For many years now our focus in public sector ICT has been hugely on securing the information which we’re responsible for. There are good reasons for this, and plenty of examples which demonstrate the importance of taking care of the information people trust us with (not that they always do this by choice of course!).
But are we seeing the full picture? In my view there’s a real risk that some other equally important considerations get lost if we only look at technical security measures:
- Behaviour matters as much as technology: a quick review of fines from the Information Commissioner’s Office shows that a disproportionate number of breaches are due to people’s behaviours with email, faxes and online information.
- Paper can be as much of a risk as (or even more than) electronic information: again, significant fines have been levied in response to lost paper records, which can’t be password protected, encrypted or remotely wiped if they’re lost.
- We risk focusing on security at the expense of productivity: with a result that business performance is held back and customers lose out in terms of the timeliness and quality of services they receive.
- We need to be sensible about where we draw the line: there’s a significant difference in my view between critical business information and ‘user-generated information’ such as meeting notes etc. The latter have historically been kept in notebooks and on loose paper, and if these haven’t been subject to strict controls before, we need to think carefully before we lock them down simply because they’re now being taken electronically.
The right approach will depend on what the information is and the context (it’s easy to forget that many private enterprises are every bit as concerned to protect intellectual property and trade secrets as government organisations are to protect public information).
Technology can play a part in changing the balance though, and I’m very drawn to the concept (put forward by Brian Katz and others) that we look afresh at security and move to an approach where we can reliably and securely work with untrusted devices, focusing instead on securing apps and information. My light summer reading has included the useful book APIs: a Strategy Guide, and this has really got me thinking about the potential for using APIs to enforce business controls and securely unlock information, balancing the needs of a productive workforce against our responsibility to keep information safe.