Since the autumn of 2007, information security has become an even bigger issue for businesses and CIOs. When the chancellor Alistair Darling announced to the House of Commons that the file containing the records of almost all child benefit claimants in the UK had been lost, information security became headline news. But as organisations struggle in the new recessionary economic climate and public-sector CIOs discover that their funding levels are being slashed, will the issue slide into the background? CIO UK discussed the continued importance of information security with Richard Thomas, the outgoing Information Commissioner, and Mike Payne, CTO at the Ministry of Justice.
The personal details of 25 million British people were lost in 2007 when HM Revenue and Customs (HMRC) lost two CDs containing the records. The Poynter report described it as a systemic failure and "woefully inadequate". For the last two years, HMRC's name could not be uttered without being instantly connected with the biggest loss of personal information in British history. Poynter found that the IT systems at the newly merged HMRC were too complex and too fragmented, and advised HMRC to upgrade them; the organisation then committed to spending £155m on IT renewal projects.
HMRC was the first sighting of a problem that ran through both the public sector and private companies. Like the periscope of an enemy submarine, it was only the first part to break the surface: as more and more details emerged, the rest of the vessel followed, and it proved to be a U-boat set to sink the information fleet. Prison staff details were lost, while banks and building societies also revealed failures in record keeping.
Richard Thomas steps down as Information Commissioner in June after six years in the post. He has been by far the most effective and prolific campaigner for good information practices. His office is responsible for ensuring that the Freedom of Information Act and the Data Protection Acts are upheld. The Information Commissioner is an entirely independent role and is appointed by the Queen.
"The technology has demonstrably changed and that has been the major driver," Thomas says of the internet and his time as Commissioner. Since taking over the department, Thomas has been the public face and voice of information security, he told CIO UK at an event organised by Dtex, an information security specialist. The department he inherited was poorly funded and had just one PC and no internet connection. Today, C-level management, insurance companies and departments across government respect the organisation Thomas has honed. Thomas himself says the big-ticket disasters have also driven up interest in, and prioritisation of, information security.
"It was seen as a nerdy role and we were seen as remote from reality," he says. "We worked very hard to make it more relevant." Thomas says this was achieved through "language, pragmatism and common sense". "We put a lot of emphasis on communications and this has transformed our relationship with businesses."
Mike Payne, CTO at the Ministry of Justice, concurs: "The powerful thing is that it's [information security] gone from being very arcane to one that is now using a language that the business understands."
Thomas is stepping down just as the Justice Secretary Jack Straw aims to give the Information Commissioner more powers, including the ability to impose fines directly on individual data controllers within a business for what is described as "deliberate or reckless loss of data". Spot checks on central and local government for compliance will also be introduced.
Straw said of the proposals: "As new technologies have developed, the secure storage and careful sharing of personal information held by both the public and private sectors has become paramount."
Some experts have called for the mandatory public naming of organisations that fail to comply, but Thomas is not a fan of this proposal. In the US there are laws that require those affected by breaches to be notified, and Thomas does see the value in that, but he describes mandatory public naming as "burdensome on organisations and then there will be breach fatigue from the public."
Payne joined the Ministry of Justice from the private sector, where he had worked with Cisco Systems and EDS. He explains how organisations are beginning to see the value in implementing strong information security policies and technology. "There is no major gap between the public and private sector, the issue for both is the size of their technology."
As a CTO, Payne says the key thing is to force staff and organisations to ask whether they really need that amount of information. This questioning, and the cultural change that comes with it, is very valuable, especially to a CTO, because much of the technology and information he would "like to lock down" cannot be locked down in practice.
Also, training can introduce new cultural awareness, but as Payne says, "There are pockets in organisations that are a law unto themselves. So we are saying that they have to accept personal responsibility for what they are doing." This may sound like dodging a difficult scenario, but Payne explains: "Risk management has to be owned by the business. IT is only part of the entire information service."
Thomas adds, "Organisations have ground to a halt from trying to tie stuff down too much. There are 1700 judges, all with laptops; locking them all down will not work."
The justice world is a clear example of this: the courts still rely heavily on paper and ship tons of it about, which comes with its own security risks. "It is important that the CIO is a participant, not the owner of information security, as it will be seen as an IT problem, and it is not," Thomas says.