Tag Archives: information risk management

Investigatory Powers : I submit

I made a submission to the House of Commons ‘Science and Technology Committee’ tonight, about my opinion on the (Draft) Investigatory Powers Bill. Here it is:

I was Information Security Officer for the trading floor of a ‘Big Six’ energy company. I spent a year investigating best-practice and defining departmental information security policy. I aimed to learn from the mistakes of others, to avoid making them and hope it will be useful if I pass on what I discovered.

  1. Technology is not the issue
    The most common error is to treat organisational risk as ‘an IT issue’ and to spend as much money as can be found on whatever technical controls are presented, to mitigate each newly identified threat. The effect of such an approach is that rather than managing risk economically, one has an ever-increasing set of controls that have a negative, invasive effect on normal operation and morale, yet a determined attacker still only has to find one weak point to break through (it is usually a person, not technology.) This approach eventually collapses when the organisation realises it is spending more on security than remains of the culture it was trying to defend. I see evidence of such escalation in the measures in The Investigatory Powers Bill. Believing information security is a set of technology controls has repeatedly failed to deliver adequate value for money in private enterprise.
  2. Manage risk, not controls
    A far better approach is to identify the most valuable resources, identified threats and probable attack vectors, then to spend in a highly targeted way, defending what really matters. To me, that looks to be the communications around a very small number of known terrorist suspects and criminals. It does not include wasting resources on mass surveillance of all British citizens or all secure legal transactions with UK businesses; annoying them in the process and losing their support.
  3. The Bill is a weapon, not defence. It will be used against us
    In this instance, the security services’ real aim is to manage the UK’s physical security, not information risk. The changes proposed seek to make it easier for the security services and police forces to attack the information resources of terrorists and criminals. Sadly, we no longer live in a world where that is possible in isolation. We are all defended by the same technologies. Anything that undermines the information security of terrorists has exactly the same effect on all UK citizens. The Bill seeks to erode our traditional British values of individual freedom, fairness, the right to privacy, equal opportunity, and assumption of innocence under the law. It will also open us up to new methods of attack from our countries’ enemies. I hope that you will decide that this price is too high.

You can do the same but today is the deadline. The technical controls are very open to technical criticism too.


Afterwards, please tell your MP if you have any concerns. If you don’t, read it again, imagining your most feared extremist government having the same potential to access your private information.


Power and Lust

I’ve spent a few days attaching solid-wall insulating lining-paper to the walls of my home office. To stop me climbing up said walls and hopefully to drown out most of the swearing, I’ve been listening to the ‘Business Shift’ podcasts by Megan Murray and Euan Semple. I started with #19 after seeing @Euan tweet about it, then listened to #6 on “Power”, largely because I feel a recent victim of its abuse. Since then, I’ve gone back to the beginning and forward, so far, to #10 “Security”.

Megan and Euan are interested in some of my many obsessions and we seem to share similar values but they come at everything from a slightly different angle, which is always interesting. Listening quickly to several podcasts, recorded over months, allows you to see recurring themes: change, corporate culture, process, networks, complexity, infinite shades of gr(e/a)y (including ball-gags), relationships, anarchism, agility and “IT”.

Their distrust of ‘IT’ is very similar to my distrust of ‘Management’ and they blame it for exactly the same things I blame managers. I see IT from below, where well-meaning and knowledgeable techies propose great ideas that get watered down and corrupted by ‘IT Management’ who feel the need to simplify everything, and then blame the resultant crass decisions on other managers ‘in the business’ (I’ve never quite understood why IT isn’t .) Where I hear “the business won’t pay for it”, I guess Megan and Euan are told, “IT say we can’t do that.” A quick comparison with science and politicians is alarming.

I’ve finally been pushed over the edge into responding by the suggestion that information ‘Security’ is an IT issue. I spent a year of my life telling IT managers that they may own the ‘Technology’ but that the ‘Information’ belonged to the business; that IT controls were only an answer after you had helped the business identify information resources and analysed value and risk. My attempt to change culture was countered by making my post redundant, centralising IT Security and appointing someone who didn’t want to mess with the borders of power. I’m sure my customers were told that I’d wasted a year but now they’d bought in someone who knew what he was doing and they got a single desk-top with automatically updating anti-virus software and fire-walls, whether we needed it or not.

Megan and Murray talk around the way in which the world of work is being ‘Shift’ed by Internet-enabled networks of (hopefully) intelligent humans. A world where people in the business who are trying to do useful things can connect directly to people who have expert knowledge of the tools they need, bypassing the layers of power-hungry or frightened people who corrupt the signal to further their own selfish interests.

You should have a listen and decide whether you want to take back the world from the people who think they own it http://business-shift.com/. I particularly recommend http://business-shift.com/podcast/2013/4/25/shift-episode-006