This morning I was trying to find a way of checking whether a message that purported to come from my ISP telling me my mailbox was full was genuine. It quickly became apparent that their security guidance was directly akin to that mix of patronising platitudes and incomprehensible detail which so infuriated my staff at the NCC Microsystems Centre in the 1980s when we were evaluating products and services intended for use by end-user professionals (such as doctors, lawyers and accountants) or by small and medium sized firms with no professional in-house IT staff.
In those days over half of what we tested failed on some very simple tests:
- did the documentation say what it did in language the customer could understand?
- did it do it correctly (including any legal/fiscal requirements e.g. tax calculations etc.) ?
- did it do it reliably (including graceful degradation and restore in the event of power cut) ?
One of the exceptions was a small company called Sage. They were one of the first to be tested. They took the process much more seriously than most of their larger competitors. Today they are one of the few UK-owned IT suppliers left. Who even remembers most of the others from a time when the UK supposedly led the world?
Recently in the wake of the EURIM study on Security by Design and the emergence of a whole new generation of products and services to help secure communications and transactions in a deperimeterised world, I have been looking at how vendors sell and support these today. Not much has changed. Those seeking to implement the recommendations in the strategy announced on Friday for "kite-marking" will face the same excuses. Those seeking to educate and train their staff to make systems secure by design will find little on techniques that have been around for a decade or more. For example, where are the courses or materials on how to specify, procure and deploy the "trusted computing" techniques that enable a rapid, low cost check that the person you think is making the transaction is using a physical device (e.g. desk top or mobile phone) that has been registered to them?
It is as though the supply side has no wish to actually improve the security of their customers. It appears only concerned to sell more "stuff", whether or not the customers know how to use it. If that is correct, it is because that is how they are rewarded.
"How do we change that motivation ?" is, however, the wrong question.
We need to begin with "Who really wants to change that motivation ?"
This is where things may have changed. Until the recession and the transfer of economic power from West to East it was possible to off-load the losses onto customers and taxpowers. That is no longer the case.
In a couple of days the Chancellor is expected to announce the biggest cuts in government spending since the 1920s. If he does not then we probably face hyperstagflation and worse. If he does, the need to cut the tens of £billions being lost to fraud and waste becomes imperative. That will entail making much better use of existing budgets - not spending more money that we have not got.
Hence my pre-occupation (both as Chairman of the Conservative Technology Forum and as Chairman of the Security Panel of the IT Livery Company) with taking a top-down look how to to bridge the gulf of understanding between the professionals and those above them - who have to take a holistic view of the business case. Bridging the gaps between the computing, communications, security and marketing professionals is important - but is not sufficient.
P.S. I am pleased to note that under my successor, an Information Society Alliance sub-group will be drafting guidance on how to procure trusted computing products - with the aim of having this available in March, i.e. in time for the next round of contracts. The group aims to move fast but joining (via the mainstream membership routine) is still ridiculously cheap (my fault for setting it too low in the first place) for the benefits the exercise will give to those wish to strip out cost, waste and fraud by deploying effective solutions in this space - whether for themselves or their customers. If you are joining simply to take part in this group do remember to say so when you apply.