We are bombarded with messages promoting new security technologies when most organisations lack the skills to make effective use of existing products and services to protect themselves and their customers against fraud and abuse. Too many compete for supposedly competent and experienced experts rather than retrain those who already know the business. In consequence, turnover among those who can tick the boxes of the certifications in current demand and have the gift of the gab is spiralling up, and actual security is spiralling down. The problems are compounded by layers of regulation that reward bad practice and open up more vulnerabilities than they address.
The biggest security risk now faced by employers is not outside hackers. It is compliance experts who stay just long enough to help you tick the latest regulatory boxes, having acquired the understanding of your systems and the security credentials necessary to do so. The drive by the European Commission to address supposed “data protection” problems, supported by the US obsession with “Data Breach Notification”, could not have done a better job of opening up opportunities for serious fraud (both high value and mass market) if it had been actively planned by organised crime.
Autumn 2014 saw an explosion in recruitment effort for supposedly permanent compliance officers, well ahead of cybersecurity specialists and other assorted digerati. The average length of stay is now under 18 months. A quick scan of applicants shows that many have not stayed anywhere for more than a year since before the banking crash.
Next year will probably see the nadir of trust in the on-line world.
Part of the solution is for those who are serious about security to stop recruiting external staff of uncertain provenance (beyond the certification of their technical knowledge) for roles which should never be entrusted to those whose loyalty to the organisation is untested. Instead they should retrain long-stay staff, particularly those who might otherwise be made redundant or become disaffected after being passed over. This requires the organisation, however, to be serious about trying to rebuild the reciprocal loyalty that has been put at risk by a decade or more of outsourcing.
They should also start investing for the future by using the growing number of modular degree, apprenticeship and internship programmes to recruit and train the next generation, using the Tech Partnership funding available and training contracts to enable them to claim exemption from national insurance, at the same time as reinforcing loyalty by providing serious CPD training for existing staff. The combination of changes and launches over the past month has dramatically changed the cost/risk calculations that should underpin the choice between retraining and recruitment. Add in the need to reinforce staff loyalty and competence to reduce the dangers of insider-assisted fraud and it should be a no-brainer. Change does, however, require the Head of Information Security to stop talking cyberbabble and FUD and start talking business cases and staff development programmes with the Finance and HR Directors before putting plans to the Board.
I started writing on the need for programmes to address our mounting e-crime problems in 2004. In 2011 I blogged on the need to ACT “before the shit hits the fan”. Earlier this year I warned that the crisis was about to come to a head with an accelerating merry-go-round for those claiming relevant skills and experience. I then agreed to help e-Skills (now the Tech Partnership) look for employers to help identify gaps in the supply of training for the new cybersecurity learning pathways. My subsequent report was accepted and I am currently helping the Tech Partnership identify those training providers trusted by major employers to help them fill skills gaps. I say “trusted” because training providers, like compliance officers, are among those able to work across security barriers without raising eyebrows.
When prioritising the security skills gaps, the technology employers identified “Big Data” (including its use to detect fraud as well as its own vulnerabilities), “Cloud” (from access devices and networks to the hosting centres) and “Mobile” (including “Bring Your Own Device”) as their top three. Financial services employers commonly have a different, but not necessarily incompatible, perspective. Their focus is on “Identity and Access Management” in all its dimensions. These range from registering, identifying and locating the devices (often BYOD) allowed access to services (often cloud based), to the use of Big Data to analyse digital footprints to decide who should be given access and to monitor their subsequent behaviour (Vetting and Monitoring), including good practice in the use of those services already offering precognition reports based on on-line behaviour, on which financial services employers have mixed views.
But the biggest issues are less to do with the technologies than with the people processes they should be supporting. What is legal, let alone good, practice in the vetting and monitoring of potential recruits, employees and current or would-be customers? Hence also the critical nature of my recent blogs on the Government Verify system and the obsession with trying to remove any face-to-face element in the creation of new digital credentials to replace those in which trust has been lost – in order to meet yet another deeply flawed EU initiative to address the problems of the last century.
The world has moved on. As part of my work with the Tech Partnership I am helping organise round tables in the New Year to bring together employers, recruitment agencies, training providers and members of relevant professional bodies and interest groups (including CIPD, CPHC, IAAC and SASIG) to identify those willing to work together on training needs analyses and the provision of relevant courses and material to meet the needs of today and tomorrow.
