How do you tackle Data Diarrhoea?

We face the most lethal of situations – secure (if properly used) technologies in the hands of insecure people.

The juxtaposition of postings on LinkedIn by Professor Bill Buchanan, linking to his blog entry headed “The most important area of cybersecurity? Perhaps Identity and Access Management”, and by Graham Cluley on “Rogue IT security worker failed to cover his tracks” caused me to look up when I first blogged on why impersonation and insiders were the biggest risk and technology was only part of the answer. I was indebted to Professor Richard Walton, who had recently allowed me to quote his comment that the purpose of investing in technology was to cause the enemy to focus on corrupting your people.

Below is a repost of my introductory comments as chair of a conference on privacy enhancing technologies (PETs) organised by four of the UK Knowledge Transfer Networks (predecessors of the Catapults of today) under the last Labour Government. I was to introduce Lord Erroll as the opening keynote speaker and he wanted the audience in a mood to listen to some difficult messages and ask challenging questions of those who were to come later. Much of the subsequent discussion was about how technology could already do most (albeit not all) of what we needed for security by design – but we were failing to use it to support the secure people processes without which secure technologies are a waste of budget. I believe we still are.

======================================

A Fine Balance – chairman’s opening comments.

Good morning and Welcome.

My opening remarks have three objectives.

– To allow late-comers to take their seats without missing anything important

– To allow us all to get the hang of the acoustics

– To get you in a mood to ask interesting questions later today.

I am piggy in the middle between politicians and techies. Getting them to talk to each other is easy. Getting them to listen is much harder. Even when they use the same words they use them in very different ways.

Many years ago I was a bleeding edge techie. I deconstructed the assembly code for IBM BOMP, the predecessor to CICS, when we were unable to translate the documentation from the original French. But like so many techies, I got so close I lost sight of what we were trying to do.

Then I was assigned as technical support to the annual audit – and learned the unreliability, to put it mildly, of the base data, including component costs and specifications, in the files on which our production control and estimating systems depended.

Garbage in equalled garbage out – with a £x00,000 of system spend and a couple of years in between.

The consequences cost the company many £millions before the division was closed, never having made a profit.

Today [2008] we can see similar exercises in technology assisted garbage handling costing £billions and lasting decades before they are abandoned. Whether or not the data is secure, it is not fit for purpose.

How do you tackle Data Diarrhoea?

•      Digital Diapers?

•      E-Imodium?

•      A change of diet?

•      A change of lifestyle?

•      Adopt a PET?

I spent five years outside the world of IT, as a corporate planner for the Wellcome Foundation, which is why I often use crude medical analogies, like Data Diarrhoea, to make simple points.

The e-imodium analogy may not be obvious to those who thought that Imodium was more than just liquid cement – ideal if you are about to board an over-crowded jumbo for the flight home – but no substitute for finding out what caused you to have the runs. E-imodium refers to those processes which block information flows unless specifically authorised – but lack routines for rapid and well-informed over-ride – thus causing organisational constipation, without addressing the underlying business needs.

It is much better to change your diet – just stop taking the e-laxatives.

Change of lifestyle can be much harder – especially when the organisation is faced with a slew of semi-incompatible legislation and regulation, for example that mandating or forbidding data retention or sharing. That is why EURIM [now the Digital Policy Alliance] has [I was secretary-general at the time of speaking – I retired over a decade ago] a major programme to try to reset the Information Governance Agenda around good business practice.

[The reports published in the course of that programme included: EURIM Transformational Government Dialogues; From Toxic Liability to Strategic Asset: Unlocking the Value of Information; Can society afford to rely on security by afterthought not design?; Why World Class Identity Governance is central to UK economic performance; Information Governance.]

We face a very real risk of deepening recession and delayed recovery if Government responds to regulatory failure and data loss with yet more layers of irrelevant tick box compliance bureaucracy.

Hence my view of the “Balance” we will be discussing today.

The Corporate Balancing Act

Objective: organisational survival in the face of conflicting demands to delete or retain data, protect it or make it available to those who have demonstrated that they cannot be trusted:

•      neither shut down for non-compliance with incompatible regulatory requirements

•      nor put out of business by overheads, fraud or loss of customer confidence

But we also have to be clear about the risks we are seeking to manage and control.

Practical Risk Assessment

The biggest risks are:

•      Insiders: Top management, IT staff, marketing, cleaners, untrained users

•      Digititis: cock-up compromising or crashing “over-integrated” databases or networks

•      Mother Nature: storm, flood, flu etc.

•      Accident: fire, explosion

•      Then comes outside attack

The most serious risk is that of loose nuts at the top: including where the Chief Executive or Directors have been misled or confused by advisors briefing them on the basis of selective, distorted, out-of-date or fictitious data.

Add layers of secrecy, and information security can all too easily become the enemy of accuracy, let alone of availability and timeliness.

Hence the need to put privacy enhancing technologies into context.

Which PET suits which need?

•      Yappy puppies ?

•      Silent killers ?

•      Piranha Fish ?

•      Bloodhounds ?

•      Wolf Packs ?

•      Horses for courses ?

•      Friends for life ? 

It’s the wetware, stupid – but people processes commonly need the support of PETs.

Once again I will use some crude analogies.

I am fed up with yappy puppies: security products which bombard me with incomprehensible, meaningless warnings – when I get an e-mail from someone new, try to install a competing product or visit a website from which their protection racket is not taking a cut.

Even worse are the silent killers, which delete important e-mails without telling me.

I only wish competing products would work better together, like Piranha Fish.

I also want more Bloodhound services, to find out who was wasting my time or trying to defraud me, so I can join a class action against them – perhaps hiring a wolf pack, like that working to ensure that McColo and its malware customers never get back on-line.

But threats are evolving. We need not only horses for courses but reliable and trustworthy partners with whom we can work over time – do read Machiavelli on the use of mercenaries, the outsourced security services employed by the princes of renaissance Italy as they openly fought or quietly assassinated each other.

Secure technology without secure people processes is lethal. The enemy within is the most dangerous – but people processes need the intelligent use of technology to support security by default, embedded in efficient processes which remove the need or temptation to work round the system in order to meet legitimate business objectives.

Hence the importance of the work of the Cybersecurity Knowledge Transfer Network and of today’s event.

[There is no equivalent today, but the new City University Multi-Disciplinary Centre for Cyber Security and Society, at the heart of London’s fintech and cyber tech cluster, will hopefully fulfil that role with clubs/mobs of researchers, investors and lead customers agreeing how to work together to mutual advantage – from R&D programmes, through product and market development, to user education and training. I also look forward to seeing the Digital Policy Alliance organising the necessary political briefing sessions, supported by active corporate members who want to see the UK as a global hub for security inter-operability between those who will never agree governance and/or regulatory, let alone business, models.]

This is a re-post