How to stop your kids swearing (or how to deal with BYOD)

Last week was the UK&I McAfee Customer Summit, where 400-odd customers turned out at Chelsea Football Club to hear the great, the good and the unpronounceable from McAfee discussing what the future looks like if you sign on the red dotted line. It was, by any standards, a belting event, and the two guest speakers, Gyles Brandreth and Dame Stella Rimington, had the place either roaring with laughter or wondering whether this really was who ‘M’ was based on. I’ll leave you to decide which way around that worked.

I was running one of the breakout sessions, and in my sessions I looked at a future strategy for McAfee Public Sector and the environmental issues we face in our world.

As usual, I tried to chuck a few controversial statements into my talk, mainly to make sure people were paying attention. And as usual, one phrase caused more discussion than most.

I had in bold “if you can’t secure it, you shouldn’t use it”. Ostensibly this refers to BYOD, but more generally it covers any kind of technology where corporate data resides, or where that data is at risk of interception or leakage. We discussed various real cases where security staff are put in the position of being coerced into letting staff use unsuitable machines on a network.

And so the question is – how do we stop it? It’s a bit like trying to stop your kids swearing. We all know your average 13-year-old schoolkid uses bad language in the school playground that would put Malcolm Tucker to shame. We know this to be true because we’ve all been there, and enjoyed the thrill of naughty words. The trick, as responsible parents, is what to do about it. Do we ignore it, and hope they don’t bring it home and use it in front of Aunty Lyn? Or do we deal with it head on? Those of you with a more disciplinarian streak will feel that head on is the best approach, but honestly, when they are out and about, will they care that you’ve given them the third degree at the dinner table? Alternatively, the more libertarian amongst you may decide that telling them not to do it and hoping they grow out of it is a good approach (they won’t – go to a football match or the pub to hear grown-ups swearing en masse).

Similarly, in a simple world, telling staff that using their iPad is dangerous for infosec reasons would generate a lightbulb moment and staff downing their tablets. Sadly, as Nadine Dorries is about to find out, the world is not simple, and a simplistic outlook may well backfire.

In our discussions at the Summit we did reach a consensus: trying to hold back BYOD is like trying to hold back the wind. So the trick appears to be to secure the data, not the device. If you can do this, as well as making a good attempt to secure the device too, you give yourself a fighting chance.

The solution appears to be layering technology to deal with the different threats: user-bought devices need to be identified and tagged, data needs to be moved around securely and probably encrypted, DLP needs to be deployed to control where data can go, and, as Dame Stella said, acknowledge that people are your weakest link and work on them. Deploy anything less than sensible measures and you will lose control of your data. A positive approach, accepting that you can’t stop BYOD happening, with some emphasis on staff understanding the risk (if not the specifics of the technology) and giving informed consent, appears to be the only approach that has a hope of working.

Otherwise you are going to end up with a whole pile of missing data, and all of us doing our best impression of a 15-year-old schoolkid’s swearathon.

Posted in Bring your Own Device, BYOD, Consumerisation, Cyber, Information Security, InfoSec, McAfee

Austerity and Agility (or, Soap Gets in Your Eyes)

I live in a very pretty village in the Cotswolds. The cottage where I live is over 200 years old, and has all sorts of things which Estate Agent types would describe as ‘period features’. In English, this includes mice, gaps around the doors and draughts.

One of the other downsides of living in a small village is the water pressure. When I’m in the shower, if someone else in the village goes to fill their kettle to make a cup of tea, the water flow in the shower drops and I am scalded or sprayed with freezing water. Cue cursing and yelling until the water pressure comes back up and I can frantically wash the soap out of my eyes.

It’s a pain, but it’s a pain I can put up with, as I love my little cottage and it’s a price worth paying.

This morning, as I hopped about cursing my neighbours, it struck me that this is mildly analogous to the situation faced across many public bodies right now.

The reality is, there is only so much money to go around to be spent on cyber defence. Austerity is biting, and biting hard, and it’s going to be a while before we can all metaphorically wash the soap from our eyes.

So how can we deal with the reality of this? The answer to my mind is to be utterly clear. Austerity means headcount reductions. From Localism in Local Government to the continued need for deployment in theatre by our Armed Forces with smaller troop numbers, headcount reductions mean two sets of outcomes: firstly, a need to maintain BAU (business as usual), and secondly, a clear focus on service delivery needs. Nothing else matters.

