One of the joys of this blogging lark is that I get to do one of my favourite things, which is to be a bit grumpy or, more formally, to challenge orthodoxy.
Challenging orthodoxy is something of a hobby of mine, and it does quite often get me into trouble or irritate colleagues. From sitting in meetings and asking people to repeat what they’ve said to me in English, as opposed to industry gibberish, to staring at policy types in Government and asking ‘why?’ repeatedly, there is actually a point to my being awkward. The point is that, quite often in our world, the bureaucratic process obscures the (often good) intention behind it and renders that process at best painful, at worst counter-productive.
I have a myriad of stories I could relate of experiences across various bits of the Public Sector where compliance with various things has actually made matters worse. One of my favourites relates to a time a few years back when a Local Authority blatantly fibbed to its auditors on GCSX compliance to get its rubber stamp. It was only a little white lie, based predominantly on a desperate need to achieve the connectivity and an IT section starved of resources. Nobody was hurt, and to my knowledge, that Authority has not had a (reported) breach. But the raft of impending regulations from the EU, the changes in the legislative landscape in the US (and therefore coming to a European legislature near you soon) and the continuing drip, drip, drip of ICO rulings on breaches in this country make me wonder.
Is it possible that a culture of Compliance is counterproductive? Off the top of my head there are: PSN, GCF, GCSX, N3, GSi, PNN, CPA, CAPS, PCI DSS and a library’s worth of stuff from CESG. A veritable flood of three-letter acronyms, all of which come with whopping great documents full of controls that need to be adhered to. And IT/Security sections spend a huge amount of time diligently working through them, writing things and buying stuff to prove they are meeting the criteria. Could it be that the very act of doing this forces them to take their eye off the ball, ignoring issues in the real world? Much like learning to drive, where you go to driving school to learn how to pass your test rather than how to drive, is it possible that the large collection of standards, connectivity controls, best practice* and advisories merely obscures the real-world set of requirements? Could it be that there is simply too much of this stuff?
I know several ITSOs (IT Security Officers) who give huge, long-suffering sighs at the merest mention of new guidelines. All these new guidelines do is create extra work and extra bureaucracy, most of it spent writing weaselly words as to why what they already have (which suits them and their business) fits into the latest and greatest thinking from those in the know. And by ‘in the know’, I mean people who look at security as a single topic, rather than as an in-the-round enabler for business to happen.
I’m not saying don’t have regulatory controls and good practice. I’m just saying that the sheer volume of it means it quite often becomes a tick-box exercise, divorced from reality, which costs time and money to do and can distract from actually ensuring that the organisation is fundamentally secure.
*I hate the phrase ‘best practice’. How can something be ‘best’ practice when at most it’s informed opinion? Let’s call it good practice and stop pretending, eh? To be fair to CESG, at least they call their stuff Good Practice Guides.