I’ve been giving some thought as to how our world of Public Sector InfoSec is going to look in 24 months’ time. The last few weeks have seen a huge shift in the landscape and I am trying to figure out where this is going.
The wider situation is likely to be dominated by two main constituent parts: mobility and increased use of web-based services (I am hoping that the awful Cloud word will have disappeared back into the West Coast vendors’ marketing cupboards by then) PLUS hacking in the mainstream. I’m not professing to be a soothsayer on these two arenas at a technical level, but it seems reasonable to assume that Android and iOS will dominate the mobile space. Commerce will have adopted mobile en masse. Across the Public Sector they will be in increasing use as the PSN framework dictates what can and cannot be connected. Business cases will harden and this approach will drive adoption of web-based services. The disintegration of boundaries, the final death rattle of de-perimeterisation, will affect the labour and skill requirements for IT.
The other piece here is the mainstreaming of hacking. Hacking for years has been a shadowy occupation, but much as computing has moved from the office to the mainstream, so will hacking. The effect of Moore’s Law will naturally be felt by the bad guys too, and coupled with the new boundary-less computing environment, it will be easier for them to do their nefarious deeds.
So the outcome for commerce is easy to postulate. Custom and cash will drive adoption of security best practice and security products. If your bank keeps losing customer details, customers will vote with their feet. It is reasonable to assert that in the old days corporations tolerated some forms of losses resulting from the use of IT as a cost of doing business. Since customers didn’t really understand what was going on, it wasn’t a huge problem. In two years’ time, when e-commerce has gone totally mobile and mainstream and even my Mum will understand what hacking and data breaches are, failure will not be an option.
In the Public Sector, however, we have a different issue. The economics of running Government will not be much different from today. And also, because I don’t have a choice about where I do my tax return, who I order my wheelie bin from, whether I deal with my Local Constabulary or move my ‘business’ to another Police force, I have to carry on dealing with institutions who may have inadvertently hosed my personal details all over the internet. No bottom line, y’see?
The Public Sector has two options for the future. Doomsday scenario is that things stay as they are. If that’s the case, there is only one outcome: we will get regulated. The Finance industry came in for regulation when losses incurred from problems were an inconvenience for them, but a nightmare for customers who had little leverage over the institution that wronged them. Some could argue we have had a taste of that now in the shape of the ICO, but I don’t mean them. I mean Regulation that’s mean, brutal and swingeing. Take a look at the number of people employed in the regulatory bits of banks, insurance companies and the like. Now weave that into the public sector workforce, and suddenly whole departments spring up. And what do people make? Cost. So all of our efforts to reduce costs, bump up efficiency, cut this, cut that are wiped out.
Think this is scaremongering? Have a look at the breach notification legislation coming down the line from the EU. Have a look at the sons and daughters of SB1386 in the US. This is entirely reasonable, especially if the general public get on the case and the topic becomes a political football. Three years ago, Facebook was an irritating toy. Now it’s such a core communication tool for the Western World (and beyond) that whole families run christenings and suchlike on it. Can you imagine the howls of anguish if something happened to Facebook?
Best case scenario is that we stop pretending that the rest of the world is interested in our geeky domain. CIOs rarely give a hoot how stuff works: all they care about is the outcome. It’s like cheese. If someone told you that they were going to feed you something made from rotten milk covered in mould that had festered on a shelf for 2 years, you’d decline it with a shudder. Don’t tell me how it works. Don’t sell me a gizmo, sell me an outcome that makes me faster, leaner and cheaper. And then work on the procedures. And this is key. If I read another blog or article about how we must engage the end user, I will probably be ill. The end user doesn’t care. Not because they are bad. Not because they are inept. But because they are a teacher, a social worker, a policeman. Shoving my security policy under their nose is an impediment to their working day, and they will nod, smile and then get on with worrying about their job.
So Mr Know-it-all-security bloke, how do we stop ourselves getting regulated and incurring the cost, while at the same time dealing with a world that is boundary-less, mobile and full of bad guys with serious computing muscle?
As I have written before, we need to take the Health and Safety approach. We need to explain to our Boards and Senior stakeholders that if we don’t change our approach at a strategic level and bake this into everything we do, we are all going to get regulated. Teachers and doctors don’t think about Health and Safety, they just do it. Security needs to get this approach, and industry needs to get behind it.
I’m not claiming to have all the answers in detail, but I do know it involves a mature discourse between industry and the public sector. Our work needs to focus on our freedom not to be regulated, and we can do this by adopting Health and Safety methodology.