
March 2008 Archives

March 5, 2008

Do Your Vendors Have Information Security That's Aaa Good?

I ripped this blog title off from CSO Online.

In December of 2006, I predicted that we would see a nationally recognized information security rating system come to fruition in 2007.

In today's financial markets investors rely on analyst reports and metrics. Often they are simply referred to by the company providing the metric: Moody's, Morningstar, Fitch and others. As an investor, these rankings and metrics generally weigh heavily in decision factors. However, we have no security index or rating systems. If, as a consumer, you had a choice to take a loan from two companies with different security index ratings, you might think twice. Would you want to risk your personal information being negligently handled in return for a lower rate, or take a slightly higher rate knowing your information is safer?

Well, 15 months later, Moody's will be announcing their own Vendor Information Risk Rating Service soon. That is according to this article in CSO Online.

As a security manager, I can't wait for the day when this tactic is mainstream. The amount of time, resources and lost opportunity given to individually assessing each vendor's security practices drives me nuts. Let's hope Moody's does this well. Even more so, let's hope that every independent and trusted rating company jumps on the bandwagon to drive competition in this new marketplace.

March 6, 2008

Will iPhone 2.0 be Enterprise 1.0 Ready?

Undoubtedly you've heard about the iPhone SDK. While Apple DDoSes their own developer site with thousands of people trying to download the SDK, enterprise security managers are bracing for round 2 of iPhone security vs. the yearning corporate executive.

Putting myself in its proper place

Let's face it: the shiny objects at today's town hall meeting weren't the Exchange integration or the remote wipe feature. It was all about applications and their sheen. Salesforce.com, Electronic Arts, Sega and AOL all orchestrated today's focus away from enterprise security and into Apple's foray of cool. Let's also face it: enterprise security is only fashionable for a very small target audience. I'm in the minority.

Obviously, though, the minority does have a voice with Apple. The Engadget live blogging of today's events shows Phil Schiller taking the stage at 10:04AM. By 10:19AM he was done demonstrating all the enterprise integration and security. The enterprise voice lasted 15 minutes; the SDK and iPhone apps from 3rd party developers went on until 11:03AM.

Does Apple really get it?

Does Apple really understand what it takes to sell something to an enterprise? An enterprise has tens of thousands of IPs, hundreds of network ingress and egress points, and thousands of ways for intellectual and private property to be absconded with. Let us not forget the deluge of regulations, oversight committees and conformance to hundreds of international governance restrictions. Most enterprises are not running in a resource-positive mode with overflowing headcount sitting idle, eager to consume another mobile device. In order for the iPhone to make headway in the enterprise it will have to upheave an existing technology. The most likely candidate for the smartphone junk drawer will be the Windows Mobile device, not the BlackBerry.

RIM is here to stay

Phil Schiller's slide showing the 'old' Exchange integration vs. the new method was clearly meant to show ActiveSync's dominance over GoodLink and BlackBerry. Both of those 'inferior' technologies require an intermediary server, whereas ActiveSync is a direct push technology. However, BlackBerry enterprise managers look at it quite differently. They see the BlackBerry Enterprise Server not as a stumbling block, but as a full-fledged, necessary component of the overall mobile device risk management solution.

Apple trusts Microsoft?

How many Mac vs. PC advertisements have you seen? Isn't the PC bloated, a Petri dish of viruses, and representative of everything uncouth? But here is the catch: while we wallow in wait for Apple to release the nitty gritty of how the iPhone enterprise security controls function, Phil Schiller shows a slide that's right out of the Microsoft ActiveSync security deck. Could the iPhone's enterprise security offering be nothing more than an adaptation of the Windows Mobile security options? If that is the case, Apple, in some strange twist of events, will be relying on Microsoft for security conformance.


Whatever might happen, I, like hundreds of other security managers, reached out to our user base today. We all sent the predictable email out to the entire company reminding them that despite today's town hall meeting, the iPhone still is not yet an approved device (not yet).


March 28, 2008

Defining America's Most Trustworthy Companies

In Newsweek, Daniel Gross said there is a growing "crisis of confidence" when it comes to Wall Street. The evidence is readily available: the fall of Bear Stearns, the subprime mortgage mess and consumer confidence declining to new lows. For the second year, Audit Integrity provided their annual data to Forbes, and they have likewise published the data as the "most trustworthy companies". Audit Integrity claims to have an objective means of analyzing a company to deliver an accounting and governance risk score. What that means is simply stated something like, "those companies that play by the rules and take few risks when it comes to creative accounting get a higher score". A higher score is supposed to equate to a higher level of trust.

While it's the market data that gets the majority of the headlines these days, it's the careful words now being used that get my attention. Words like: confidence, trust, trustworthy, fear. Sound familiar? They are the exact same emotional words we use in information security.

And while this blog isn't intended to discuss financial market stability, it is about risk management. For us in the information security world, open your eyes; there is a giant event happening outside the bubble of your office. Trust is at an all-time low. If you've been in any services-oriented group, infrastructure or operational setting for a while, you've probably already witnessed what happens when trust is lost: it's never regained to the levels it was at before.

To accept a vendor's information security practices is, to some degree, to say, "I trust you". Is that an accurate description of what just happened? Or, are you, as the person held responsible for ultimately keeping your company's information secure, actually thinking,

"Our information security due diligence process that took months (and way too much money) derived some kind of fallible rating that didn't fall into the bottom of the failure category. As such, we can do business, but I'm going to hand over reams of documents and disclaimers to some legal team which now has the job of limiting our risk by contractual risk avoidance disclosures".

We don't enjoy apathy or lackluster personal performance. And we don't relish the requisite current toolset either. Yes, we have regulation. Yes, we have defined standards, and we also have auditors, reports, disclosures and exceptions. And yes, we are supposed to use all that to provide the business guidance in determining the best route to deliver the upside, reduce risk and keep costs down.

While Audit Integrity's list of America's Most Trustworthy Companies might seem hard to grapple with for an information security professional, the idea itself provides hope to this infosec person that one day I might see a similar list of America's Most Secure Companies. Though infosec still has many years of maturing before we can start deriving standards-based scoring anywhere on par with the financial models, hopefully we can learn from this crisis of confidence and not repeat history.

About March 2008

This page contains all entries posted to Sync in March 2008. They are listed from oldest to newest.