To manage this, agility is the keyword. How can we do things that allow us to meet BAU and service delivery? In the world of security, I believe our time has come to join the party. We are a maturing sector, and can offer a renewed vigour in meeting these needs. We MUST focus on intelligent, automated and integrated systems that offer our customers minimum fuss and maximum intel, and that do not get in the way of, and indeed promote, service delivery.

Similarly, customers must stop being prescriptive, and position their requirements against BAU/service delivery needs rather than against what they think they might want product-wise.

I am going to be talking about these issues at the McAfee Summit and IA12, and I’d very much welcome your views.

And until the flow of money returns, we will have to work a bit smarter and a bit harder to ensure that what flow there is, is used to best effect. And make sure there is no soap in our eyes.

Posted in Bring your Own Device, BYOD, Cloud, Cloud Computing, Cyber, G Cloud, Govt ICT Strategy, Information Security, InfoSec, McAfee, Security

Sleeping with the Enemy

So I’ve changed jobs. This is not an unusual phenomenon. It happens all the time, especially in supply-side ICT – and even more so in Sales.

However, this has been a rather odd sensation, in that I moved from a company I loved working for (Sophos) to the dreaded enemy of Sophos, McAfee. I’ve spent the last two and a half years fighting my new employer tooth and nail, skirmishing and working to outflank them. And now I’m working for them.

There are two questions you may have right now. The first is ‘Why did you do it?’ And the second is, ‘How can you be credible?’

Both questions can be answered in the same way if I’m honest. And sorry to disappoint, I won’t be dishing the gossip or dirt. Even as a reconstructed sales person, I still have some morals. Buy me a glass of wine though. That should cure that.

The backdrop to the answer is the ability to execute in the current cyber defence scenario. In the older, simpler days, security was pretty much about delivering AV and a bit of encryption. The problem now is that the threat vectors are myriad and the threat actors more cunning (and, let’s be truthful, in many cases state sponsored). Managing security has spiralled into a major full-time occupation. How many people have you met with ‘Cyber’ in their job title compared to this time last year? Loads is the answer.

The reality is that as more and more of our lives are delivered online, the need for security that is integrated, automated and covers loads of different areas is paramount. This isn’t going to turn into an advert for my new employer – you can go here and wallow in Gartner reports, exec briefings from Americans with improbable haircuts and nicely shot videos for that.

But given the views on security I have posted here in my time blogging – summarised, that it should be less intrusive, take more of an all-encompassing Health and Safety type approach, and be an enabler rather than a barrier to life in general – when the offer came along to work for an organisation that meets those views, it seemed churlish to say no.

And let’s be honest, with a UK HQ in Slough, it’s not like I’m going for the scenery is it?

And so now my feet are under the desk and I have worked out who the important people are (IT, the receptionists, the chap that does payroll and the nice PA to the boss), I’m going to get back on it. I look forward very much to seeing you all back out on the stump.

And mine’s a nice glass of something dry, French and white, please.


All quiet on the East end front

It’s the summer season. Queues on the M5 as people pile down to Devon or Cornwall, chaos at airports and, normally, rubbish on the television. But not this year, of course, with the Olympics, or Sportsday as some of my friends in the Whitehall village have taken to calling it.

It’s also unseasonably quiet on the security front. Like the footfall figures for Oxford Street, it’s all a bit less than we thought it would be. Chatting to a few chums in organisations you’d expect to be busy, they profess to being happy with the way things are going.

Two things have struck me about the scenario as described.

The first is that there is a bit of Y2K about all of this. Those of you (like me) old enough to remember watching the Rockford Files before bed on a Saturday will have been working when the Millennium Bug fast approached. The thinking ran that lots of IT kit wasn’t capable of dealing with the tick-over to ‘2000’ because it stored the year as only two digits. So everyone went mad, buying new kit, upgrading software and generally busying themselves taking precautions. Then when December 31st 1999 turned into January 1st 2000… nothing happened. The papers cried foul, lots of people complained that the whole thing was a fix and that it was just a money-spinning idea by the IT industry. Ummmm. Or maybe it didn’t happen because everyone sorted out their kit and upgraded their software. It’s a bit like complaining that after getting your family to the tornado shelter, you’re a bit disappointed that a whirling, mooing cow doesn’t land on and squash grandma. You’ve done the hard work, and now you are safe. So could it be that the reason there hasn’t been a major incident is because we all took it seriously and prepped properly?

