engineers, to name but some. As security moves up the management agenda, they are bringing these strands together in an effort to work with their customers in a more strategic and integrated way.

“Information security is caught in the middle,” says Barry Beale of Capgemini, a systems integrator. “Customers are extending their businesses much more in terms of connectivity with workers and customers. The net result is that core information assets are more exposed. What used to be in the back office is now online.”

However, Beale says during the “gold rush of the dotcom years”, information security was pushed onto the back burner. As a result many companies are still playing catch-up, even as the need for information security increases.
At the same time, the fundamental model of information security is changing. “The old perimeter-based model is based on a number of assumptions, such as that you have good control over everything inside the perimeter, that the people inside are low-risk. We would question that,” he says.

IBM, the jolly blue giant

In recent years IBM has shifted its business away from IT manufacturing towards services. Since it acquired PwC’s consultancy business it has been the biggest consultancy organisation in the world. As such its view of information security is particularly broad, ranging from strategy and human resources to disaster recovery and security products.

“A couple of years ago IT security was all about point solutions,” says Nick Coleman, who heads IBM UK’s security practice. “Now security is not just a product but a service you give to your customers.”

One of the growing markets in security consultancy is for forensics and investigation. “The number of incidents is rising. Companies don’t always have access to the best resources, so they look to consultants,” says Coleman. “When you’ve had a risk incident and need to investigate it, you’re not only quantifying the impact on the organisation, but on a qualitative scale you’re working out the risk to those assets.”
As businesses become increasingly dependent on IT assets, IBM is bringing together a long history in areas like business continuity with its newer focus on consultancy.

“When you look at security from a disaster recovery perspective, it’s all about having resilience across your organisation,” says Coleman. “Take access control — from a business continuity perspective that’s about how many employees there are in the building and how do we evacuate them (in an emergency). For the integration of these requirements you’re not just buying a technology, but buying a service to integrate these databases.”

This takes information security far beyond IT skills. “Our business consultancy has skills in human resources and business process reengineering whose activities complement our IT security practice, so it’s very easy for us to build a team from any or all of these disciplines,” says Coleman. “It’s also important to have the sector-specific skills. For example in airports, you can use RFID tags at check-in so you know whose bag is whose. These technologies are now part of security, but are people including check-in in their information security thinking?”

In future, says Coleman, security should be an enabler of business as well as a protector. “Information security is not a niche business anymore. It’s part of the core and affects the whole way the board looks at and runs the business.”

While groups such as the Jericho Forum call for deperimeterization, the so-called “boundary-less enterprise”, Capgemini wants “reperimeterization”. This combines the management of data, access and intrusion detection in a single model.
Beale says: “Fifteen years ago you had a lot of ill-integrated point solutions, creating islands of connectivity. PCs and mainframes were kind of linked but not in a very satisfactory way. Today most organizations will have a decent network infrastructure and use strategic sourcing.”

By working with an integrator like Capgemini, organizations can take a similar approach to information security, instead of buying links in the chain piecemeal from the highly fragmented solutions market.

“I’m not suggesting you buy everything from a single vendor, but by breaking security down into domains such as access management you can first create the architecture and then fulfil that through strategic sourcing,” he says.

Thinking outside the box

PA Consulting is one of the longest-established British consulting firms, and combines strategic and business consultancy with industrial and technical expertise.

Bernard Robertson, a member of PA’s management group, is responsible for the firm’s IT security services offerings. He says: “Information security is becoming commoditized at the product level, but in terms of managing the people and processes that underpin it, it’s requiring more and more strategic thinking.

“One of my clients is a really visionary IT manager. He can see things coming two, three or even four years away. He doesn’t seem to bother about technology at all — he looks at the appetite for risk and what’s changing in the world, then he makes sure he’s shored up the dykes before the water starts rising.”

Working like this has led PA into new areas of security. “One of the really interesting things we’re doing at the moment is outside the area of pure IT security, what we call process control security,” he says.

In the past, machines that controlled manufacturing and distribution processes were never connected to the IT network. But this is changing. “Now management wants to know what’s happening, so they’re integrated into the logistics system to give real-time data,” says Robertson. “Now they’re connected to the IT network and even the Web, to receive updates from the factory floor via modem.”

The potential for hackers is clear. Worse, whereas these machines used to use custom-built processors and proprietary operating systems, they’re increasingly based on standard kit and protocols and have “inherited the weaknesses of those systems”, as Robertson puts it.

“You could take control of the machine or send a denial of service attack, or flood the network to the point where it falls over,” says Robertson. “That could be a drug company or an oil company or the signalling system on the railway or the valves on a dam.”

To tackle these issues requires industrial engineering skills rather than IT skills. “But,” says Robertson, “you also get to deploy the fundamentals of IT security — the solutions are IT security solutions.”

