Yet another security breach

My in-tray has been hot today with questions about the reported EDS Ministry of Defence data breach. In fact, there’s nothing here that’s either new or unexpected. It’s just a regular security incident demonstrating, yet again, that our information security falls way behind the business and consumer expectations.

And this trend will continue because of several factors. Firstly, the protection we give to personal information does not reflect its current value. That’s essentially a legacy, catch-up problem. We’ll all get there eventually, as we gradually recognise that personal data is like hard cash. But don’t expect it to be resolved in the next year. These lessons take a long time to learn.

Secondly, the solutions space is much more complex than it seems. Moving to a regime of encryption, rights management and data leakage prevention as a standard practice is far from easy. It requires considerable planning, policy and technology. We can’t implement these solutions overnight. They require, for example, major adjustments to security classification systems (if you actually have one) and security architectures (again, if you actually have any of them).

And, thirdly, we have no significant budgets and very little idea about how to deal with the “layer eight”, “wet ware”, people issues: how to respond to the mass of personal mistakes, accidents, lies and frauds that continuously occur in all organisations. These are the events that we fail to see, or perhaps turn a blind eye to. This problem, of course, will all be addressed in detail in my new book on “Managing the Human Factor in Information Security”, due out in January 2009. Amazingly, it’s the first major book on the subject. That says a lot for a subject area that’s been around for several decades.

Back in the early 90s, in Shell, for example, we employed behavioral psychologists and creative teams to help address this area. Unfortunately, this seems to have been the peak of effort in this area. The state of the art has stood still since then. I’ve long been advising organisations to spend at least 10% of their security budget on security education. But they don’t. And if you look at the agenda for forthcoming conferences, such as RSA 2009, you’ll find not a mention of the subject. Our thought leaders are failing to provide the guidance we all need in this area.

So expect this problem to get increasingly worse until organisations realise they have serious policy, governance and implementation weaknesses in this area. And don’t expect a quick fix. It’s a complex problem space, and an even more difficult solutions space.  


Mr. Lacey's analysis of the situation is spot on!
These data breaches and thefts are due to a lagging business culture. As CIO, I'm always looking for ways to help my team, business teams, and ad hoc measures of various vendors, contractors and internal team members. A book that is required reading (specific chapters, depending on nature of projects and teams) is "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." It has a great chapter regarding security (among others). We keep a few copies kicking around - it would be a bit much to expect outside agencies to purchase it on our say-so. But, particularly when entertaining bids for projects, we ask potential solutions partners to review relevant parts of the book, and it ensures that these agencies understand our values and practices. The author, David Scott, has an interview here that is a great exposure: The book came to us as a tip from one of our interns who attended a course at University of Wisconsin, where the book is in use; I like to pass along things that work, in the hope that good ideas continue to make their way to me. I hope you can make use of this info...