Eleanor Dallaway invited along five experienced and talented information security professionals to talk about the current government’s information security, and to give advice on what needs to be done. John Colley, Managing Director, ISC2; Adrian Davis, Senior Research consultant, ISF; Sarb Sembhi, President ISACA London; Gerry O’Neill, CEO of IISP; and Raj Samani, vice president of communications ISSA joined Infosecurity at the Houses of Parliament on Wednesday 12 November 2008.
William Wallace, Researcher for Eleanor Laing, asked why there have been so many government data breaches this year. “Data has always been leaked” said Colley, “but now, we’re just seeing more disclosure”.
“Data breaches are happening in the private sector too”, added O’Neill, “but the press just zoom in on the public sector losses. I guess the private sector has better PR”.
“Government are always a target because there is tax payer’s money at stake” said Davis. “Of course, many of the breaches have occurred through third parties from outsourcing. You can outsource contracts, but not the risk. Information security is low on the agenda in the contract, nobody takes ownership and so the data gets lost between the two”.
“The third party organisations are often more information security savvy than the government” argued Sembhi. “The organisations are willing to spend money on infosecurity, but the government is not”.
“You’ll never get rid of the problem, because it all comes down to money” Samani agreed.
One of the items on the agenda was a question of what technology is available to increase data security. “It’s a people issue” insisted Davis. “You can have the best technology in the world, but you need people to have the awareness and education about information security”.
The people problem, Colley reminded the group, must be split into separate areas.
“There’s the people who inflict accidental damage, and those that make deliberate attacks. The latter is the most difficult to handle because they, by right, have access to all of the data – and there’s a good business reason for them having this access”.
“The problem really gets deeper” continued Davis, “when you consider that a classic profile of someone who wants to damage their organisation is this: they come in early, they stay late, they always get involved and are eager to make several contacts throughout their organisation. Unfortunately, this is the exact same profile as that of someone who is an excellent worker”.
The malicious insider problem, said Sembhi, may indeed worsen due to the current economic climate and large amount of redundancies which will no doubt be made as a result.
Out of one pocket, into the other
The question of penalties for non-compliance was discussed. While in the private sector, legislations such as PCI promise to fine organisations for non-compliance, applying penalties to the government is somewhat less effective, the professionals argued.
“There’s no point in the government fining itself”, said Davis. “It would be like taking money out of one pocket and putting it into another. The problem is, there are all of these regulations, and everyone is following different standards. You need to get a grip and get one set of standards that applies to everyone. It will be more effective, and cheaper in the long run”.
Wallace raised the question of a chartered institute and a potential kitemark scheme.
“The problem is”, said Samani, you’re saying that it’s assured when you’ll never be able to say with certainty that there are no vulnerabilities. All software and processes have information security risks”.
As for the kitemarking idea, said Davis, “that would only apply to one day, and everything could go wrong for the rest of the year and not be noticed. It’s like an MOT”, he analogised. “Standards encourage box-ticking, which can often mean that people miss the bigger issue”.
Samani suggested that there may be a lack of lack of understanding amongst ministers, and that the introduction of an expert may go a long way to understanding the concerns of the industry. It does of course seem nonsensical, agreed the group, that laws and regulations are currently being made by people who are not experts in information security. "Why not get someone from industry? A trained information security practitioner who knows what they’re doing?” asked Samani. Wallace agreed, highlighting the need for a high ranking minister who could make all of the decisions.
On the topic of legislation, Davis argued “Never ever legislate technology. It changes too quickly”.
Need more teeth
It was agreed by all attendees of the meeting that it’s important that the Information Commissioner makes better use the powers that he already has, with clear communication to organisations about personal data handling responsibilities and tough but consistent penalties for infringement.
Amongst a list of powers that Samani suggested that the Information Commissioner be given, audit on demand, increased funding and transparency were among them. Samani also emphasised that the current five investigators working for the information commissioner to investigate “every business in the country” was ludicrous.
“Data security is a problem that needs to be tackled globally” said Davis. “Your regulatory routine is only as good as far as it reaches”. Wallace responded with concern about sending business outside of the UK. “We don’t want to make the UK out of kilter with the rest of the world, we need to keep businesses inside the country” he argued. “We’re wary of over-legislating and thus over-burdening UK businesses”.
Wallace stated that the reason for reaching out to Infosecurity is to develop a framework to tackle these issues. The interest in information security is coming from the top of the party, he said, adding that there’s a sense of wider responsibility that they want to address.
In conclusion, O’Neill said, “Technology is not a panacea for data breach problems - it must be appropriately deployed and operated, and so 'People' and 'Process' are the other critical elements to consider. In almost all of the recently publicised security breaches, it is these latter factors which have failed, and caused the problems. We could sum up the conversation we’ve had so far with the strapline ‘data breaches – this time it’s personal’". O'Neill ellaborated on this, explaining, " By this, I mean that the responsibility for protecting information assets should be made ‘personal’, so that there is clear ownership. Equally so, the sanctions for mishandling should be personalised to the individual or the organisation, and proportionate to the nature of the breach, its impact, and the scale of the organisation.”
“The problem at the moment”, Davis added, “is that there’s no duty of care. If it’s not their own bank card and PIN number that someone is handling, it’s just a mass of meaningless data that doesn’t mean anything. We need to make it mean something”.
The next step
The meeting proved so useful that the Conservative MPs have invited Infosecurity and the five information security professionals back to offer further advice and focus in more depth on particular issues raised. Although it’s evident that the government, and the Conservative party data security group, has quite some way to go, the important thing is that they are listening.
Check the Infosecurity website for further reports.