In fact, process control security could become the next big thing in information security. “The first year we started talking about this, clients thought we were from Mars,” says Robertson. “Last year they began to understand. This year they’re putting budgets together to determine the level of risk they face.”

Holistic view

For this holistic view to succeed, security needs to be driven at board level. “Sometimes the chief security officer can become marginalized,” he says. “Security needs to be holistic across the organization and have sponsorship and support at the highest level.”

Now that regulatory regimes such as Basel II and Sarbanes-Oxley have put managing risk high up the boardroom agenda, this support may be more forthcoming. The new emphasis on compliance also plays to the strengths of the “Big Four” audit firms. With the exception of Deloitte, firms like Arthur Andersen, PricewaterhouseCoopers, KPMG and Ernst & Young sold off their highly lucrative consultancy arms. Most of this was done prior to Enron. Subsequent regulatory changes ask, but do not insist, that an audit firm avoids conflicts of interest when providing management advice and services to its clients. As they rebuild their advisory services, information security is a hot area.

PwC’s partner for information security assurance, Chris Potter, says his firm tackles information security from the broad perspective of enterprise risk management. The fundamental issue is to establish why you want to have security in the first place. This helps to determine the risks and how effective information security fits into that risk management structure.

“If you don’t take any risks you don’t make any money,” he says. “Too many people look at information security in its own right rather than in the context of the business and its governance and compliance and management structures.”
The key is “connected thinking”, says PwC. “A lot of people have a worldwide risk management structure, and at the other end of the scale you might have an information security structure,” says Potter. “That can end up as high-end and meaningless versus too detailed and technical. A good organization will marry these up.”

Potter says clients increasingly combine physical security, anti-fraud and IT security responsibility under a single person. However, it’s important that senior management remains involved. “Ownership has to come from the business,” he says. “If the security team doesn’t get the right input from the business on what the real risks are, then they won’t ask for the right things to counter them.”

Standards and regulations are no substitute for this, he says. “BS 7759, for example, is fantastic, but when people implement it they suddenly find themselves with lots of security controls they don’t need. The fundamental thing about BS 7759 is to do the risk assessment; you have to get away from the details.”

This also goes for new regulatory regimes such as Sarbanes-Oxley and Basel II. Says Potter: “There are two ways of approaching compliance; you can take it from the bottom up and do everything under the sun, or you can go top-down and say, what are the real risks and what have we done with them? If you look at Sarbanes-Oxley and Basel II, they’re quite happy if you go top-down.”
This makes security focus on the business issues. “The real issues are things like setting up IDs for new joiners,” says Potter. “Many organizations have a time-lag of days or even weeks. But if those employees need computers to do their jobs, what are they doing all that time?”

The case of Booz

Strategy consultancies like Booz Allen Hamilton, McKinsey, Bain and AT Kearney are often seen as the elite of the consultancy profession. Though small in size, their revenues per consultant are generally more than double those of process or IT-based consultancies.

Frequently boards bring them in for crucial independent strategic advice rather than implementation. Consequently they can play an important role in getting security discussions into the boardroom.

“We see information security as part of the broader topic of business resilience, maximising a company’s ability to endure, protect shareholder value and grow, while minimising the impact of costly disruptions to its business,” says Kevin Gardner, a principal in Booz Allen’s IT group. “The challenge is to integrate security into the firm’s strategic business planning and its business operations.”

Strategy firms seldom have problems attracting talent, and Booz Allen’s experts include former leaders of security and intelligence agencies, as well as experts in cyber-security, global supply chain management and wargame-based scenario planning.

“We integrate information security (or information risk management) very closely with a broader approach to risk management, and more specifically to operational risk management,” says Gardner. “Information security can often struggle to gain traction with the business — until a major outage or threat happens. We can bridge the gap between business strategy and IT/operations implementation.” One area Booz Allen is working on is the changing nature of information security in an increasingly outsourced world.

“For many firms, outsourcing represents a step-change in the complexity of information risk management,” says Gardner. “There are critical questions of how to manage and verify these risks most effectively. Current mechanisms, such as policies and standards, may not extend effectively beyond the enterprise.

“More critically, outsourcing often highlights fundamental flaws in the way the organisation has been managing its information risks to date.”

Booz Allen has now launched an annual survey to capture senior executives’ views on managing security and data privacy in outsourcing relationships. To take part in the survey and to receive a copy of the results go to: http://extweb.bah.com/outsourcingsecurity/survey

Not overhead

By bringing skills such as systems integration to the table, consultancies are able to talk about information security not as an overhead but as a route to greater business efficiency, says Richard Dykes, a consultant with Atos Consulting’s security team.

