Former spy says policy essential to good security

Businesses should base their IT security plans on the principals used by the secret service, according to a former head of MI5
Written by Munir Kotadia, Contributor

An organisation can never be truly secure until it has developed and enforced a well prepared security policy, according to Dame Stella Rimington, former director general of MI5.

Rimington, who was a keynote speaker at the Gartner Security Conference in London on Monday, said companies should use the same principles that the secret service does in order to ensure trade secrets do not fall into the wrong hands.

"The principles of national security and commercial security are exactly the same," said Rimington, who admitted that different techniques are involved, but explained that, essentially, the most important thing is having a rock solid security policy that is enforced. "It all comes down to sensibly applied security measures closely related to a realistic assessment of the threat. All protective security, including the security of information, is about assessing risk," she said.

According to Rimington, there are a number of questions that companies have to be able to answer before they can fully appreciate what they need to do and, more importantly, how to do it.

First, said Rimington, companies should calculate the true nature of the threat: "Who is your enemy, what is their objective, what do they want to do to you, do they want to steal your secrets, goods, poach your staff, embarrass you in the press, take over your company or blow you up?" she asked.

She also warned against spending too much time and effort on protecting yourself from unlikely threats while more likely threats were ignored: "Is the enemy capable of doing whatever they want to do -- is it a real threat? If they are, how are they going to go about it? Do you need to look after your documents, information on computer, telephone calls, people or goods?" Companies need to answer all these questions before they even start thinking about what they are going to do, or even what they can do to secure their systems, she added.

Editorial standards