May 2010 Archives

I was staggered to read that authorities in a southern Indian state are planning to set up an outsourcing unit in a jail. They obviously think it's a good idea. But any customers that suffer a major data breach are likely to be heavily criticized for taking such a risk. Personnel security checks are a major component of information security standards.   

This development highlights the increasing importance of conducting due diligence on off shore arrangements. "Always remember the maxim: choose your business partners with care! " warns Alastair MacWillson warns in his Forward to my new book Managing Security in Outsourced and Off-shored Environments. 

Ten years ago I forecast that the concept of privacy would not survive the growing interests in mining the growing bonanza of personal information for commercial, security or espionage benefits. I termed this scenario 'spy versus spy', reflecting the fact that it's not just Big Brother that wishes to exploit the vast amount of data that the Internet can generate.

Not everyone agreed. Some believed that the public would not stand by and watch their privacy disappear. So far they've been wrong. Nobody has been sufficiently motivated and empowered to halt the relentless march towards a surveillance state. Perhaps the new UK Government will intervene, though this would be against the global trend.

I'm disturbed though not surprised by the activities of companies such as Google, who boast that they aim to 'do no evil', yet seem to continuously ignore consumer privacy interests. The latest incident of 'mistaken' interception of wireless traffic might reflect a wider, modern enterprise culture that is focused on exploiting rather than satisfying customer relationships. The actions of individual staff speak louder than the gloss of media relations.

Where is it leading? The reality is that we have a super-abundance of data at our fingertips, and it's too compelling to ignore. Unless governments intervene with strict rules and limits, it will be commercial suicide for marketing staff to resist. Let's hope that Cameron and Clegg might harness the political will to shape a healthier digital environment. In the meantime I will continue to expect the worst but hope for the best. 

his week sees the publication of my new book "Managing Security in Outsourced and Off-shored Environments: How to Safeguard Intellectual Assets in a Virtual Business World". It's published by BSI and is both highly informative and jolly good value. Don't sign a contract without reading this book!

The cover is attractive and interesting: a clown fish in a sea anemone. The clown fish is one of the very few fish that is not poisoned by this environment, so it represents a 'safe harbour', an important concept in outsourcing. I'm indebted to BSI for suggesting this delightful nature theme, as well as Geoff Harris, President of the ISSA-UK for educating me about this interesting fact. 

It saddens me to see good security initiatives holed by sloppy security practice. My in-tray has been full of emails urging me to comment on reports about the lack of security in the web site for the UK Cyber Security Challenge, sponsored by leading security institutes such as the UK Government's Office of Cyber Security, SANS institute, the Institute of Information Security Professionals and QinetiQ.

Operational security is easily overlooked when dealing with educational or research initiatives. That's the learning point. Reputation can be equally damaged by an incident on a minor web site as on a mission critical one. All public sites need to be safeguarded whenever brand value or reputation is important. Security professionals in particular need to aim for higher standards in widely promoted initiatives. 

The response now demanded is for the sponsors and organisers to demonstrate their crisis management skills and turn this threat into an opportunity. It's not easy, but it can be done.

Last week I was fortunate enough to be conducting keynote presentations in Hong Kong and Singapore. Amongst other things, it was fascinating to contrast the Asian perspective on information security with other geographic regions, each of which has their own particular set of interests and skills, though globalization is gradually diluting traditional stereotypes.  

US enterprises, for example, seem most keen on technology, though they have also woken up to the need for a greater focus on process. In the UK, process has always dominated, though the importance of the human factor has been gaining ground. In contrast, continental Europe and the Middle East have a better appreciation of people and politics.

So how does the Far East compare? Where does it excel? In my view, the answer is in their unique interest in both people and technology - arguably the more important future dimensions of the 'people-process-technology' triangle. Compliance might be the contemporary driver, but processes can be swiftly copied. In a modern commercial environment, it is essentially no more than an audit trail for the regulators. An interest in people, however, and a thirst for technology take much longer to cultivate.

Organisations concerned about information security need to take account of these differences. Whether or not you agree with me, the key learning point is to accept that different regions and cultures have varying skills and interests. A one-size-fits-all approach will  not work in a global business environment.