Today’s newspapers are full of finger-pointing and spin about the HMRC data breach. And the blogosphere continues to churn out mixed commentary and advice, some sensible and some ill-advised. Of course it’s human nature to respond in an emotional or political way to a major incident affecting tens of millions of citizens. But what’s needed now is a calm, patient analysis of the root causes of the problem and a well-thought-through solution for the longer term.
There are clearly systemic failings in the governance of security in the public sector. Some are historic, a result of a long-standing focus on national security, rather than prevention of fraud and theft. The focus of the former is very narrow. The latter is pervasive, requiring a rapid scaling up of specialist advice across the entire government sector. That’s one reason why the public sector is behind industry in its implementation of contemporary security. It will take years to build the necessary knowledge, skills and awareness across central and local government organisations.
A further constraint is operating within a political governance system designed to minimise central interference, other than through policy, targets, finance and selection of senior staff. Security requires strong, central monitoring and intervention to maintain standards. In industry you can draw on the authority of the Executive Board or CEO to get things done. You can’t play this card as effectively in the public sector.
We need solutions that encourage security standards to be more effectively deployed and business units more accountable. The former requires investment in central security agencies to develop stronger direction, support and monitoring. The latter can only be addressed through mandatory accredited certification. Just making a Board member responsible is not good enough. It helps but it doesn’t fully close the loop.
What’s certainly not needed is an ill-advised knee-jerk reaction, such as the bizarre call by Ross Anderson at Cambridge University to scrap CESG and replace it with a “civilian agency staffed by competent people” to give better advice to ministers. They already are a civilian organisation and, like the newly formed CPNI, they need boosting not shooting.