When BA completes its inevitable blame-storming meeting over the recent Heathrow fiasco, there will inevitably be some casualties. How many human sacrifices will be offered to the Gods of the Media? Six would be too many, and four not enough. But who will be the Terminal Five, the men and women who pay for the failed systems with their careers?
Not the CEO or the financial directors, according to media pundits. As ex-Sun editor Kelvin MacKenzie quipped: “Deputy heads will roll.” In these circumstances, it would be no surprise if executives, including those in IT, carried the can.
Unfair? Yes, but that’s the risk you accept when you assume the high office of information chief. It’s not as if you haven’t been warned. These days, hardly an hour goes by without some publicity-hungry IT supplier issuing an urgent warning to CIOs. Google the term “CIOs warned” and you will find 1500 examples of how the nation’s most senior IT strategists are sleepwalking into a legal minefield.
Consider some of the dire warnings. For example, CIOs could face criminal prosecutions for indecency if they don’t prevent adult content being published on their networks. This is a typical argument made by security software manufacturers in marketing material that lands on your desk and pings into your email inbox.
Before you’ve had time to digest this claim, another sensational message aimed at CIOs will attempt to hijack your consciousness. “CIOs could face extradition to the US, and face jail time in an American penitentiary,” will claim a new briefing from a major consultancy, which warns that if you don’t spend your budget on their report, you may find yourself sharing a cell with an amorous armed robber.
While still reeling from this thought, yet another threat will be released to the nation’s IT chiefs. “CIOs might face extraordinary rendition, and two years of waterboarding torture at the hands of the CIA, if they fail to buy WatchDog’s new antivirus on a stick product,” will be the provocative heading on an invite to a seminar.
Sadly, this is no exaggeration. Only one of the three examples above was made up, although all names have been changed. There really are agencies out there making these hysterical claims in order to shift their products and services.
Life’s too short to take all these risks seriously. Your career is even shorter, and there’s strategic work to be done too. So how do you assess and prioritise your response to all these supposedly fatal compliance and regulatory threats?
The problem is, sometimes they’re right. Legal advisors have told CIO that many of the hyped threats to your freedom are without foundation. But many of them are genuinely threatening. To paraphrase the old maxim about IT marketing: “Half of my marketing threats are true. And half aren’t. If only CIOs knew which.” The IT security advertising industry would love it if you never found out which compliance regulations are worth losing sleep about, and which bossy directives can be safely filed away and forgotten.
Assess that risk: a cynic’s view
Here are three examples of risky situations, and how you could go about assessing the scale of the threat.
Situation: CIO at a bank.
Systems: Bespoke financial systems.
Users: An army of commission-hungry brokers.
Customers: The public.
Regulation: FSA rules say broker data must be held for six years.
Punishment: A fine of up to £500,000 and 10 years in prison.
Need to know: Less than one per cent chance of prison time.
Assessment: Cover yourself. If it all goes wrong, make sure you can prove someone else was negligent.
Situation: CIO at public sector organisation.
Systems: Distributed systems, consultants and outsourcers.
Users: Low-paid civil servants, highly paid consultants.
Customers: The public.
Regulation: Internal data must be secured for seven years.
Punishment: One sacking per 15 million records lost.
Need to know: If in doubt, deputy heads will roll.
Assessment: Low risk. Too many people to blame. Don’t worry, it’s not your job.
Situation: CIO at hedge fund company.
Systems: Bespoke proprietary systems making auditing tricky.
Users: Commission-hungry salesmen.
Customers: Assertive rich people.
Regulation: See Sarbanes-Oxley (data held for seven years).
Punishment: 10 years in prison. Million-dollar fine.
Need to know: Possible class action suits from US clients.
Assessment: Hedge fund trades are notoriously fluid and hard to record. The likelihood of hedge fund data being untraceable is high, and the punishments are draconian.
The job of chief information officer is increasingly challenged by compliance issues. “Compliance is a black hole that an infinite amount of your time and money can never fill,” warns Kit Burden, head of the technology and safety department at legal firm DLA Piper.
