With cyber security constantly in the news, Vigilant Software thought it would be both timely and topical to catch up with one of cyber security’s leading experts, Alan Calder.
Alan Calder is CEO and founder of Vigilant Software and an acknowledged information security risk management thought leader. Alan managed the world’s first successful ISO 27001 (then BS7799) implementation project in 1996 and is a frequent media commentator on information security risk management issues.
1. When did you first get involved in cyber security and what were the business drivers that led you to the cyber security field to begin with?
In the knowledge economy, I saw the protection of client and staff information as a key business differentiator. As the number, variety and complexity of cyber threats have changed over the last few years, this has become increasingly true and relevant.
2. How has the demand for cyber security solutions changed over the years and what is, in your opinion, the main reason for this change?
Cyber security has become increasingly a matter of cyber resilience – organisations have to have defence in depth, and those defences have to combine technology, processes and people – identifying assets at risk and ensuring that appropriate controls are in place for each of the assets is fundamental.
3. You led the world’s first ISO 27001 implementation back in 1996. The question is simply ‘Why?’ To elaborate, what were the business drivers for gaining the certification? How did you feel before, during and after?
I saw external certification as a key business differentiator. I also saw the process as an effective way of ensuring that technology decisions were, at a strategic level, taken by business managers, rather than by IT management on its own.
4. Referring to the above, what would you do differently now compared to what you did back in 1996?
Back in 1996, we had to work out step-by-step what to do. More recent implementations (e.g. at IT Governance Ltd, or with our clients) have been enormously simplified by using tried and trusted tools like our Documentation Toolkit and the information security risk assessment tool, vsRisk. There are now training courses we can send people on so they can learn what they have to do; the IBITGQ learning paths are ideal for this sort of thing.
5. There are now modern software tools, such as the information security risk assessment tool vsRisk, to help with the key risk assessment part of ISO 27001. How would having vsRisk back in 1996 have helped you?
The risk assessment was the hardest part of the exercise. Initially, we misunderstood what we had to do, so our first risk assessment was wrongly completed, which meant going back and repeating the whole procedure. But if we could have used vsRisk, with all the assets in a single database and a formal, structured methodology for doing the risk assessment, it would have enabled us to focus on the risks, rather than the methodology.
6. What advice would you give to an organisation considering ISO 27001 certification?
Don’t lose time – get started – the benefits are much greater than simply the market ones.
7. What would you say to an organisation NOT considering ISO 27001 certification?
If information is not important to your business, if you don’t need to protect customer and client data, and if you’re not connected to the internet, then you don’t need to worry about cyber security and ISO 27001. For everyone else, there are no good reasons.
8. And finally, you have been referred to in the media as an information security ‘guru’. How do you feel about being described as such?
I don’t really see myself as a ‘guru’ – I just work at understanding what has to be done, at finding practical and pragmatic solutions to business security issues and sharing what I’ve learned as clearly as I can.