Infosecurity magazine work with Tories on infosec policy

26 January 2009

The UK government should be demonstrating best practice when it comes to information security, said Eleanor Laing, MP, in a meeting with Infosecurity magazine on Monday 22nd January.

Following up from the initial meeting initiated by the Conservative Party in November 2008 – when Infosecurity were asked to create an information security working group to act as an advisory panel to the political Party – the independent panel of industry association leaders were asked to return to Parliament and give a presentation.

The focus of the presentation was current problems and impact, and the roles and responsibilities of the government in relation to protecting our data. Attendees included John Colley, managing director, (ISC)2; Adrian Davis, senior research consultant, ISF; Sarb Sembhi, president ISACA London; Gerry O’Neill, CEO of IISP; Geoff Harris, president of ISSA UK and Eleanor Dallaway, editor of Infosecurity.

It was agreed by the panel that the current government’s shortcomings could be simplified into a short, but by no means exhaustive list:
  • Lack of awareness, caused by lack of education
  • Poorly understood responsibilities
  • Bad implementation
  • Too much focus on technology

“We need to get away from people thinking that [our information security problems] are about the complications of pressing buttons on computers. It’s all about people” Eleanor Laing agreed, insisting that the list of shortcomings had “hit the nail on the head”.

“Technology is often seen, and sold, as the easy route” said Davis. Colley agreed, arguing, “It is generally wrongly accepted that technology will change everything”.

The impact of the government’s failure to protect our data is “public loss of confidence in the government and banking world” said Colley. “It’s an expensive disruption to ‘business as usual’ in terms of both money and time”.

Needs must

While data breaches and information security failures are by no means restricted to the public sector, it’s of utmost importance that the government get data security right as it is “custodian of a lot of different information” said Colley.

Eleanor Laing agreed. “The government requires information of people. It’s not a choice matter.  Therefore, there must be a duty to safeguard that information”.

Davis emphasised the government’s obligation to not only secure our data, but ensure that “they have the correct information, and maintain the correct information over a period of time. The government has a duty not to be sharing any information unduly; whether it’s within the government or the people that they outsource to.”

The topic of legislation once again came under scrutiny, and was highlighted in the presentation as one of the roles of government.

“Don’t legislate around technology” insisted Davis. “By the time the law comes into force, technology will have changed and you’ll never keep up with it. Use principles for the basis of any regulation or legislation – and make sure it’s proportionate”. 

Role model   

It was agreed unanimously that the government must act as a role model for the sector, which could be achieved by advancing professionalism and demonstrating skills, knowledge and competencies in the field.

“The government should always be demonstrating best practice [when it comes to securing our data]. If they expect and encourage everyone else to be doing it well, the government should be doing it even better”, said Eleanor Laing.

“Inevitably, you will have heard my colleagues and I chastising the current government and how they’ve handled the recent data losses. But it’s a question of responsibility and accepting the importance of this. The current government seems to have been very cavalier in its attitudes, but that’s just our opinion” Laing continued.

It was agreed by all attendees that the current government is certainly not fulfilling this role, and agreed that on a list of the best information security teams and professionals in the country, “no one from the government is on this list”.

“It’s an issue of trust”, agreed William Wallace, researcher to Eleanor Laing. “It’s the government’s role to create a framework so that people can go about their lives, trusting their information with government”.

“We want to professionalise the service” Wallace continued. “We want accredited people in government, we want to get these positions in place”.

The complexity argument


“Many large companies face the same challenges as government” said Davis, referring to the securing of large amounts of data. “Government can’t hide behind this complexity argument”.

“The real challenge” said Harris, “is how you educate people to carry out these principles? The challenge is the individual. The issue is management controls in various departments”.

Davis acknowledged the threat of the people doing the “mundane jobs. These are the people that are putting information into systems. The real risk is on this level. You can’t build management on these rocky foundations. You have to invest in good people. If you give them the right environment, they are worth their weight in gold”, he advised.

The next step


The Conservative Party are looking to set out their general approach to data security very shortly. Meanwhile, Infosecurity and the independent panel of industry association leaders will continue to act as a sounding board and offer advice when called on, representing the information security industry.

“Information security should transcend political Parties” said O’Neill, agreeing with Laing who had earlier commented “This is not a Party political issue. The difference is that one group may believe that a solution can be met in different ways”.

“If this is going to make the information security sphere a better place, I’ll sit down and talk to any political Party” said Colley.  

The intentions of the working group were summarised by Davis, who concluded, “Whatever the government decide to do will affect our industry and the people we represent. That’s why we’re here”.
 

 
