
Stronger penalties needed to force better data handling - I don't think so

An article by Ron Condon on searchsecurity.co.uk states:

Security experts agree that until the Information Commissioner's Office (ICO) is given the power to impose hefty fines on those who break the Data Protection Act, companies will continue to treat information with what one expert described as "reckless disregard." 

I disagree, but then nobody asked for my opinion on this one. Maybe I don't yet mix in the right circles or get invited to the best parties where all the experts are gathering. I certainly don't know Alan Calder, chief executive of IT Governance Ltd, one of the experts quoted in the article as stating that companies should always ensure that PID (personally identifiable data) is destroyed on their premises and not left to a third party. That's nuts. I'd rather not leave it up to the IT department, brilliant and capable as they are. I contract a perfectly capable third party who specialise in data destruction and do the job properly.

Back to the point, though. Do stronger penalties work? I doubt it. Stronger penalties might motivate organisations to try harder, but until we put an end to this break/fix way of running information security and start dealing with the real problem - which is all about people and not about technology at all - incidents will continue to occur on a depressingly frequent basis.

What is meant by a stronger penalty? One that is so severe it puts the company out of business, or one that simply teaches it a harsh lesson? Make the penalties too severe and we'll end up with the equivalent of the health and safety culture, where nobody is willing to take any chances for fear of the consequences. Imposing penalties does not solve the problem; it will increase the fear of disclosure and lead to a "check-box" compliance mentality. Tackle the root causes and we might start getting somewhere.


Comments (1)

Stuart, I’m delighted you have a capable disposal company. I’m sure you audit their destruction of your storage devices and are delighted with the audit findings.

Information security is really about people, process and technology. It is plain wrong to say that it ‘is all about people and not about technology at all’; just try running a secure IT system without security technology, such as firewalls, anti-malware, IDS, ACLs, backup and all the rest of it.

I absolutely agree, however, that dealing with the people issue (recruitment, vetting, training, awareness, culture, etc) is a really important part of getting security right. The people issues, though, are harder than the technology ones. And ‘dealing with the people issues’ won’t just happen. It has to be part of the corporate strategy – i.e. the board has to push for it.

The evidence – formal, informal and experiential – is that the vast majority of boards simply don’t prioritise information security sufficiently for adequate attention to be paid to any of the people issues. And, as there is no obvious profit for most organisations from protecting personal information, combined with a currently weak DPA compliance regime, there is widespread inadequacy in protecting PID. What, other than significant fines (by which I do mean ‘harsh lessons’), will get boards to focus an adequate level of resource and attention on protecting PID?



This page contains a single entry from the blog posted on September 3, 2008 8:15 AM.
