Get systems right first

BCS president calls for improved systems development rather than increased powers to prosecute when systems fail. John Kavanagh...

BCS president calls for improved systems development rather than increased powers to prosecute when systems fail. John Kavanagh reports

IT staff are facing a tricky balance between maintaining professional standards and meeting demands for fast development when producing e-commerce systems. So says BCS president David Hartley in a message to people in the field.

And, he says, emphasis must be on getting systems right in the first place rather than on stronger prosecution powers to help customers after things go wrong.

In a message to members and others in the BCS membership magazine, published this week, Hartley, a senior IT director, points to recent security breaches at Barclays Bank and Powergen which enabled some customers to see information about other people's accounts.

These cases brought calls for more powers for the Data Protection Commissioner - but Hartley says attention should mainly be directed elsewhere.

"Prevention must be better than prosecution," he says. "The Data Protection Commissioner has identified the need for more resources to carry out her statutory role, and it is important that this issue should be addressed - but building public confidence in the technology requires more than this.

"We need to know why security breaches occur when they do. There are stories of new e-commerce systems being developed to remarkably tight deadlines. Does this imply that less than professional standards have been used? I would hazard a guess that these applications have been developed by staff under great competitive pressure," Hartley says.

He suggests such pressure is almost inevitable as companies try to outdo or even just keep up with each other on the Internet. "We should recognise that e-commerce is being introduced in an era of escalating rate of change and great emphasis on time to market," Hartley says.

"Traditional long lead times for development and implementation will not be tolerated in such a fast-moving environment."

He continues, "The need for e-commerce applications to be at the same time user friendly and secure means that ease of use must not necessarily be coupled, for example, with cumbersome encryption processes which could deter customers from using the technology and thus deny businesses - particularly small and medium sized companies - the competitive edge they require."

But this does not mean traditional development values are ignored, Hartley says.

"What should we as professionals be doing about this?" he asks. "Certainly we have a responsibility to ensure that the public has the means to be confident that their personal data is kept secure, and, where it is not, that the resources are available to impose sanctions. But we must endeavour to ensure high professional standards in both the development and operational process.

"This will include the traditional virtues of good project management, use of proven methodologies, and adequate testing."

Read more on IT risk management