How do we rebuild boardroom confidence in on-line security after the PRISM controversy?

Whatever you believe were Edward Snowden’s “real” reasons for passing his files to the Guardian, or theirs in publishing them, the result has been a sharp rise in Boardroom concerns over the security or otherwise of their organisations’ on-line operations. The past week has done more than anything since the lost HMRC discs to get main board directors looking at whether they are getting value for their spend on information security and whether the objective should be mere “compliance” or genuine “protection” against the threats of today. This should be good news for heads of Risk and of Information Security but most are too bogged down with data protection, breach notification and ISO 27000 to make use of the unique window of opportunity that has been presented to them. Meanwhile the suppliers, salesmen and lobbyists still engaged in hyping Big Data, Cloud, Off-shoring and Outsourcing, without seriously considering the implications for security and resilience, let alone flexibility, face an even bigger challenge.

It is now nearly a fortnight since I tried to put the realities behind PRISM into perspective. Why is the revelation that the security services are doing that for which we pay them seen as a bigger threat to confidence in the on-line world than the rising tide of fraud, impersonation and abuse, or the implosion of our communications and energy infrastructures?

Whatever the answer, there is a profound collective challenge to those who really do want their customers to believe they are serious about security, as opposed to mere compliance.

It is almost exactly a year since the City Values Forum asked the Ethical and Spiritual and Security Panels of the Worshipful Company of Information Technologists to look at the issues of applying traditional standards of conduct, such as “My Word is my Bond”, to the on-line world. We quickly came to the conclusion that, while there is much good material, including with regard to community policing for the on-line world (from the ground-breaking eurim-IPPR study onwards), little would help bring about the changes of attitude necessary to ensure that the wetware (people processes) is in place to make effective use of the hardware and software already available. Hence the original idea for a competition to enlist the talents of the thought leaders of the future, who will have to live with our failures.

There was massive initial enthusiasm for the idea but less so when it came to putting up funds and seconding staff to organise a high-profile exercise. Therefore what was announced at the end of May is a scalable pilot, using the resources available and the framework of the Cyber Security Challenge to reduce cost and risk and cross-fertilise contacts. Even so the potential is profound: fifteen universities (now sixteen, and more coming on board), working together and with their industry partners to get their students to look at the issues of cyber-security through the other end of the telescope: how do we rebuild trust?

The Earl of Erroll has agreed to chair the panel of Judges: his family has been involved in the trust business since his ancestor guarded the back of Robert the Bruce during the darkest days before the Battle of Loudoun Hill. The Rt Hon David Blunkett MP has agreed to be a Patron: his experience and interest with regard to the issues is profound. The exercise is intended to grow over the next three years as success breeds success, with the success of the pilot being measured by:

  • enhanced University–Industry partnerships leading to apprenticeships, internships and jobs
  • ideas that also improve UK/EU competitiveness as a location for globally trusted operations
  • supporters achieving their objectives (including corporate social responsibility and publicity) and willing to work together to build on success in years two and three

There are already ideas for extending the scope to include awards for companies and organisations that help improve confidence but those are for next year.

Meanwhile, however, the controversy stirred up by PRISM adds an urgency that was not there when we were originally trying to turn interest into commitment.

If you are serious about wanting to improve the confidence of your board, let alone your customers, in doing business on-line, the time has come to “put up or shut up”. Use the e-mail link on the competition page to offer support to Malcolm John, or contact me via my old eurim e-mail (which still works although I am now only an honorary advisor to its successor, the DPA) and I will forward as necessary.

The Digital Policy Alliance, which the Earl of Erroll also chairs, hopes to harvest ideas for input to policy discussion. In the meantime it already has sub-groups looking at some of the more obvious ways of improving trust, such as using the “trusted computing” hardware components in most Android phones to help ensure that those running a supposedly secure system know which devices are talking to it, from where and, hopefully, who is using them.

I have recently attended several meetings scrutinising current proposals and organising responses to consultations. These commonly show an increasing (not decreasing) gulf between policy aspirations and current reality. Except for those organised via the DPA they also tend to be dominated by lawyers and consultants looking for compliance business. They are part of the problem, not the solution.

I therefore also remind readers that the DPA still has the old EURIM routine for individual membership (originally designed for members of the CW500 Club), which can be credited against corporate membership once an organisation has come to appreciate not only what is at stake but the value of working in partnership with its peers to halt that most dangerous of threats: “ignorance in motion”.