HOW DEBORAH HURLEY’S SEMINAL REPORT ON THE SECURITY OF INFORMATION SYSTEMS BECAME THE BASIS FOR ISO 27000 INTERNATIONAL STANDARDS
Deborah Hurley is Principal of a consulting firm, which she founded in 1996, and a Fellow of the Institute for Quantitative Social Science at Harvard University.
From 1988 to 1996, Hurley was an official of the Organization for Economic Cooperation and Development (OECD), an international organization based in Paris, France. At the OECD, she was responsible for identifying emerging information and communication technology issues. Between 1989 and 1992, Hurley wrote the seminal report on security of information systems, followed by an international accord on the subject, breaking new ground on this burgeoning, important issue, which had not yet received much attention.
“I was really interested in doing things globally, because technology is global,” she says. The international accord was adopted by governments around the world in 1992 and also became the basis for the ISO 27000 international standards.
Looking Back 25 Years
“The thing that is most striking to me is that 25 years ago we were identifying what needed to be done to provide better security of information systems, something that we are still largely failing at today,” she says. Hurley believes the United States failed to instill basic values and laws around the security of information systems when computerization was emerging.
In the early 1970’s, the U.S. led the way in modern day protection of personal data and privacy. The U.S. adopted the 1974 Privacy Act in response to the growth in computerization. The U.S. encouraged other countries to adopt similar laws to protect personal data. However, during the mid-1980s, when most countries continued to adopt, amend and mature privacy legislation, the U.S. became an outlier by consciously pulling away from these types of regulations.
The 1980s also saw concerns around U.S. competitiveness, amid continuing globalization. The computer industry was one field in which the U.S. had a clear lead. “In this era, the U.S. worried about falling behind. Computing was a clear bright spot, creating a mindset towards information technology to penetrate every market, be everywhere, and sell everything, all with a hands-off, no regulations approach,” she explains.
As far as global dominance in information industries, this
strategy was successful. But, the “no regulations” approach came with a number of costs. “There was no incentive structure to provide better computer security. During that time, many products out there were insecure, had vulnerabilities, and were poorly designed. If the product was substandard, the companies were not penalized,” she comments.
The U.S. failed to impart fundamental security policies within businesses when computers were developing, a mindset that continues to exist. Today, business executives do not fully recognize the value of security, preventing most CISOs from gaining proper alignment and resources within their organizations.
Gaining Momentum for Global Standards
Recently, Hurley spoke at an event about one of the newer ISO Standards – ISO 27018. This standard provides guidance aimed at ensuring Cloud Service Providers offer suitable information security controls to protect privacy of their customers’ clients by securing PII (Personally Identifiable Information) entrusted to them.
Even though this standard is voluntary, it is expected to become the benchmark for Cloud Service Providers moving forward. ISO 27018 provides a uniform approach across all industries worldwide. “The standard provides mechanisms for compliance and audit, thus decreasing or removing the need for negotiations over privacy and security provisions,” she says.
One of the most compelling aspects of this standard is its adoption by U.S. organizations. “This standard is exciting for the U.S. because companies may have a competitive advantage if they are ISO 27018 compliant,” Hurley comments. Greater U.S. adoption of ISO 27018 could mean a new era of aligning with global standards and implementing stronger privacy and security policies.
[poll id="6"]
Subscribe
Stay up to date with cyber security trends and more