Here’s hoping for a quiet summer – Parliament’s in recess, Europe is heading for the beach/campsite/Centerparcs. Maybe it will quieten down for a month? Fat chance I reckon…
Three things are making the world of PS InfoSec look quite dark right now.
2011 has been the year when it’s all got really serious in public sector InfoSec. The hacks keep coming (the Italian Police and CNI group being the most recent one and governments keep announcing policies and conferences to deal with it. (Bored? Nothing to do? Have a conference…)
Factor in the fact that spending cuts are really starting to bite. For a long time there was a mild sensation of the phoney war about this, but now it’s really hurting. One of the ways this is manifesting itself in our world is real and sustained conversations about channel-shift. Digital by default as a method of Public Service delivery is here to stay by the look of it. Last October I saw a brilliant presentation on how a Local Authority was doing it, and it’s now everywhere as the preferred delivery mechanism.
And the mobility issue has gone from being hype to reality as, for example, ITV announces it’s going down the Apple/Google Apps route, and organisations across the country start looking seriously at iPads as business tools. This is interesting, but speaking as someone involved in one of these projects, securing the ubiquitous machines to make them useful is actually not as easy as one might think.
So, here is my manifesto for a happy summer holiday in Public Sector InfoSec
1. Business case, Business case, Business case. All that glitters is not gold, or even brushed aluminium. Just because the UI rocks, doesn’t mean you can use it in your business. Ask yourself the golden question… So what? So what happens if we do use them? What benefit do we actually derive? Does it improve productivity? Does it drive down costs? IS IT SECURE? Properly secure, I mean, not, erm… kind of. You are just as likely to leave one in the back of a taxi at the end of an evening when you are tired and emotional as a laptop. Perhaps more so because you don’t have to lug it about in a bag. You didn’t go out and replace all the company vehicles with Toyota Prius’s when they had their 15 minutes of fame (mainly because Brad Pitt had one). Don’t replace securable laptops just because these new things do that swooshy thing.
2. Think about the maturity of technology. Talk to your Security and Legal teams first. If they say it’s probably not a good idea, it’s probably not a good idea. Not because they are miserable old farts that don’t get it, but because it’s probably not a good idea. Certain areas in the security and mobility space are very mature, and by mature I mean reliable and predictable. Ask yourself, is now the time to be risking it on immature technology?
3. Get the basics right. Anti-Virus. Firewalls. Securing systems. USB ports. Application control. Intrusion detection and prevention. Simple stuff that allows you to have confidence in your systems. Oh, and don’t assume non-IT staff are interested in security. Because they aren’t. So don’t go too far the other way. A 28 character logon is very secure in theory, but in reality will just result in your organisation’s post-it note bill tripling.
4. To paraphrase, make do and mend. The best projects I am aware of are attempting to reuse what organisations already have in more productive ways. A beautiful exemplar of this going wrong comes from outside our immediate remit. ID cards/Passports? If you have something already that is secure, works and people are comfortable with, don’t try and build afresh something similar to do a similar job. Use what you have, extend its remit. It will be cheaper to develop and procure, and because people are already familiar with it, you probably will reduce your training and deployment costs.
5. Fundamentally, we should be risk adverse in our new technology adoption, because we simply can’t afford to get it wrong. If the business case is there, the technology mature, the legal and security people are happy and it allows us to use what we have in a better manner, then do it. But the bad boys aren’t going to stop attacking and the budgets aren’t getting bigger.
What we all want is a holiday where we can relax and worry about sun cream rather than network defences, for at least a while. My suggestion is that we all take a bottle of pragmatism away with us and mix it in with the inexpensive local plonk we bought at the market.