"A Fine Balance", the joint conference of four Knowledge Transfer Networks in Thursday provided an excellent update on the current state of "privacy enhancing technologies". When I introduced the Earl of Erroll I made the point that the Lord High Constable of Scotland was not only the sole cybersecurity professional in either House of Parliament, he is also the only person genetically cleared to draw a sword in the presence of the monarch
The Earl then told the story of the debate in the House of Lords on the legislation that permits Sikhs to wear their daggers for ceremonial purposes. It took place on the evening of the Caledonian Ball. He and one of the other Scottish peers had changed into full highland evening dress, with skean dubh (4 inches of murderous cold steel) and dirk (18 inches). The doormen goggled as they approached the Chamber and decided to do nothing. (I will not draw analogies with what happened in the "other House" last week).
Much of the subsequent discussion at the KTN event was how technology can now do most (albeit not all) of what we need for security by design - but we have failed to use it to support the secure people processes without which secure technologies are a waste of budget.
It was also clear from the reaction to my opening comments that I trod on a great many corns. My remarks were quite short so I will reproduce the full text rather than wait until they are on a website to which I can link.
A Fine Balance - chairman's opening comments.
Good morning and Welcome.
My opening remarks have three objectives.
- To allow late-comers to take their seats without missing anything important
- To allow us all to get the hang of the acoustics
- To get you in a mood to ask interesting questions later today.
I am piggy in the middle between politicians and techies. Getting them to talk to each other is easy. Getting them to listen is much harder. Even when they use the same words they use them in very different ways.
Many years ago I was a bleeding edge techie. I deconstructed the assembly code for IBM BOMP, the predecessor to CICS, when we were unable to translate the documentation from the original French. But like so many techies, I got so close I lost sight of what we were trying to do.
Then I was assigned as technical support to the annual audit - and learned the unreliability, to put it mildly, of the base data, including costs and specifications, in the files on which our systems depended.
Garbage in equalled garbage out - with a hundred thousand quid and a couple of years in between. The consequences cost the company many millions before the division was closed, never having made a profit.
Today we can see similar exercises in technology assisted garbage handling costing billions and lasting decades before they are abandoned.
Whether or not the data is secure, it is not fit for purpose.
How do you tackle Data Diarrhoea?
# Digital Diapers?
# A change of diet?
# A Change of lifestyle?
# Adopt a PET?
Later, I spent five years outside the world of IT, as a corporate planner for the Wellcome Foundation, which is why I often use crude medical analogies, like Data Diarrhoea, to make simple points.
The e-immodium analogy may not, however, be obvious to those who though that Immodium was more than just liquid cement - ideal if you are about to board an over-crowded jumbo for the flight home - but no substitute for finding out what caused you to have the runs.
e-immodium refers to those processes which block information flows unless specifically authorised - but lack routines for rapid and well-informed over-ride - thus causing organisational constipation, without addressing the underlying business needs.
It is much better to change your diet - just stop taking the e-laxatives.
Change of lifestyle can be much harder
Especially when the organisation is faced with a slew of semi-incompatible legislation and regulation, for example that mandating or forbidding data retention or sharing. That is why EURIM has a major programme to try to reset the Information Governance Agenda around good business practice.
We face a very real risk of deepening recession and delayed recovery if Government responds to regulatory failure and data loss with yet more layers of irrelevant tick box compliance bureaucracy.
Hence my view of the "Balance" we will be discussing today.
The Corporate Balancing Act
Objective: organisational survival in the face of conflicting demands to delete or retain data, protect it or make it available to those who have demonstrated that they cannot be trusted
• neither shut down for non-compliance with incompatible regulatory requirements
• nor put out of business by overheads, fraud or loss of customer confidence
But we also have to clear about the risks we are seeking to manage and control.
Practical Risk Assessment
The biggest risks are:
• Insiders: Top management, IT staff, marketing, cleaners, untrained users
• Digititis: cock-up compromising or crashing "over-integrated" databases or networks
• Mother Nature: storm, flood, flu etc.
• Accident: fire, explosion
• Then comes outside attack
The most serious risk is that of loose nuts at the top: including because the Chief Executive or Directors have been misled or confused by advisors briefing them on the basis of selective, distorted, out of date or fictitious data.
Add layers of secrecy and information security can all-too-easily become the enemy of accuracy, let alone of availability and timeliness.
Hence the need to put privacy enhancing technologies into context.
Which PET suits which need?
• Yappy puppies ?
• Silent killers ?
• Piranha Fish ?
• Bloodhounds ?
• Wolf Packs ?
• Horses for courses ?
• Friends for life ?
It's the wetware stupid but people processes commonly need the support of PETs
Once again I will use some crude analogies.
I am fed up with yappy puppies, security products which bombard me with incomprehensible meaningless warnings - when I get an e-mail from some-one new, try to install a competitive product or visit a website from which their protection racket is not taking a cut.
Even worse are the silent killers, which delete important e-mails without telling me.
I only wish competing products would work better together, like Piranha Fish.
I also want more Bloodhound services, to find out who was wasting my time or trying to defraud me, so I can join a class action against them - perhaps hiring a wolf pack, like that working to ensure that McColo and its malware customers never get back on-line.
But threats are evolving. We need not only horses for courses but reliable and trustworthy partners with whom we can work over time - do read Machiavelli on the use of mercenaries, the outsourced security services employed by the princes of renaissance Italy as they openly fought or quietly assassinated each other.
Secure technology without secure people processes is lethal. The enemy within is the most dangerous - but people processes need the intelligent use of technology to support security by default, embedded in efficient processes which remove the need or temptation to work round the system in order to meet legitimate business objectives.
Hence the importance of the work of Cybersecurity Knowledge Transfer Network and of today's event.
At this point it gives me great pleasure to call on the Earl of Errol. It is interesting comment on our political system that the hereditary Lord High Constable of Scotland is the only member of either House who not only worked in the IT industry but understands the emerging technologies rather more than most of the salesmen and PR professionals lobbying us. When he became a Director of EURIM my deputy, Dr David Wright who is expert on such things, checked him out and discovered that he is also the only person genetically cleared to draw his sword in the presence of the Monarch.