I blame the old men

So, last week we had the latest in a long line of data loss incidents: a member of Atos Origin’s staff left user and password data for the Government Gateway in a pub car park. I look forward to hearing confirmation that both the individual concerned and the individual responsible for management of the project have both been asked to revise their career aspirations. But this was in the same week that the Minister responsible – Work and Pensions Secretary James Purnell MP – had to apologise for leaving confidential documents on a train. Are the two cases really so different, and can future incidents be avoided using the same controls?

There’s little doubt that the technology age has simplified the process of losing vast amounts of personal data – after all, you try losing 25 million paper records. You’re going to notice them missing pretty quickly, and will probably be rather easy to find again. But when CDs and memory sticks go missing, it’s often blamed on ‘junior clerical staff’ or ‘junior officers’ – easy whipping boys who can be given the blame for either a) making a genuine mistake, b) making a stupid mistake whilst under the influence, or c) acting under orders. Our problem here is that the shabby compliance regimes that allow these incidents to happen are invariably established and run by much older people, and in the case of the IT industry, it’s a sad fact that they’re too often male (not a desirable state of affairs, since things would probably run much better with more senior female managers – but that’s another blog).

The old men mandate the systems and the processes around them. They control the governance and audit regimes. They claim to be responsible for overall management, although they rarely accept accountability. But all too many of them don’t actually understand the technology they’re responsible for.

After all, how many of us have to provide IT support for our elderly relatives? My father, for example, is an accomplished and highly skilled engineer who has designed brakes on racing Ferraris, managed the build of massive cement works, and rebuilt a pre-war sports car from the ground up, manufacturing many of the components from scratch in his workshop. He’s an intelligent, practical and capable man. But put him in front of a computer, and he’s almost immediately reduced to a burbling wreck who phones me regularly with complaints such as “where’s the thingy, the number thingy, you know, where’s that gone?”.

I’ve had several bosses over the past fifteen years who have their secretaries print out all their emails. They hand write a response on the bottom. Then the secretary types it in. And these are people who claim to be masters of technology, with responsibility for huge technology projects. I appreciate that their experience and detachment from the day-to-day minutiae is invaluable, but how are they meant to understand what the risks are, and what the appropriate controls might be, if they can’t master Outlook?

So, the real decisions that affect the security and integrity of our personal information are being made by people who struggle to programme a VCR and don’t really understand what technology can or cannot do (a case in point is ContactPoint – the Children’s Index – where the solution to security problems dictated by these old men to their secretaries is “don’t put our kids’ data in it”). We desperately need to refocus our efforts on training and supporting the most senior levels of management, whilst simultaneously holding them accountable for their decisions.

And I have a solution that will make it happen. Send them on a training course to give them a proper grounding in modern technology, and whilst they’re out of the office, take away their secretaries. Take away their pens, and their paper. And swap them out for laptops (properly encrypted and protected in accordance with best practice, of course). Make them live in the real world of technology, make them understand what it can do, and make them suffer when it fails, just as the rest of us do. And make sure their personal information is the first to be entered into every sensitive database out there, so that they can be sure to be the first to suffer if they get it wrong. That should focus their attention on what matters.

Oh, and every once in a while we’ll swap their laptops for Etch-a-Sketches. Anyone who fails to notice should get the sack immediately – they can stand in line behind the Atos employee…

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Well Said.....
Do you really think age is the issue. I'm really quite old but I can still understand the importance of data security whether it be in paper form or computer files. Is it not the fact that the government over many years have developed the art of employing stupid people, which is why they then have to spend a fortune bringing highly trained consultants.
Heh I used to work for an old man for a large event ticketing company (think TicketMaster) who REFUSED to pay for an antivirus for the 100 or so computers on the network... And company internet traffic security was (sit down for this one) a modified hosts file! Then there's the old men that refuse to upgrade their hardware, and complain at you when you have to come back every month or so to perform CPR on their ancient servers. To Rob... The blurb doesn't state ALL old men are fuddy duddies! :)
And was it an old man, or a dishonest young chancer, who picked up the memory stick, took it away (ie STOLE IT), found out what was on it, and took it to the papers for a few quid that have probably all been spent on trashy games ?