Please no - not another security inquiry

Tory MP Grant Shapps has used the Freedom of Information Act to discover that the government lost 53 computers over the last year, and is demanding an inquiry. If this claim is to be believed, then it works out at one computer a week. And I don’t believe a word of that.

The FoIA responses also revealed the loss of 36 Blackberries, 30 mobile phones and 4 memory sticks. The Department of Health apparently had the highest loss rate, with 14 PCs going missing. However, they claim that all the machines were encrypted and marked with invisible dye, and that only one incident involved the loss of personal information.

But let’s think about this for a moment – how many government employees work across the whole of central government, and at how many locations? How many PCs, laptops, Blackberries and memory sticks are in use? I don’t know either, but I’ll bet it’s tens or even hundreds of thousands of items. And we’re asked to believe that just 53 have been lost? Sorry, I’m not buying that for a minute. There’s a distinctly unpleasant smell about that statistic. Interestingly, the broad media response seems to have been shock that as many as 53 have gone, but if I were the CISO of a massive and distributed organisation that had lost just 53 machines, I’d be damned pleased with that statistic. And if I were a politician releasing that data, I’d be damned pleased that nobody had noticed that it was completely unrealistic.

So, let’s assume that Mr Shapps gets his wish and there’s another inquiry into the 53 lost PCs (rather than a promotion for the CISO who only lost 53 of his thousands of PCs), what exactly would that achieve? We’ve been inquired to death over the past twelve months: Thomas/Walport, Burton, Hannigan, O’Donnell, Coleman, to name but a few. These are all good investigations that have come up with insightful and worthy recommendations, but what has become of those recommendations? Where are all the Privacy Impact Assessments we were promised? When are all the government systems going to have Accreditation Document Sets and appropriate security controls? When, in fact, will we see any culture of respect for personal information at all?

If we’re going to hold an inquiry, I’d like to see one into how HM Government has been so successful in protecting its PC hardware assets, so that industry can learn from this incredible commitment to security and get its own loss levels down to the same scale. That would be an inquiry worth having…

1 comment

But how right you are either way - NO MORE INQUIRIES - the public purse CLEARLY cannot finance them and there is absolutely NO NEED. The government just need to apply the JFDI school of delivery, given that all the tools, hints, tips, guidance, policy, procedure, strategy - you name it, the whole kit and caboodle - have all been made available to those who need to know. All that appears to be missing is the requisite mind probe - aligned only with a significantly more ethical and professional approach to fulfilling the role of SIRO or equivalent - that means a full understanding of what is required and an adherence to the above delivers the required culture change and improved security best practice.