ISACA chief: Power is with the people after NSA saga

Since whistle-blower Edward Snowden opened the floodgates on revelations surrounding the US National Security Agency’s (NSA) hyper-surveillance programmes earlier this year, the steady stream of 'leaks' has become something of a tsunami.

With collaborators ranging from the UK’s own GCHQ to an array of data-rich corporations, the NSA’s campaign appears to draw no distinction between targeting guilty or innocent, or indeed friend or foe, as demonstrated by this week’s reports that politicians in both France and Germany have been spied on by US authorities.

With the scandals having such far-reaching implications for the IT industry, and particularly the information security sector, ITProPortal was keen to hear the thoughts of Ron Hale, the CEO of the non-profit security association ISACA, when he paid a recent visit to London. With over 110,000 members across 180 countries, ISACA is well positioned to relay the concerns of IT managers and businesspeople around the world, and Hale admitted that the past year has seen privacy and data handling skyrocket as major anxieties in the enterprise.

Hale (below) explained that in 2012, a study conducted by ISACA and the Cloud Security Alliance found almost no examples of business concern about how third parties protected their information, whereas industry discussion post-Snowden has “shown us a change in how people are perceiving technology and how it’s used.” Hale believes that the adoption of cloud and other technologies that disperse sensitive data may now slow significantly, as companies and consumers wonder what will become of their private information.

“I think with some of the recent disclosures about the National Security Agency and how they’re getting information from Amazon, Google, [and others] - people weren’t very sensitive to it before. They thought there’s nothing that I’ve put out there that’s harmful to me and I’m much more interested in being safe. But I think people are getting a little bit of a different feeling because we have an understanding of what we think the government is doing with our information and identity now.”

While the surveillance exposés have left many of us feeling more at the mercy of governments and corporations than ever before, Hale says the increased awareness around data handling can actually empower normal people, who can hold organisations accountable for the misuse of their information. Moreover, with their inherent reliance on customer loyalty, Hale believes big companies will be forced to placate the public and be more transparent about their data handling.

“In the Internet world everybody can take a stand and the public opinion is very strong. Public opinion is now being expressed, and companies like Google and Amazon who shared information will think, hey, we don’t want to get a bad reputation so we’re going to have to play more on this public image side.

“So I think that the power of the people who have designed the Internet, built the Internet, and are the users of it have such a stake in this, and the general public are going to set bounds for what’s appropriate and what’s not,” Hale said.

But in an increasingly volatile online world, data collection isn’t the only government activity worrying CISOs and businesspeople. Stories continue to buzz around nation state cyber-warfare, with countries’ critical infrastructure apparently being put at risk by increasingly sophisticated attacks. Are such reports media hyperbole, or something more serious?

“I think that it’s real, and it’s a concern,” said Hale, adding that companies of all sizes could be affected by state-orchestrated attacks. “There’s a lot of people that are part of the critical infrastructure that aren’t necessarily big organisations with well-qualified security staff. [Companies] might have a lot of down-street suppliers that they count on for building systems or installing security devices – and do they understand what they need to do?”

As a result, improving employee understanding and creating a ‘security culture’ at every company is crucial, according to Hale, and forms a fundamental part of ISACA’s work.

“Last year we did a book on the culture of security and recognising that if you don’t have a security culture, the technologies, processes and policies that you establish aren’t going to be effective. Security has to be running through the DNA of the people in your organisation.”

Hale’s meeting with ITProPortal came amid a brisk London tour for the ISACA chief, who revealed that meetings with other security associations similar to ISACA were firmly on his agenda. Collaboration and the sharing of intelligence were key to progression in the security industry as a whole, he argued, saying there was “no value in competing.”

“I think that in the association world, and in general, we’re coming to a recognition that joint activity can have a greater impact than things you take on your own. The things that ISACA puts out - COBIT for example [the group’s framework for IT management] - people should take pieces of that but also pieces of ISO, ITIL, and work that is done by the Information Security Forum too.”

The IT sector would do well to heed such a notion at present. As the NSA saga continues to foster anxiety and distrust, dividing companies, governments and citizens, increased cooperation and openness could begin to repair the damage caused by recent revelations. And ultimately, as Hale hopes, it could restore some online power to the people.