In some of the most critical areas the first task is to identify what good practice is.
For example, one of the areas is reporting: to whom should you report what, how, and what should you expect to happen? Here the training needs analysis has to begin by “negotiating” the answers with law enforcement and major ISPs, because the answers are not at all clear. The situation is equally unclear with regard to checking the CVs of potential recruits and assessing the probity, not just the technical competence, of those who could destroy the security of the organisation. Then there is the confusion over what is good practice in monitoring staff behaviour over time, given that signs of stress are more likely to be to do with health, finances or family issues (leading to a propensity for mistakes and bad judgement) than with fraud.
However, the exercise will be of little value unless we also address the reasons why employers are not retraining existing staff and why support for apprentice programmes is poor and may even have been falling. Hence also the importance of the work with which I have also agreed to help the Digital Policy Alliance (I remain a member of the unpaid advisory committee) on why so few employers invest in training. The DPA Skills working group suspended activity for the duration of the House of Lords Digital Skills Select Committee. Instead we urged members to submit evidence. The Committee has received over a thousand pages of evidence, and those who have followed the oral hearings will have noticed a number of themes emerging. The DPA Skills group therefore plans to reconvene in February, after the Committee has reported, to discuss how to help implement the recommendations. That will probably entail focussing on how to help make the break out from Groundhog Day: the (to date) 50-year-long cycle of skills reports that have never yet led to action.
The Chancellor made a great start this month by exempting apprentices aged under 25 from National Insurance and funding some excellent Tech Partnership programmes, but that will not be in time to address the compliance-created cybersecurity crisis of 2015, as short-stay insiders help loot those organisations which place no value on corporate loyalty – unless employers make good use of the funding available for CPD programmes.
The pledge by the mobile operators to spend £5 billion tackling mobile not-spots helps explain the speed of the sale of EE (with £2 billion of its debts) to BT and the latter’s plans for a £2 billion rights issue plus £3 billion of extra debt.
The City appears to have welcomed BT’s plans, but they appear to take it to within a £billion of risking its current Baa2 debt rating. That the mobile operators’ pledge is only for 90% of the UK further confirms the need for a new approach to addressing the needs of the final 10%. Meanwhile the pressures to improve mobile cover for those in “rural” Inner London (where BT often claims it has no business case for improving fixed broadband) are increasing with exercises like Syed Kamall’s “No Bars” campaign backed by the Evening Standard.
The good news is that the cost of tackling not-spots can be cut by up to 80% by organising practical co-operation in making available shared mast sites and wayleaves. The issues (including both economics and politics!) are different in urban areas from those in the countryside, but shortly after Christmas I expect to be able to invite members of the all-party Digital Policy Alliance to a round table early in the New Year to pool practical experience regarding addressing inner city and business park “not-spots”, including model agreements. This is part of the promised follow up to the meeting I organised on 12th September to help drum up inputs to the consultation on Digital Infrastructure Investment.
The economic value of work addressing not-spots in enabling initiatives like Microsoft’s support for Retail Week to have serious impact on mainstream UK business cannot be overstated. In the blog on my Digbeth experience (when I learned why our forecasts of demand are so wrong) I referred, albeit in disguised form, to the transformation of a transport business at the heart of the local retail supply chain, from voice messages and paperwork to text and images between the smart phones of the boss and his drivers and customers, stored in a cloud.
The reason had nothing to do with awareness campaigns or consultancy advice. It was that the fibre to every tenant on the business park was accompanied by high speed, high reliability, secure wifi. The boss could be confident in relying on sending photos of paperwork to his drivers. They could respond in kind, equally confidently. Both could rely on GPS positioning to show where everyone, including those at the collection and delivery points, was.
It was not rocket science. It did not require clever teenagers or apps.
But it did require confidence that the technology, particularly mobile and wifi, would be reliable.
Now think of all those high street retailers and inner city businesses whose wifi and mobile cover is, at best, flaky. The deal made between the Secretary of State and the mobile operators should help 90% of UK business. But think also of all those farmers and rural SMEs (including much of our tourist industry) whose choice is, realistically, between satellite and wet string. Hence my Christmas greetings to you all.