There are compliance issues and petty regulations everywhere, some of which are fairly safe to ignore. Some high-profile cases have shed light on how lightly compliance regulations are taken in the UK.
If you work in HMRC, for example, you might be tempted to think you’ll never be held to account for any loss of confidential records. And who could blame you for thinking that? If you worked in healthcare, on the other hand, you might put the security of patient records as a low priority, as there’s an almighty government spin machine ready to cover up any mistakes in the NHS. And your departmental structure might be so confusing, with so many overlapping responsibilities and duty-of-care no-man’s lands, that you could always wriggle out of anything.
Don’t underestimate the threats to a public-sector CIO, warns Richard Steel, president of the Society of IT Managers (Socitm). Steel worked for banking giant Morgan Grenfell before transferring to the public sector as CIO of Newham Council. “At Morgan Grenfell, we had 2000 users, and a £47m budget to deliver one major service, moving money around. When I first got to Newham, we had a £2m budget, but 12,000 staff,” he says. And the services a council has to deliver – such as housing systems, benefits and disease information – are life-and-death issues.
One of Steel’s ambitions as the new president of Socitm is to relieve some of the pressures put on governmental CIOs. So if you want to secure your career, his advice is to join forces with Socitm.
A CIO’s experience
Derek is CIO for a hedge fund management company based in London. Although most clients are UK-based, many have homes in several countries. They’re rich enough to afford lawyers when denied the good fortune that eludes most of us.
Like all hedge fund management companies, Derek’s employers insert plenty of conditions in their contracts, warning of the volatility of markets. But one disgruntled client had deep enough pockets to contest the behaviour of the company.
The Financial Services Authority (FSA) normally investigates such disputes and is loath to go to court. At the time, however, the FSA’s limited resources were dedicated to investigating money laundering and terrorism.
The client, as was his legal right as a US resident, took his case to a civil court in the US. At the heart of the dispute was a disagreement over who said what to whom. Derek’s employers needed to prove that the client had been kept informed of all transactions. The client said he had been oblivious to this.
A simple matter to resolve: all the IT department needed to do was restore all records of emails, and all tapes of phone calls, between the client and his financial advisor, or with the secretary who was occasionally asked to pass messages on.
The client’s lawyers disputed the veracity of these records. And so Derek, as the CIO, found himself at the centre of a prolonged case that would last nearly two years.
“I wouldn’t mind, but I wasn’t directly responsible,” says Derek. “I was the lawyer’s choice.”
Two years of Derek’s life were about to be ruined, just because he was the man the lawyer wanted to see in the dock.
“The case just dragged on and on, and seemed to get progressively worse,” says Derek. “In terms of stress, it was like my marriage, my first mortgage and having a kid all in one.”
Derek was his company solicitor’s choice because, ironically, he had the least knowledge of the case. He looked the most plausible in denying any procedure had been neglected, mainly because he didn’t know what had happened. “Once you’re in a court case, it’s not about right or wrong. It’s about damage limitation,” says Derek.
Ignorance isn’t bliss
The solicitor for Derek’s firm felt he was the best person to exude plausible deniability. If the question of whether backup procedure had been rigorously followed came up, he could deny knowledge of that more convincingly. But only because he wasn’t around at the time. This ‘principle’ had been established in the early days of the civil proceedings, when Derek and his predecessor, Graham, had met the company’s legal advisors. Derek suffered a grilling at the hands of the firm’s solicitors, which he wasn’t too pleased about. Still, at least he hadn’t been drawn into an argument with his inquisitors, as his colleague Graham had.
As luck would have it, Graham’s reaction to questioning had got him off the hook. “The lawyers wanted to put someone in the dock who wouldn’t react,” says Derek. “My predecessor would argue back. They said my demeanour was more innocent, and came across better.”
In other words, by being polite, Derek had unwittingly consigned himself to being the whipping boy at the Dallas hearing.
