With data breaches coming to light in organisations of all sizes and calibres, it is encouraging to see that the Information Commissioner's Office (ICO) has launched an initiative to address data security, writes Mike Gillespie, managing director at Advent IM.
The Personal Information Promise, a bid to encourage safer data handling practices, is a superb idea conceptually. This voluntary charter, which permits businesses and government departments to "demonstrate their organisation's senior level commitment to data protection", makes it very simple to display a commitment.
Many companies, however, will arguably use this Personal Information Promise as a pure marketing mechanism. It also raises the question of how much more an organisation can do voluntarily than it should already be committing to as part of its legislative obligations.
Although it might be perceived that security is high on the agenda for the CIO, it still does not gain the financial backing that is required to make strategies or 'Promises' work effectively. Security, information management and information risk management should stop being seen as a costly add-on and in some cases a 'perk'. Instead, they need to be seen as fundamental core business requirements.
To really raise security on the board level agenda, the ICO should lobby the government to set the example in the first instance, rather than approaching the end business as the solution to the ever more frequent threat of data loss.
By getting buy-in from the Government, the ICO can highlight this core business issue by first approaching blue chip companies before this message filters down through the business community.
Without the appropriate strategy in place, another large data loss is inevitable; it will just be interesting to see with whom, or where, the prosecution lies, if at all.
Further, businesses need to stop seeing technology as the answer to data protection. Technology is an enabler, not a solution. Instead, businesses need to deal with issues holistically and look at how security can be used as a business enabler to complement business practices, enable efficiency and flexibility, while keeping risks within tolerance.
They must attract key stakeholders to buy in to security from the off, so that any corporate security policies generated are received from the whole company. Failing that, even a statement acknowledging that security is an important part of any business's success (proactive instead of reactive) is paramount.
All organisations must set business objectives that incorporate points from the security manager. Recognising this role as central to the business guarantees that security sits as the backbone of the wider business plan, developing as safe and secure an environment as possible, both physically and virtually.
These business objectives should be linked to time, and time should be linked to threat, risk and ultimately countermeasures. In hand with this, businesses need to understand that threat changes with time and therefore needs constant review.
The list of signatories thus far to the ICO Promise is on the thin side and, interestingly enough, to date does not contain any central government departments. Surely this should be supported at the highest level with, for example, all police forces, all councils and the entire NHS signing up, not just the odd few? With backing from the likes of the Cabinet Office, I am sure the ICO could 'promise' a bit more clout.