
With data breaches coming to light in organisations of all sizes and calibres, it is encouraging to see that the Information Commissioner's Office (ICO) has launched an initiative to address data security, writes Mike Gillespie, managing director at Advent IM.
The Personal Information Promise, a bid to encourage safer data handling practices, is a superb idea conceptually. This voluntary charter, which permits businesses and government departments to "demonstrate their organisation's senior level commitment to data protection", makes it very simple to display a commitment to data protection.
Many companies, however, will arguably use this Personal Information Promise as a pure marketing mechanism. It also begs the question of how much more an organisation can do voluntarily than it should already be committing to as part of its legislative obligations.
Although it might be perceived that security is high on the agenda for the CIO, it still does not gain the financial backing that is required to make strategies or 'Promises' work effectively. Security, information management and information risk management should stop being seen as a costly add-on and, in some cases, a 'perk'. Instead, they need to be seen as fundamental core business requirements.
To really raise security on the board-level agenda, the ICO should lobby the government to set the example in the first instance, rather than approaching the end business as the solution to the ever more frequent threat of data loss.
By getting buy-in from the Government, the ICO can highlight this core business issue by first approaching blue chip companies, before this message filters down through the business community.
Without the appropriate strategy in place, another large data loss is inevitable; it will just be interesting to see with whom or where the prosecution lies, if at all.
Further, businesses need to stop seeing technology as the answer to data protection. Technology is an enabler, not a solution. Instead, businesses need to deal with issues holistically and look at how security can be used as a business enabler to complement business practices, enabling efficiency and flexibility while keeping risks within tolerance.
They must attract key stakeholders to buy in to security from the off, in order that any corporate security policies generated are accepted by the whole company. Failing that, even a statement acknowledging that security is an important part of any business's success (proactive instead of reactive) is paramount.
All organisations must set business objectives that incorporate points from the security manager. Recognising this role as central to the business guarantees that security sits as the backbone of the wider business plan, developing as safe and secure an environment as possible, both physically and virtually.
These business objectives should be linked to time, and time should be linked to threat, risk and ultimately countermeasures. In hand with this, businesses need to understand that threat changes with time and therefore needs constant review.
The list of signatories thus far to the ICO Promise is on the thin side and, interestingly enough, to date does not contain any central government departments. Surely this should be supported at the highest level with, for example, all police forces, all councils and the entire NHS signing up, not just the odd few? With backing from the likes of the Cabinet Office, I am sure the ICO could 'promise' a bit more clout.