Let’s stick to the facts. The public sector has more data breaches. In the six months up to April 2008 there were 62 serious incidents in the public sector against 28 in the private sector (as reported here), and, as commented, the private sector incidents are most often the result of sophisticated attacks, while the public sector data breaches are almost always the result of a cock-up.
I dislike using the alleged youth of information security as an excuse. Take the following quote: “Despite a growing awareness of computer vulnerability, the current status of computer security in most installations, when compared to the current level of technical sophistication, can most charitably be described as primitive.” This actually comes from the very first issue of the Computers & Security journal, published back in 1982. The same article (entitled “Computer Security, A Current Assessment” by Samantha Fordyce), with its references to insider threats and the changing nature of computer vulnerabilities, could easily be taken for something written far more recently. So, if understanding of the issues was already in its infancy 27 years ago, the continued lack of understanding certainly cannot be excused as the growing pains of an industry in its infancy here in the 21st century.
We can also refer to some more recent literature. The Coleman Report, for instance, an independent view of public sector information security published in the middle of last year, stated that the government is “trying to address (information security) challenges”; however, “adequate mechanisms were not yet in place to support them in achieving this.” Much more disconcerting is the fact that the same report states that the government had still not signed off on a set of baseline security standards.
For all the “security theatre” of the private sector, the potential consequences of poor information security keep us on our toes. For my own part, a lack of foresight would be no excuse for poor hindsight in the eyes of the company board if the business were to suffer a serious incident. Information security is a process rather than a project: ongoing, continually evolving, but still with eyes firmly focused on the fundamentals of protecting electronic data, fundamentals that have now been around for the best part of half a century.
Until the public sector can get its head around this approach, it will forever be treating security as another project task that can be completed by setting a deadline, slinging the latest version of ITIL at another set of hapless civil servants, and another bucketload of cash at external consultants.
If security were cars, I’m in something modern, German, with lots of safety features designed in as standard, and good brakes so I can go faster. Duncan, you’re in an old Ford Anglia, it’s got wobbly wheels, a rusty exhaust, and you’d better hope you don’t have any steep hills to go down.