Of course the other side of this line of thought is slightly more sinister. This line says, there has been an attack, it’s quite bad, in fact so bad, it’s not being talked about. And we’ll find out soon what’s happened. But then again, if we don’t know about it, then there’s no point worrying, especially if the lights are still on about the place.

So my message for today? Enjoy the sport, celebrate the successes and keep your fingers crossed that all of us, in whatever small way, have done our bit for a secure Summer.

Posted in Cyber, Data Breach, Government ICT strategy, Govt ICT Strategy, ICO, Information Security, InfoSec, Security, Sophos

Bad tempered blog – the bad business case

I read this article last week and it irritated me enough to make me curse out loud whilst sat in one of our German offices, causing consternation amongst my Teutonic colleagues.

It reports on a speech given by a bloke who works for a company that spells its name funny (starts with small letters, capitals in the wrong places; my English teacher would have fainted at such grammatical terrorism), who was reported as saying something like ‘councils don’t have websites, they ARE websites’. He points to Amazon, identifying that the global retailer of ‘just-about-everything’ employs more people in the warehouse alone than most councils, yet most people only think of Amazon as a website, not a huge workforce of people in beige warehouse coats.

It is hard to describe just how damaging this sort of rubbish is. But I’m going to have a go anyway.

The Council website is a means of communication and a purveyor of some transactional tasks. It does not protect vulnerable children. It does not ensure little old ladies get their meals. It does not work out why mortality rates are different on one side of a city compared to another. It may help out, but it’s by no means the sole solution, and frankly, if it goes down, the aforementioned services take precedence.

Putting your Council on an App (an idea I have heard floated) so people can instantaneously report a damaged wheelie bin is a ludicrous idea, because the App will get used a few times and then deleted. Most people interact as little as possible with their local authorities because, frankly, they are doing other more interesting things.

The point I’m trying to make is that ICT departments can enable change, can reduce costs, and can help make staff mobile and more productive. But let’s get some perspective here. The business case for ICT spend is always, always, always about reducing costs or improving service delivery. It can’t replace vital services and staff relied upon by vulnerable members of the community. Some perspective is called for when making grand sweeping statements, and care taken when setting expectations.

The final point I noted is that the chap talking at this conference got a rousing response. Of course he did. He was talking to the people that run the websites. They were the ones who attended the conference, because that was what the conference was about. I wonder, if he had delivered the speech to a load of Chief Execs, whether they would have given him the same rousing reception, or instead been as rude as those funny-looking business types off Dragons’ Den? Preaching to the converted achieves nothing. Go down to any house of religion and tell them how much their God loves them and you will be very popular. Send Richard Dawkins down and you have a much more thought-provoking discussion.

It doesn’t matter who’s right on these topics; I’m just saying that telling people what they want to hear isn’t good enough. At a time like this we need to be challenging assumptions at every turn, not getting silly about business cases.

Posted in Efficiency, Government App Store, Government ICT strategy, Govt ICT Strategy, Information Security, InfoSec

How do we put Public Sector ICT back onto the front foot?

Depending on the figures you use, and ignoring some of the odd mathematics employed by the Cabinet Office to demonstrate savings, we spend about £20bn a year on ICT in the Public Sector. Ranging from giving small children computer access, through weird and wonderful stuff in universities, to sinister stuff we may-not-speak-of in places-that-don’t-appear-on-Google-Maps, Public Sector ICT comes in all shapes and sizes.

Public Sector IT Security also comes in similarly broad colours, and many organisations have deployed security that ranges from great to data-breach-tastique.

And yet, I still get the feeling all is not right. I shall explain.

I have over the years met people in our industry whom I trust, and a few that I call friends, who are, for want of a better word, demand side. And chatting with some of them over the last few weeks, I have been struck by the fact that two things are creeping back into our world: technology being deployed without solid business cases, and saving money at the expense of productivity.

The two are interlinked. Every time a dustman gets an iPad or a copper gets a Blackberry, people sneer. Why do they need these shiny gizmos? Isn’t it just silly councils spending cash they could be spending on old people or schools or nurses or playgrounds? Why do coppers need email? How about a whistle and the right to give a hoodie a clip around the ear? One imagines these would be the same people who complained that policemen did OK on bicycles and didn’t need cars, or that writing on blackboards is preferable to interactive whiteboards. The rose-tinted view of some Eden-like England (or whichever country you are resident in) is just that: rubbish. Policemen catch bad guys more quickly and safely if properly equipped, and teaching is more effective and inclusive if everyone can share learning materials.

