As a sales trainer once said to me (adopts west coast accent and slight dodgy moustache*) ‘So, Graeme, whats the learning here?’ There are three questions to my mind:
• What are HCC going to do about it?
• What are the wider Government/Public Sector going to do about it?
• What are we in industry going to go about it?
The answer is actually not too hard, if you follow some logic. It runs something like this
1. Post CSR, everyone is strapped for cash. This means improving business processes and getting as much online as you can. This reduces transaction cost (ie the cost of doing business), delivering some cashable savings and operational efficiency, releasing cash back to the business
2. Take a long, damn hard look at the data you are handling. If you would release it under an FoI request, take a look at the Open Data projects such as Warwickshire County Council did, and get it out into the public domain
3. Identify the data you wouldn’t release under FoI and put some controls on it. And I don’t mean spray some software at it. Use some of the precious cash saved in point 1 and put a process in. Identify the risks, appoint a SIRO** with balls, and accept nothing less than total adherence internally. Treat it like you would Health and Safety. Nobody accepts live wires next to buckets of water any more do they?
4. Once you’ve identified all of these, Do It. Discipline people who don’t adhere to it. This stuff is not your data – its OUR data. Treat it like its your own
5. Once you’ve got all this in place, then put appropriate software in place to rigorously back up your processes and procedures from people too stupid or lazy to follow them.
6. And discipline the aforementioned people
7. This software needs to cover the usual AV/Anti-Malware angle, but also some mild DLP (Data loss/leak prevention), NAC to stop people with their own i-thingys connecting willy-nilly and some decent port control to stop data leaking out via USB sticks and such like. But ask your vendor. They’ve done this loads of times for other people, and there is little point you re-inventing the wheel is there?
8. Stop making excuses. See point 4
The irritating bit here is that I know there are many good, talented and hardworking InfoSec people in UK Public Sector. Many of them I know chew their fists in frustration at the actions of procurement departments and finance departments refusing to engage in these conversations, looking to save money over looking to properly back Data Security initiatives. Well, to my many friends out there in this space, maybe your time has come. Maybe if the ICO hands out a few more fines, maybe dishes up a few more searing lectures like he gave at IA10, just maybe you won’t get your requests for people internally to work with you and a few quid extra turned down. Your task will be to then get your processes right, get your procedures right and get the right tools in for the job. Fingers crossed eh?
*apologies if you dont get this. If you worked at the sadly now defunct PGP ever, you’ll get this
**SIRO = Senior Information Risk officer