My in-tray has been hot today with questions about the reported EDS Ministry of Defence data breach. In fact, there’s nothing here that’s either new or unexpected. It’s just a regular security incident demonstrating, yet again, that our information security falls way behind business and consumer expectations.
And this trend will continue because of several factors. Firstly, the protection we give to personal information does not reflect its current value. That’s essentially a legacy, catch-up problem. We’ll all get there eventually, as we gradually recognise that personal data is like hard cash. But don’t expect it to be resolved in the next year. These lessons take a long time to learn.
Secondly, the solutions space is much more complex than it seems. Moving to a regime of encryption, rights management and data leakage prevention as a standard practice is far from easy. It requires considerable planning, policy and technology. We can’t implement these solutions overnight. They require, for example, major adjustments to security classification systems (if you actually have one) and security architectures (again, if you actually have any of them).
And, thirdly, we have no significant budgets and very little idea about how to deal with the “layer eight”, “wet ware”, people issues: how to respond to the mass of personal mistakes, accidents, lies and frauds that continuously occur in all organisations. These are the events that we fail to see, or perhaps turn a blind eye to. This problem, of course, will be addressed in detail in my new book on “Managing the Human Factor in Information Security” due out in January 2009. Amazingly it’s the first major book on the subject. That says a lot for a subject area that’s been around for several decades.
Back in the early 90s, in Shell, for example, we employed behavioral psychologists and creative teams to help address this area. Unfortunately, this seems to have been the peak of effort in this area. The state of the art has stood still since then. I’ve long been advising organisations to spend at least 10% of their security budget on security education. But they don’t. And if you look at the agenda for forthcoming conferences, such as RSA 2009, you’ll find not a mention of the subject. Our thought leaders are failing to provide the guidance we all need in this area.
So expect this problem to get increasingly worse until organisations realise they have serious policy, governance and implementation weaknesses in this area. And don’t expect a quick fix. It’s a complex problem space, and an even more difficult solutions space.