How do we rebuild boardroom confidence in on-line security after the PRISM controversy?

Whatever you believe were Edward Snowden’s “real” reasons for passing his files to the Guardian, or theirs in publishing them, the result has been a sharp rise in boardroom concern over the security, or otherwise, of organisations’ on-line operations. The past week has done more than anything since the lost HMRC discs to get main board directors asking whether they are getting value for their information security spend and whether the objective should be mere “compliance” or genuine “protection” against the threats of today. This should be good news for heads of Risk and of Information Security, but most are too bogged down with data protection, breach notification and ISO 27000 to make use of the unique window of opportunity that has been presented to them. Meanwhile the suppliers, salesmen and lobbyists still engaged in hyping Big Data, Cloud, Off-shoring and Outsourcing, without seriously considering the implications for security and resilience, let alone flexibility, face an even bigger challenge.

It is now nearly a fortnight since I tried to put the realities behind PRISM into perspective. Why is the revelation that the security services are doing that for which we pay them seen as a bigger threat to confidence in the on-line world than the rising tide of fraud, impersonation and abuse, or the implosion of our communications and energy infrastructures?

Whatever the answer, there is a profound collective challenge to those who really do want their customers to believe they are serious about security, as opposed to mere compliance.

It is almost exactly a year since the City Values Forum asked the Ethical and Spiritual and Security Panels of the Worshipful Company of Information Technologists to look at the issues of applying traditional standards of conduct, such as “My Word is my Bond”, to the on-line world. We quickly came to the conclusion that, while there is much good material, including on community policing for the on-line world (from the ground-breaking eurim-IPPR study onwards), little of it would help bring about the changes of attitude necessary to ensure that the wetware (people and processes) is in place to make effective use of the hardware and software already available. Hence the original idea for a competition to enlist the talents of the thought leaders of the future, who will have to live with our failures.

There was massive initial enthusiasm for the idea, but less so when it came to putting up funds and seconding staff to organise a high-profile exercise. What was announced at the end of May is therefore a scalable pilot, using the resources available and the framework of the Cyber Security Challenge to reduce cost and risk and to cross-fertilise contacts. Even so, the potential is profound: fifteen universities (now sixteen, with more coming on board) working together, and with their industry partners, to get their students to look at the issues of cyber-security through the other end of the telescope: how do we rebuild trust?

The Earl of Erroll has agreed to chair the panel of judges: his family has been in the trust business since his ancestor guarded the back of Robert the Bruce during the darkest days before the Battle of Loudoun Hill. The Rt Hon David Blunkett MP has agreed to be a Patron: his experience of, and interest in, the issues is profound. The exercise is intended to grow over the next three years as success breeds success, with the success of the pilot being measured by:

  • enhanced university–industry partnerships leading to apprenticeships, internships and jobs
  • ideas that also improve UK/EU competitiveness as a location for globally trusted operations
  • supporters achieving their objectives (including corporate social responsibility and publicity) and willing to work together to build on success in years two and three

There are already ideas for extending the scope to include awards for companies and organisations that help improve confidence but those are for next year.

Meanwhile, however, the controversy stirred up by PRISM adds an urgency that was not there when we were originally trying to turn interest into commitment.

If you are serious about wanting to improve the confidence of your board, let alone your customers, in doing business on-line, the time has come to “put up or shut up”. Use the e-mail link on the competition page to offer support to Malcolm John, or contact me via my old eurim e-mail (which still works, although I am now only an honorary advisor to its successor, the DPA) and I will forward as necessary.

The Digital Policy Alliance, which the Earl of Erroll also chairs, hopes to harvest ideas for input to policy discussion. In the meantime it already has sub-groups looking at some of the more obvious ways of improving trust, such as using the “trusted computing” hardware components in most Android phones to help ensure that those running a supposedly secure system know which devices are talking to it, from where and, hopefully, who is using them.

I have recently attended several meetings scrutinising current proposals and organising responses to consultations. These commonly show an increasing (not decreasing) gulf between policy aspirations and current reality. Except for those organised via the DPA they also tend to be dominated by lawyers and consultants looking for compliance business. They are part of the problem, not the solution.

I therefore also remind readers that the DPA still has the old EURIM routine for individual membership (originally designed for members of the CW500 Club), which can be credited against corporate membership once an organisation has come to appreciate not only what is at stake but the value of working in partnership with its peers to halt that most dangerous of threats: “ignorance in motion”.


This was an interesting article, and there are some valid points made about how users and firms should be more proactive.

I feel the author missed some of the main points.

1. PRISM (meta data collection) and the GCUK (tapping of Fiber lines leaving/entering the UK just outside the UK border before the data is protected by UK law)

These are a completely different step change in security from asking companies (CEOs/boards) to better protect the data they have.

The internet has effectively been compromised, and not by the expected hackers, but by ill-advised and poorly thought out ethics of how to capture the data needed by governments.

2. The IT industry (vendors/professionals) has been selling the idea that the Internet is reasonably safe as long as users/companies take what they call reasonable care with the data, i.e. anti-virus/anti-malware and an understanding of social engineering etc.

Unfortunately point 1 undermines this whole issue. The very points of communication, or servers storing the data, that should be secure have been compromised.

Boards/CEOs should look at the internet and now see the following:

a. Why cloud services? What is the reputational risk my company will receive if customers’ information is released? (Now it is not just hackers that I have to worry about: the suppliers of the services could be forced to provide this information without my knowledge.)

b. Will my company now be in breach of the Data Protection Act (or US/national equivalent)? I.e. I have private customer information stored on a server in the US that I now know could be being shared without my company’s consent.

c. What if I am transferring data between different countries, e.g. the UK and Germany, and I have satisfied the German auditors and regulators of the security of the data? Now that the GCUK have tapped the fiber lines and are collecting this data, is my company in breach of German law?

So again, the whole point of the shock of PRISM and the GCUK was not that governments were collecting data, but the level, detail and retention periods of that data and the use of loopholes to get this data.

While we can all agree that no one can blame governments for collecting the data to protect their citizens (in fact I for one would expect this), it is this breach of the expected ethical spirit to which we as individuals hold our public sectors that creates the problem.

The additional ethical dilemmas that CEOs/boards are now in are that they are potentially in breach of different national laws and regulations through no actions of their own, but through the very governments who create these laws and enforce them.

Do take a look at my other “competition” and also my original attempt to put PRISM into perspective. The internet is indeed thoroughly compromised, but not just by PRISM. One of the better results of the PRISM controversy is the realisation of just how compromised it is, and of the need to take effective action. Read the press coverage on the compromises of US security and defence contractors, certification authorities and payment services. PRISM is almost the least of the corporate insecurity problems. Note also the legal minefields faced by anyone seeking to base a trustworthy on-line business outside the UK (where RIPA, including the “lawful interception of business communications”, appears to be, in practice, a very much more robust regime than FISA and its equivalents in Germany, France, China etc.).