'It's important for us to come out in the open'
-Hugh H Penri-Williams, chairman of Information Security Forum's Council & executive and chief information security officer of Alcatel
Saturday, January 27, 2007

Hugh H Penri-Williams, chairman of the Information Security Forum's (ISF's) Council & Executive, is busy creating visibility for the Forum, which had preferred to remain a low-profile club until recently. Shubhendu Parth and Shipra Arora of Dataquest caught up with the man who is busy walking the tightrope of growing ISF and opening up its doors to benefit non-members, even while ensuring that member companies do not lose their advantage. All this while juggling the Chief Information Security Officer (CISO) hat at Alcatel as well. Excerpts:

Traditionally, ISF has been maintaining a low profile. What's causing the forum to change its tracks now?
It is important for us to come out and explain to the public at large what we are because it is a not-for-profit organization and there are certain commercial organizations that we compete with. We want to go well beyond the 300 numbers and reach the 500 mark. There are two dimensions to this. One is the geographic growth and that is why I am sitting here today. There are parts of the world that are not adequately represented in an information security arena, and India is certainly up there at the top and, therefore, should be a part of that.

And, the other one is going in-depth in terms of the sectors in order to make sure that we don't just have banking and finance dominating the forum. We have pharmaceuticals, the transport industry as well as the vendor sector. So, it's very multicultural in terms of the spread as well as a multidisciplinary gathering. We have government departments coming in from the regulatory aspect.

How do you plan to broaden your base and take your work beyond this standard company? Is ISF ready to handle this change after being closely guarded for years?
Well, we did that with the forum's standard of good practice for information security. We put that in the public domain about 6 or 7 years ago. We have put a couple of reports out on the public website. It's all good saying that we're a not-for-profit company and we're just a loose conglomeration of people that we need to have a good legal standing for the intellectual property. But people need to know if the forum says something, although we are very careful about making statements because once you are talking for 300 different organizations, there will always be those who say that they don't agree. It is our delivery work - the reports that come out, the survey that we do, the congress that we have and it's a workbench - that speaks for itself. It's an enterprise risk management workbench that we have put together. It has a threat and vulnerability database, which controls, security and legislation database, which the OECD has taken a big interest in and would like to develop with us. So, it looks as though it's going to move actually into the public domain with their support. It is for people to pick and choose what they want to have. Hopefully, they get at least half of what they would like to have because our program is decided by the membership. It is not decided in some dark chamber. It is actually the members voting for what they would like to have each year and we're just planning to attack on topics in the year 2007.

The OECD initiative will give us some visibility. I have also been negotiating with the IT Governance Institute, and holders of the COBIT IPR, which we have a license to use in some of our deliverables. We would like to do some joint projects that would be available not only to our members but also to those organizations that subscribe to ITGI. It might seem a slow process. On one hand we don't want to disenfranchise the members who are investing in it but on the other hand we don't want to completely keep the lid on it.

Can you share some examples of interesting things the ISF has been able to achieve?
Well, the one that I am actually presenting to the ISACA Chapter at the moment, I can't give it to them, but at least I can show what we have created called the Security Health Check. This is the result of the survey that we have been doing every two years. It's not mandatory for the members but we encourage as many of them as possible to take part in all sectors so that we can have sector comparability within the survey as well. It is a major undertaking for a company to engage in the survey. Sometimes they want to have a snapshot of a particular situation. So we created one survey, which covers the broad spectrum of things, but it does it in only 179 questions. This survey can actually show where the strengths and weaknesses are. It is reasonably generic, so you can use it to look at a network, data center, business process, and third party outsourcing relationship.
