Death by Data Protection III: paralysis from the top.

Yesterday at Infosec the Information Commissioner said that the Cabinet Secretary’s Review was expected to be focussed on “issues of accountability and governance”, indicating that the heads of departments would be personally responsible in the event of serious data breaches. But where is the guidance on how to share information securely going to come from?

At a recent conference of CIOs and their teams John Suffolk said that they had found over 200 ways of connecting Blackberries to the Government Secure Network, but there was only one approved way. Meanwhile organisations with very limited IT budgets, like the Citizens Advice Bureaux and Salvation Army, routinely encrypt all laptops to civilian versions of the standard to which the lost MoD laptops should have been encrypted.

Today I am due to chair the session on “The Case for a Police Central Co-ordinating Unit” and expect to pass a few comments of my own on the need for users to put a fraction of what they spend with the snake-oil salesmen into co-operation to track, trace and remove those whose malpractice has created the £3 billion e-security industry whose success is such that Infosec is bursting at the seams while the cost of e-Crime rises inexorably.

So what is missing?

On June 10th EURIM will be organising a showcase for politicians and officials on experience to date with secure identity management and information sharing: building on the experience of organisations that have been doing this electronically for twenty and thirty years and more – without a leak.

We are also looking at organising an event later this year to test whether the ICT professional bodies have the will and support to move from vague and incomprehensible “guidance” (of value to consultants, lawyers and bureaucrats only) towards “practice notes” – breach of which is prima facie evidence of misconduct.

Twenty five years ago, when I was running the NCC Microsystems Centre, I circulated check lists of do’s and don’ts produced by my staff for peer review and published the results as our “guidelines”. Five years later I was delighted to see one of these used in court by an expert witness as “evidence” of what would have been good practice at the time. The other side capitulated two days later.

In parallel, however, those trying to use the momentum after the BCS acquired its Royal Charter to establish a regulated ICT profession backed off when the defendant in a hearing for professional misconduct hired legal counsel. In today’s “no win, no fee” climate the consequences could be even worse.

Nonetheless, the time has come to try again.

But is there the will, including the backing from reputable employers who will provide the necessary legal muscle to back up attempts at enforcement?

Because the professional bodies cannot do this on their own.

The cost of doing nothing, however, will almost certainly be the imposition of irrational and bureaucratic prohibitions that those seeking to meet business and customer needs will have to work around – the worst of all scenarios.