“If we did a Sarbanes-Oxley audit we’d look quite closely at the processes and governance aspects of that organization for weaknesses that are broader than pure compliance,” he says. “One of the present trends is to move away from the risk dimension towards security transformation, where we try to reduce the cost of the way those processes are administered.”

Identity management is a case in point, where organizations are beginning to count the cost of multiple password resets across a multitude of different applications. “Underlying that are core business processes which, for many large organizations, are fundamentally broken,” says Dyke. “You need to bring together payroll, HR and line management as well as physical access controls, or bring in an element of self-administration. Here we have an opportunity to get a much smarter deal with authorization and access but we pay for it by mending some fundamentally broken processes in the business itself and in doing so make the organization more robust.”

For consultants like Dyke, information security is increasingly a primary enabler of the new ways of working they want to introduce to clients. “Security is very dull if you concentrate on scaring a customer into buying some sort of countermeasure,” he says. “I like to do the kind of security where you bring big ideas to the table, and talk about things they want to do as a business, but once were too dangerous.”

Accenture’s Richard Lane, a senior manager in the security practice, says organizations should see developments such as the loss of the perimeter as opportunities rather than threats. “We used to say the perimeter was security,” he says. “Now we talk about the ‘porous enterprise’.” In both his own and clients’ organizations, Lane sees more people using VPNs (virtual private networks) or secure portals to access enterprise information from home via broadband or on the move.

Perimeterless

“If I can be at a client site and connected to the same network, why do I need a perimeter any more?” he asks. “Why do I need to manage a physical network at all, when I can use cable or broadband in the office the same way I do at home?”

Lane points out that this could lead to immediate savings in terms of reducing physical security or even doing away with smaller networks in satellite offices. But combined with other technologies, it can also transform the way people work.

“You end up in a networked environment where you can send a group of people to work at a client and they can work just like they’re in the company,” he says. “You’ve not just secured the company, you’ve enabled them to have a more mobile, flexible work-style and to get closer to the customer.”

Lane sees exciting possibilities in areas like enterprise-wide digital rights management. “Most people see DRM as a technology for protecting entertainment media that doesn’t work, because of the ‘analogue hole’. In the enterprise we can secure against that,” he says. “In the enterprise DRM enables new workflow solutions — I can allow contractors to gain access to sensitive documents, knowing I can always revoke that access even if they’ve taken a copy home.”

For Lane this kind of thinking about security moves away from measures such as ALE (annual loss expectancy) and ROSI (return on security investment) that try to balance the cost of security against potential losses. “Customers aren’t buying this stuff anymore. They’re less and less inclined to believe it, and if it’s used inappropriately it’s garbage-in, garbage-out,” he says. “That’s good — we don’t want people buying out of fear. We want people to look for long-term value, to come back in five years’ time and say that was a good investment.”

For consultants to achieve these goals they have to ensure that security is discussed early in the life cycle of projects rather than being bolted on afterwards. “One of the biggest challenges to make an organization secure is to get security awareness built into a change management programme,” says BT’s Allison Barnett, business development manager for BT’s security practice. “If you want to sell security, don’t mention the word. You have to sell it on the back of something else the organization wants.”

BT is reinventing itself, and consultancy is a big part of its move to become a business services provider rather than “the phone company”. It has had some major wins over the big consultancy brands recently, and, claims Barnett, in many cases information security was what won the deal for BT.

“In BT we have not just customer-facing consultants, but also internal consultants because of what we have to do with our own networks,” says Barnett. With 400 external consultants, 200 of them in the UK, and 800 internal ones, this “puts us right up there with the big boys,” she says.

BT’s security practice draws heavily on this expertise, and also its work with government. This includes certifying security products against government specifications. “We take our rich government experience, and apply it pragmatically to other areas such as finance or petrochemicals, and then bring in their own regulations and standards.”

Compliance transparency

Barnett calls this approach “compliance transparency”, or “the convergence of compliance”. This is similar to the way data, voice and video networks are converging, she says.

“Compliance transparency should enable any organization to comply. It’s not a total solution but you’ll be 99% there and also ready for future regulations,” she says.

BT does an enormous amount of research into information security, not least because it is basing its so-called 21st century network on the Internet Protocol (IP). Barnett says: “Everything’s converging on IP, which of course is inherently insecure. A huge amount of work has gone into it and we have to demonstrate that the network is insecure.”

“BT is always being asked about future technology, customers say if you’re doing this (switch to IP) you must be forecasting the 2010 and the 2015 landscape,” she says.

In response, this autumn BT will run a customer showcase about the security aspects of future networks. This will help customers be more proactive about future security threats.

It’s hard to imagine this would have sparked much interest a few years ago, but the world has changed. For the big consultancies at least, security is no longer a back room issue, but a major selling point for their firms.