The problem is spending that genuinely does not match requirements. And I don’t mean IT’s requirements, I mean the business requirements. IT staff are not as portable as one might think, particularly in the Public Sector. Being a Network Manager for a council is different from being a Network Manager at a manufacturing company. Or it SHOULD be. Plugging a router into a firewall or configuring a switch can be done by most 17-year-olds these days. Understanding the business implications of configuring a firewall in a certain way because you are running a digital-by-default ethos takes situational awareness. A friend of mine who works for a substantial public sector organisation was last week fuming as he related story after story where security-led changes were made that actually stopped some citizen-centric services working. If a public body is stopping citizen-centric services, one has to ask, what’s the bloody point? The entire raison d’être of that organisation is to provide such services. Security should be there to enable them to work, not to block them.

IT departments are hard pressed right now, but complaining about reductions in tech spend doesn’t cut it to my mind. A typical Local Authority spends about 4-7% of its budget on ICT, so 20% cuts sent down from Whitehall across the whole Authority are only going to be achieved through cutting staff. And it’s here where ICT can offset these changes by spending on tech that enables organisational goals to be achieved. And the only way this works is by ICT staff working with frontline staff to see what really goes on. Watching a police officer frantically trying to make calls on an Airwave radio that suddenly loses reception, or a social worker buried in casework because everything needs to be keyed in twice because the VPN is not man enough, will suddenly focus ICT teams on the real business requirements.

Real business requirements may well need iPads, but how will you know unless you see it for yourself? Situational awareness should be the mantra of all Public Sector ICT staff, and everything should be about the business. It’s time to look again at the business reasons for ICT and remember why the organisation exists in the first place.

Posted in BYOD, Consumerisation, Consumerization, Cyber, Data Breach, Efficiency, Information Security, InfoSec, Police ICT, Security, Sophos

Public Sector Security vs Public Security vs Outsourcing

Is outsourcing Police back office a good idea?

All across the Public Sector right now, there are announcements about shared services arrangements springing up. Local Authorities in Gloucestershire and Oxfordshire are joining up to share back office functions, and whilst the devil in the detail doesn’t look as good as the headlines trumpet, it certainly is the shape of things to come.

I’m curious (as a Gloucestershire resident) why all/more of the District Authorities haven’t joined in if the savings are that good, and why we (Gloucestershire) are allowing our posh neighbours from Oxfordshire to join in. I wonder how much of my Council Tax is paying for their system?

Off my normal topic, BUT it’s interesting to note that this is also ‘Unitary by osmosis’. Many County Councils have formally gone unitary (e.g. Shropshire), absorbing their districts, and this shared services process is effectively creating ‘a mini Unitary’ by the back door. Is there a democratic implication here?

Anyway, the reason I raise all of this is down to another article I read, about three Police Forces wanting to go down the shared/outsourced services route. We in industry typically like this kind of thing, as it allows us to bid for nice new contracts as either prime or subcontractors. However, at the weekend I was chatting to some friends of mine who, in addition to being thoroughly nice people with two adorable small children, are both serving police officers. And making the cardinal sin of asking one of them about outsourcing, they made an interesting point which hadn’t occurred to me before.

If you outsource staff, probably TUPEing them from civilian officer roles into private sector roles, you lose them from the Police Force (natch). The upside here is they are off the police pay and pension roll (although you still have to pay for them somehow). The downside is, as my friend pointed out, if the merde hits the fan, you can’t pull them into more front line duties. Gloucestershire isn’t really a hotbed of riots and civil disobedience (unless you count the Frocester Beer Festival, which can get a bit rowdy), but it’s a useful point.

It’s a rare thing that matters get out of hand to such an extent that riot gear is used, but as last summer illustrated, it’s not unlikely, especially as the world economy looks shakier by the day. So is public security in jeopardy? If police forces cannot pull staff onto front line duties (or even just-behind-the-front-line services to support officers getting bricks thrown at them) because they aren’t police staff any more, we ALL suffer.

I don’t know what the answer is, but when serving officers who patently give a hoot about their roles are concerned about such things, I think we should be worried.

Posted in Cyber, Govt ICT Strategy, ICT Skills shortage, Information Security, InfoSec, Police ICT, Security, Sophos