External directors have the opposite problem to journalists. Under “fin de siècle capitalism” and in public sector “quangoland” they are sacrificial goats: little or no power to effect change but expected to share responsibility for failure. The time has come to butt back.
One obvious area is with regard to data protection and information governance, where almost no organisation, public or private, has received value for what it has spent on legal advice and consultancy, let alone on “compliance”, over the past decade or so. But a whole army of advisors is queuing up to sell the Board (and HMG) yet more expensive snake-oil.
Meanwhile the core problems are:
– no-one knows what the policy is, if there is one, let alone what it means to them
– no-one has checked its compatibility with mainstream operational practice
– no-one has exercised the disaster recovery and/or damage limitation routines
This has happened because the “experts”, all too often commissioned by those who can be spared rather than those concerned with operational performance or business benefit, have produced vast tomes of unreadable, legalistic, bureaucratic gobbledygook.
As readers of my past blogs will be aware, ISSA have agreed to produce a guide for directors, hopefully based on updating and simplifying that produced by IAAC in the past. In the meantime, material designed for Chief Information Officers (and readable by ordinary human beings) is available from the National Computing Centre and the British Computer Society. It is actually very inexpensive, but you do need to go via your NCC membership contact or a BCS professional member.
While you are working out how to do that, I would suggest ten simple questions for external directors to ask themselves before the next Board meeting:
– Have you ever seen, let alone read, the organisation’s information risk (or information security, data protection or similar title), policy?
– How long did it take you to read?
– Could you understand it?
– Did it complement the mainstream business operations and help achieve the objectives of the organisation – or did it get in the way?
– Are all staff in the company informed of the policy, why it is important and what it means for them?
– Are all staff trained/assessed in their understanding of the policy and how to follow it in their day-to-day jobs?
– Do all staff (at all levels) know who to contact when faced with a problem that is not covered by the policy?
– What are the company’s routines in the event of a serious problem and when were they last tested?
– Are you content with the answers to the above?
Astute readers will realise that there are only nine questions (albeit some are multiple).
That is because the economy is in recession and most budgets will be decimated (and every tenth member of staff will be fired, unless you can slash the external spend by even more).
But a £5,000 saving has now cost HMRC well over £2.25 million, before allowing for reimbursing police and other external costs. Before you agree to any cuts in the security budget, suggest that existing staff be given a modest allowance (cost and time) to network professionally with their peers, update their skills and then present a “headlines only” business risk assessment to the board.
My speech and presentation to the ISSA pre-Christmas reception indicate some of what I personally think they will find and how you might then task them to get rather better value for money in the future.
P.S. After posting this I was reminded that I have left out by far the cheapest and most authoritative source of good advice: the Information Commissioner’s website. You will then discover that much of what you have been expensively told is unnecessary or actually wrong. I have yet to find anything that makes good business sense that is forbidden – provided you give a “plain English” explanation of what you are doing and why.