Security is about people, not technology
Wednesday, January 02, 2008
Was 2007 a red-letter year for the outsourcing industry? For a great many industry insiders, yes, and we should celebrate that, but let’s be realistic. In the minds of the public, and in particular the British public, it was a red-letter year in the sense of the heat generated by piles of irate correspondence on tabloid maildesks.
Successful outsourcing is inconspicuous to the wider world, and so it should be: it is about creating a seamless, efficient experience. The press and public, by contrast, will always remember and discuss conspicuous failures, especially those resulting from human frailties, such as the employee who downloaded data from a multimillion-pound computer system and then lost it in the post. What does this tell us about major public databases? Not that they are insecure against hackers or malicious fraudsters; rather, that many staff using them do not have even a basic understanding of how to handle electronic data securely. This is where security fails: not at the firewall, but in the mailroom, or on a cluttered desk.
No-one notices joined-up public service, because the successfully outsourced experience is a forgettable one; while everyone remembers being asked by a call centre worker where the major city you are calling from is located, especially when it is the location of their company’s head office. They will forever associate that experience with the company, brand, or organisation it represents. This is especially true of public services, such as the NHS, the Inland Revenue, and so on.
The Blair government looked favourably on technology as it saw it as an exemplar of ‘modernity’, and Blair’s catholic (i.e. universal) quest for modernity – preached from his ever-present invisible pulpit – was perhaps the defining idea of his premiership, alongside compassionate smartbombing in the approximate direction of democracy. Gordon Brown has maintained a dignified silence on the pursuit of modernity, but largely because he bankrolled it for more than a decade with mixed degrees of success.
This year is the time to accept that technology in isolation, driven by the ‘need to be modern’, is a recipe for disaster. 2008 needs to be the year in which public servants stop talking about technology as though they were dealers in an arms race, and start talking about people. It must also be the year when the government finally recognises the clear, repeating patterns in the failure of many large-scale projects.
The massive loss of data and public confidence from a number of government services, including the child benefit system and several NHS trusts, illustrates this all too well. The NHS IT project, the ID card scheme, and other major strategic projects are all being discussed as technology solutions to technology problems, in which every flaw or security concern will supposedly be fixed by throwing yet more world-beating, gold-standard technology at them. This is nonsense.
Minister after minister has been wheeled before the cameras to say that the ID card scheme will succeed because it will be backed by the very best in security technologies, just as the overarching NHS IT system will be when it finally goes live. This, I’m afraid, is completely, supremely, almost ludicrously irrelevant.
The truth is that technology, databases, networks, and communications systems are nothing more than high-tech representations of an organisation’s management structure and corporate policy. They connect human beings together, in accordance with rules set out by the management, and merely facilitated by wires, routers, hubs, servers, optical communications, and so on.
These systems either succeed or fail because of people, policies, and management, and they usually fail not because the people at the top have actively screwed up, but because the people at the bottom have never even been considered, and perhaps know nothing about electronic data, let alone data security and privacy laws. And it’s not just the people at the bottom: just ask the Qualcomm executive who several years ago attended a conference on IT security. He left his laptop there, the equivalent of leaving an entire company in a suitcase.
Take either the ID card scheme or the oft-delayed NHS IT project.
Question: Who enters data into computer systems? Who sits and manually types record after record into a computer terminal? Who will have the time to check the veracity of data? Who will interpret and update and standardise reams upon reams of data stored in filing cabinets, in ringbinders, on outdated databases, on thousands of computer disks (some of them probably long-outmoded)?
Answer number one: Highly qualified professionals who mysteriously have months of free working hours to plough through millions of records, cast their professional eye over the contents, check with the person whom the data represents, and then correct the information?
Or answer number two: poorly qualified, poorly paid, or relatively low-skilled workers; people on minimum wage; people with little more than basic secretarial skills; early school leavers; undergraduates in holiday jobs; people whose second language may be English; and people in far-flung parts of the world working for remote corporations?
This is the flaw in the system: not the system itself, nor the firewalls and encryption protocols; nor black-hat hackers waging cyber-warfare from a bunker in North Korea. It’s the normal, everyday working people who do the manual labour, many in outsourced locations. All of them may be trustworthy and intelligent, but most of them have never even been factored into the management’s thinking.
We all know that the only person who can read your doctor’s handwriting is your local pharmacist, so perhaps we should employ a few thousand pharmacists!
Let’s hope, as we plough forward into 2008 as an industry and as customers of an industry, that we learn one vital lesson about major, multibillion-dollar contracts established on behalf of the public: technology, and large-scale public technology implementations in particular, are primarily about three things: people; corporate policy; and corporate social responsibility.
A peaceful and prosperous 2008 to one and all.