The lawyers prepped him on tactics. He was coached in how to field a question; how to avoid his natural tendency to be helpful; how to stonewall a line of enquiry; why he should never get drawn into answering a question where he didn’t have the full facts; how to explain why he didn’t know the answer to a particular question. They stressed how important it was to keep his composure and how the other legal team would try to unsettle him, and get him to say something damaging.
“They basically told me I was going to get beaten up in court, and I mustn’t get drawn into an argument,” says Derek. “They [the plaintiff’s lawyers] wanted me to say something off-message. Even if what I said wasn’t true, or I didn’t mean it in that context, it would be out there and there’d be no taking it back.”
Having had a taste of what he could expect, Derek then had to wait a year before he was summoned. “It was agony having that hanging over my head. My life was in limbo.”
Eventually, a date was set for the hearing, and Derek had to fly out to the US for his day in court. He ended up living out of his suitcase for two weeks. “I’d like to say it got easier once the case started and the adrenaline kicked in, but it was actually worse,” he says. “The other guy’s lawyer had an amazing memory for detail. He could remember exactly what I’d said to him three days earlier and picked me up on it. I couldn’t, and I was drawing on my own experience.”
Having emerged from the two-week hearing unscathed, if mentally scarred, Derek was horrified to discover that he might be called back again at some stage. And, six months later, he found himself going over all the evidence again, and spending another two weeks away from his family.
“Looking back, the worst that could happen is that the bank would have been fined, but I kept getting these images of me being dragged away in an orange jumpsuit,” says Derek.
Derek’s advice on going to court? CIOs have a natural tendency to be helpful and to explain. Suppress that tendency. Keep answers short. Limit the information you give away. Stonewall. Don’t get drawn into an argument. Don’t allow yourself to get unsettled. Don’t speculate or theorise, don’t offer an opinion. The aim is to establish plausible deniability.
But most importantly of all, avoid going to court in the first place. So if, during your first meeting with your company’s legal team, they begin to fire questions at you, remember one thing. Don’t let them think you’d be a good witness.
However, it is the finance industry that, arguably, has the most exacting regulations on how comprehensively information should be revealed and recorded. And yet, when Peter Mandelson, a senior member of the Cabinet, was found to have lied on his mortgage application form there was never any question of criminal charges being brought. And neither was Piers Morgan, former editor of the Daily Mirror, prosecuted when he appeared to be in breach of financial regulations. Clearly, these compliance rules don’t matter. So why should the rest of us worry about backing up data?
In short, because CIOs are not celebrity-class people, and they will be hauled over the coals without compunction. One IT director, who was part of a department that failed to provide a backup record of a banking trade that became the subject of a dispute, says you should take these regulations very seriously.
“When I had to give my sworn deposition to a hearing, it was the most stressful thing I’ve ever had to go through in 20 years of being in IT,” he says. “The case was hanging over me for months. I was briefed by barristers half a year before the case came to court. From that moment it was impressed on me how serious the case was going to be. But I never knew it would take so long to get to court. I became a nervous wreck.”
Unfortunately for him, the case was repeated six months later. Our anonymous IT director may have left the hearing “without a stain on his character”, but the trial is actually worse than the sentence in many cases.
Even if you don’t actually get prosecuted, or your employers fined, you will still pay a heavy penalty just for being a suspect. It puts massive strain on your working life, which inevitably carries over into your personal life, advises one top lawyer.
There are more CIOs being hauled over the coals than we’ll ever know of, says DLA Piper’s Burden. “There’s a lot more going on than you get to hear about. Fines are being issued to companies, which somehow feeds back to the CIO. It’s going to hit his budget or his bonus. Fines are issued by the regulators for financial risk, and these are widespread. They have to be in the financial services sector as it affects the integrity of the market as a whole.”
While there may possibly be some laxity in the UK, any CIO for a firm that trades globally needs to be very careful, Burden suggests. “The US is the place to fear. Look at the NatWest Three. No charges were brought against them over here,” he says.
