Death by Data Protection

Those who believe in the benefits of the on-line world must act rapidly and effectively to turn the current backlash against its perceived insecurity into well-informed votes of customer confidence in those who practice, not just preach, secure information sharing.

Suppliers and users, both public and private sector, have to work together to rebuild confidence that the proper use of ICT to support good “people systems” really does enable improvements in customer service and patient care at the same time as reducing opportunities for abuse. It will cost all of them (and their shareholders and taxpayers) dear if they fail to do so.

Which causes you more concern: that fragmented public sector systems would still not pick up children at risk like Victoria Climbie, that insecure centralised systems could put even more children at risk, or that major organisations appear incapable of applying decades of experience in using ICT to help trusted professionals who have never met securely share information?

On Wednesday evening a group convened by the ISSA (with representatives from the BCS, CMA, IAAC, IISP, IMIS, ISC2, the Jericho Forum and WCIT) agreed to try to produce a short “External Directors Guide to Information Risk Management” (or similar title).

Why “External Directors”?

Because they are commonly the only ones in a position to put security policies into overall business and social perspective before they are agreed. They are also, of course, personally liable for the consequences if they do not check that the policies are indeed implemented, followed and updated as necessary, over time.

We are about to hear the sound of regulatory and compliance stable doors being closed and bolted across the country, followed by the slow starvation of those horses which have not already escaped, as the naysayers move into overkill.

The economic and social consequences could be profound if we do not use the opportunity to move rapidly to establish the ground rules for secure information sharing.

There is plenty of good and relevant material around covering Information Assurance, including that produced over the years by IAAC. The need is to put it into overall business context: “the exploitation of opportunities to improve profitability, competitiveness and efficiency while ensuring that these are not put at unnecessary risk.”

If you know of other good material in this space please let me know and I will pass it on – or post a comment with the necessary references.

The ISSA group would like to hear from anyone who will bring relevant experience and/or resources to the table. The representatives of the professional bodies already include the Chief Information Security Officers of a couple of large UK London-based multinationals whose own systems are trusted by users around the world but which have long had concerns over the security of their customers and suppliers – let alone of the end-users with whom they increasingly wish to transact on-line.

On Monday afternoon I am due to meet with the chairman of the EURIM Personal Identity and Data Sharing Group to discuss his business plans for the year ahead. The EURIM group already includes representatives from most of the suppliers of secure information and identity management systems to both governments and the private sector in the western world, as well as from most of the professional organisations in the ISSA group.

Ten days ago one of the EURIM Corporate members hosted a small brainstorming to discuss the need to promote holistic approaches to data protection and identity information management which build on all that has been learned by the private and “voluntary” sectors in over a thousand years of organising trusted transactions between those who have never met: including the Knights Templar (remember the Da Vinci Code), who were indeed trained (quite brutally) to be able to lie under torture rather than reveal the shared secrets on which their correspondence banking network depended.

That EURIM programme has acquired a new urgency and a new objective – to restore trust.