For about two months we’ve navel-gazed and considered every possible outcome around what the public sector cuts might mean for Local Government. Well, eyes front everyone, because they are here at last. The Localism Bill will today offer a new vision of how Local Government should behave, engage, and crucially, spend.
It appears that Eric Pickles, Minister at DCLG (Department for Communities and Local Government), has front-loaded the cuts being handed out to Local Government, with the first year’s budget reduction coming in at an average 10.7%. Factor in a mandated Council Tax freeze, and things start to look bleak at Town Hall. We can expect to see libraries, sports centres and other state-provided facilities being closed, no doubt re-emerging phoenix-like as supermarkets/retail parks, replete with their own special brand of traffic jams, litter and irritable parents. Even Mr Pickles himself has said he expects authorities to be able to deliver ‘reasonable’ services after the cuts. Who wants ‘reasonable’? I want ‘exceptional’, and to do this, authorities are going to have to get clever about how they do things.
The cuts will drive local authorities further down the line of merging services and outsourcing arrangements. At the most cynical level, this means TUPE-ing staff off the payroll to make some skin-deep cuts but keep people in their jobs. Merging back-office functions across local authorities has been happening for a while, but we can expect to see this go mainstream now. The inevitability of this has set me thinking about the impact of all of this on our world of Information Security.
For example, merging the management teams of small authorities makes complete sense: having two chief executives each running small district authorities no more than 20 miles apart now seems like an expensive luxury. Likewise, merging the core back-office functions – payroll, HR, some IT systems – of two or three authorities also makes sense. All of these are homogenised functions that would benefit from economies of scale. However, there is a catch. If you extrapolate, this line of argument continues and continues until you end up at … something like the NHS IT systems, which have so far performed dismally. Somebody needs to identify the point at which merging ceases to deliver benefits and instead throws up problems. The NHS loses so much information because it holds so much information, and trying to control it is clearly an issue. Small, focused teams dealing with data handling, data security and the like make sense because their size gives them the scope to keep a grip on things.
The situation is also unhappy in an outsourced environment. Information Security is all about mitigation. Losing data does not affect the bottom line immediately, which is why it has to be legislated for, rather than letting the market dictate the level of security. For example, if a bank makes £1 million a day profit, why would they care if a data breach loses them a customer who only contributes £1 profit per day, when it might cost them £10 a day to stop it? So can you ever realistically outsource the SIRO (Senior Information Risk Owner) role? The actions of the SIRO within a local authority rarely make processes simpler or cheaper, and pressures to reduce costs mean that outsourcers may not be best placed to take on this role; indeed there may well be a conflict of interest.
My point is that security may well end up being an area of activity that is outsourced or merged. In the merged case, care must be taken not to merge too far, lest the size of the task be too much and breaches start to slip through the security team’s fingers. In an outsourced environment, I would urge retaining the security function (at the very least the SIRO and appointed deputies carrying big sticks) in-house to separate the strategic and tactical from the operational, lest a conflict of interest render the process blunt and ineffective.