The Information Commissioner’s Office is pretty tame in the UK and it’s the same across most of Europe. But beware of falling foul of Spanish regulators: they have a financial incentive to enforce the law, and readily dish out fines. “They actually use the fine revenue to generate income for their department,” says Burden.
The hype around IT marketing does create a false impression of the omnipotence of the financial regulators, however. “It’s technically correct that you could go to prison for a misdemeanour, but in reality, that’s never going to happen. You will only ever go to prison for knowingly making an incorrect statement,” says Burden.
The threat of prosecution for indecency is similarly overplayed. If some security vendors are to be believed, CIOs and their IT managers could face prosecution for finding pornographic images stored on their own networks. But this fear is scotched by a Metropolitan Police Computer Crime Unit forensics officer, who says: “We can tell if someone has been drawn into a site, and if they’ve been actively involved in it. We wouldn’t prosecute someone for looking at a porn site, unless there was substantial evidence we could produce for the court.” The massive range of computer crimes a police unit has to cover, with scant resources, makes it unlikely any CIO will be prosecuted because an employee has brought something offensive onto the network.
There are two ways to stay out of trouble over IT and compliance regulations. You could stick to the letter of the law and make sure everything is locked down. In which case, in the words of Capgemini chief technology officer, Andy Mulholland: “You’ve become little more than a glorified datacentre manager.”
Or you could stay out of trouble by making sure nothing sticks to you. “You should always remember that shit flows downhill,” says Burden. “Always make sure you have told someone else about taking adequate protection.”
Burden advises clients on how to take adequate measures to keep themselves on the right side of industry regulations and protect themselves against prosecution. In theory, briefings on compliance should come from the top down, but in practice most users think that the only people who apply regulations are busybodies who like inventing reasons to push them around.
A CIO at a major high street bank outlined why meetings with other heads of department can be a waste of time. “I was due to meet with one of the trading team one Friday afternoon,” he recalls. “The idea was that I’d tell him how IT could support his business and he’d listen to me about the compliance issues and financial regulations. There was loads of stuff I wanted to explain to him, but my boss advised me to keep it simple and pick one point I wanted to get across. So I decided I was going to make him understand that we’re all culpable if the bank gets fined.”
Sadly though, the meeting didn’t go as planned, and our CIO didn’t even get his one point across.
“The head of trading didn’t stop talking,” he explains. “One sentence ran into the other. He repeated himself quite a lot. He kept insisting how he wanted more of everything. More screens, more news feeds, more laptops, more gadgets. He seemed to think that a fine by the regulators was some kind of admin fee that he’d lend me the money for, out of his bonus. I never got a word in.”
The session wasn’t totally pointless, however. By formally calling a meeting, at which he tried to outline his concerns, the CIO did enough to be seen to be carrying out his duties. If the stuff does hit the fan later on, and it’s found that proper records weren’t kept, at least the CIO has documents to prove he or she tried to meet their compliance responsibilities.
You have to cherry pick which issues you make a priority. You can’t possibly cover all bases, so you must choose the most dangerous. So which liability do you tackle first? Which vulnerability should be the priority? Which open window needs closing down before all others?
It all depends on today’s trends, according to Neil O’Connor, a principal consultant to the Ministry of Defence with IT security consultancy Activity.
“The reality is that security follows fashion, and this spring’s hot number is personal data,” he says. “Household names like HMRC, Marks and Spencer and Nationwide will testify to that.”
Any CIO that doesn’t secure personal data adequately is going to have a severely limited career, he argues. The right approach is to analyse, identify any high-risk areas and focus efforts there. “There really is no substitute for a proper risk assessment – you need to know which aspects you have already covered and which you need to work upon,” he says.
Understanding and prioritising security and governance issues goes with the territory. “But given the current fashion for naming, shaming and fining companies that have had personal data breaches, that’s what would keep me awake at night,” says O’Connor.