"This framework allows my security team to let everyone else see what's going on," says Hyatt, a jack-of-all-trades who has been at Vanguard 23 years and counting. "It's very effective for getting action: Here's something you own; it's red. You rarely get, 'I'm too busy.' It's also a great tool to monitor progress and helps my group prioritize what to look at. In the past, information security would rush to address anything that audit may have found, and so you did spot-fixes here and there, as opposed to having a nice, cohesive plan."

If it sounds as if ISO 17799 was the answer to Vanguard's security management, there's just one catch. Vanguard isn't really following the standard. Some of the categories don't apply and were thrown out. Other areas were reworded, or "Vanguard-ized," as Hyatt puts it. For instance, the IT department at Vanguard is split into application development and technical operations; likewise, some of the ISO categories had to be split in two. "We'd change the standards to fit the organization as opposed to making the organization fit the standard," Hyatt says. His justification is sound: "If we don't get something in place that fits within the organization, then it's not sustainable. This felt more like guidance as opposed to rules."

Not that it would matter if Vanguard wanted to salute every word of the standard. ISO doesn't offer certification for 17799 as it does for other standards. There just isn't support for a standard precise enough to measure compliance. The question is, if individual companies modify ISO 17799 to make it work, and if there's no way to be certified, then what's so "standard" about it anyway?

In theory, standards are the key to making information security a mature discipline. In reality, standards are still the greatest thing that never happened to security management. And in the future, a real, certifiable standard would, could - and probably will - be the key to the board-level credibility that information security desperately needs. It's up to CSOs as to whether that day comes sooner rather than later, and whether they'll be able to shape the standard into one that really works.

Standard Politics

CSOs looking for a set of standards to follow will have no problem finding one. That's the problem. "People are confused about which they should be using, big-time," says Steve Crutchley, CSO and cofounder of 4FrontSecurity, a startup consultancy based in Reston, Va.