In search of better Information Governance

Lately I’ve had some interesting email exchanges with colleagues in Australia about press reports of increasing levels of citizen surveillance in the UK. This steady erosion of personal privacy is disturbing. But it is a natural and inevitable consequence of the rapid growth in networking and information processing capability. And the threat to privacy is not just from intelligence collecting platforms and CCTV cameras installed by local authorities. It’s also from citizens with camera phones and Internet access.

This year we’ll see attempts by governments to implement the most ambitious schemes yet for monitoring of Internet communications. There will, hopefully, be increasing public debate about the need for such schemes. But, in general, most attempts to hold back the growing tide of electronic surveillance systems are doomed to failure. There are simply too many requirements, opportunities, capabilities and stakeholders. Neo-Luddites might win the odd battle, but they’ll never win the overall war. 

That’s not to say, of course, that we shouldn’t challenge ill-conceived public policy, dangerous precedents and bad practices. A strong privacy lobby is essential to clip the wings of government excesses. But our main focus needs to shift more towards better information governance, because that’s an area that has been widely neglected. Too many systems are designed without adequate controls, too many databases are full of incorrect data, and too many users lack the training and incentives to behave correctly. 

We all know that a good slice of the population is corrupt, misguided or just plain clumsy, so simply demanding perfect behaviour from systems administrators and users will never be enough. Instead, we need to establish much better controls, education and incentives. But, in practice, this is far from easy. There’s a surprising lack of knowledge in how to go about it, as well as a growing shortage of professional skills. And the business case is not compelling, with most benefits being long-term, uncertain and unmeasurable.

The solution is not to be found in ambitious visions, strategies or policies, which can be helpful, but by themselves achieve very little. Our objective, instead, should be to build the knowledge base, methods and technologies needed to achieve real results. There are far too many gaps in this area. My book “Managing the Human Factor in Information Security”, which has just gone to print, explains how we can tackle some of these challenges. But it’s only the start in constructing the new body of knowledge we need to manage the transition from securing corporate infrastructure from outsiders to protecting personal information from insiders.