Knee-jerk Reactions Are Not the Answer

Today’s newspapers are full of finger-pointing and spin about the HMRC data breach. And the blogosphere continues to churn out mixed commentary and advice, some sensible and some ill-advised. Of course it’s human nature to respond in an emotional or political way to a major incident affecting tens of millions of citizens. But what’s needed now is a calm, patient analysis of the root causes of the problem and a well-thought-through solution for the longer term.

There are clearly systemic failings in the governance of security in the public sector. Some are historic, a result of a long-standing focus on national security, rather than prevention of fraud and theft. The focus of the former is very narrow. The latter is pervasive, requiring a rapid scaling up of specialist advice across the entire government sector. That’s one reason why the public sector is behind industry in its implementation of contemporary security. It will take years to build the necessary knowledge, skills and awareness across central and local government organisations.

A further constraint is operating within a political governance system designed to minimise central interference, other than through policy, targets, finance and selection of senior staff. Security requires strong, central monitoring and intervention to maintain standards. In industry you can draw on the authority of the Executive Board or CEO to get things done. You can’t play this card as effectively in the public sector.

We need solutions that encourage security standards to be more effectively deployed and business units more accountable. The former requires investment in central security agencies to develop stronger direction, support and monitoring. The latter can only be addressed through mandatory accredited certification. Just making a Board member responsible is not good enough. It helps but it doesn’t fully close the loop.

What’s certainly not needed is an ill-advised knee-jerk reaction, such as the bizarre call by Ross Anderson at Cambridge University to scrap CESG and replace it with a “civilian agency staffed by competent people” to give better advice to ministers. They already are a civilian organisation and, like the newly formed CPNI, they need boosting not shooting.


Delighted to see your title including the words "knee jerk" as I've just used them myself in another posting on this subject!! There's no shortage of guidance available nor knowledge of how to assist in resolving or reducing the probability, likelihood or impact of these kind of situations. Sadly not enough people have listened to those of us in the know in the past - perhaps our time will now come :)
Hear, hear. It is good to read David's comments, and have a sensible, considered response. Yes it is a terrible example of data loss, but we need to be working to improve security generally. HMRC are not the only people to lose data. How many organisations have lost back-up tapes out of the back of vans? And there are many other examples of data going missing accidentally. IT Security is not "sexy". It has always been hard to give a real Return on Investment. For this reason spending on IT security tends to be based upon shutting the door after the horse has bolted. Maybe, just maybe, with the HMRC's horse having bolted, and already resulted in one high profile job lost, directors and senior managers will recognise the need to invest in security. Spending on security has been around 3%-4% of IT budget and needs to grow to 8%+. This budget, spent correctly on security - including security awareness training for staff - should ensure a better, safer environment.
Very informative details, thanks for that. Nice article.