If you have not yet read any of the arguments over what the new pan-EU VAT regime means for UK-based on-line retailers (large, small or micro) or are wondering how it will be implemented and enforced I recommend you do not do so over Christmas.
It will merely give you a mix of apoplexy and indigestion leading potentially to rancorous arguments with any relatives who work outside the community of internationalist digerati.
I would, however, remind you that what has happened is all your fault.
When I was Secretary General of EURIM (now the Digital Policy Alliance), I used to regularly warn of the dangers of Euro Ping-Pong during meetings on the e-Commerce Directive and allied initiatives, hosted for us by the then Electronic Commerce Association (now GS1) and rapporteured for me by Will Roebuck, while the Commission was consulting (and it did) before it gave up on trying to do the right thing (whatever that might have been) and “harmonised” on Brussels fudge. And I gave up and focussed on UK-centric issues where I could make a difference.
Those who are serious about wanting to sort out the resultant mess should give rather more support to our successors, particularly the DPA plans to “support” (including inserting the necessary corporate, political and social “rockets”) exercises to turn the current “reform” programme into the action plans needed for the EU to survive the next decade. I have great respect for the rapporteurs who are ready to support the DPA plans (I chose most of them and they have turned out even better than I expected), but they can only help produce balanced and representative results if those who will be affected by the chaos that is to come actually join, to help cover the overhead costs, and are then active in making their views known and working together on that on which they can agree.
We now face the consequences of past compromises as governments world wide (not just within the EU) scramble for tax revenues while the world economy spirals downwards. Governments face a triple fiscal whammy as the growing impact of the Ukraine dispute and associated sanctions coincides with the decision of Saudi Arabia to cripple its political enemies and erstwhile competitors and the US decision to rein in its budget deficit. One “side effect” is that the on-line world will, in future, have to compete with the high street on efficiency and convenience, not just tax avoidance.
Press cover for the latest phase of the Government Online Identity framework is beginning to emerge. The invitation to tender to become one of up to ten suppliers for the Government Verify Framework was dated Friday 12th December and published on 17th, with a deadline for submission of 6th February. On 12th December the Government Identity Assurance blog carried a reminder that the deadline for submissions of interest in the pilot accreditation programme for suppliers was Monday 15th December. The UKAS notice was issued on November 24th, giving three weeks’ notice, but UKAS is one of those quangos of which no-one has ever heard until they learn that they cannot do something because it has not been accredited. I therefore suspect the reminder was either because no-one had responded or because just one response looks like a ‘fix’.
Do read the invitation to tender because it is the first time that the scale and nature of what is intended for this programme will have become clear to many.
Insomniacs will also need the supporting documentation on the CCS Agreements. Two documents have parts redacted. There is provision for changes to reference documents, but it’s not clear which version is to be used for the bid, and some of those currently linked to from the Government Direct blogs have been stated as being well out of date.
Jugglers or Zen experts may be needed to sort out the limitations on how many times subcontractors can be used, but the risk of delay from challenges by lawyers must also be of interest, as the contract mechanism is designed to ensure there is a loser. If someone comes 6th, say, and is then excluded, but would have been included, with exactly the same bid, if there had happened to be a 7th, they would seem to have a very strong case for complaint on a restriction to trade.
It is also the first time that 3.5 million businesses, let alone those providing their accounting and payroll software, will have an opportunity to appreciate the changes they would have to make in order to play, allowing for the scope of the unanswered questions on the business model and therefore the uncertainty of take-up by anyone other than those parts of the public sector which are given no option.
That leads to a core question. What is the business case, apart from a questionable interpretation of the European Union Regulation on Electronic Identities and Electronic Trust Services?
The good news is that the final draft of the regulation was watered down from that which the Digital Policy Alliance described as a “Massive European Own Goal” after it had consulted its members and called for inputs from others, and after my own attempt to draw attention to the ticking time bomb, including for DWP and Universal Credit.
It is, however, a moot point as to whether the UK needs to do anything beyond stating which existing identity and trust services it will accept for on-line authentication.
It is not as though this is a new market. As I have pointed out before, the issues are not new either. UK and US law on electronic signatures has been clear since 1867 (Supreme Court of New Hampshire judgement on whether a cable authentication is a signature), and we have nearly as many government departments and agencies with fingers in the identity and authentication policy pots as we have commercial offerings in what is better viewed as the “Identity and Access Management” market. Other governments, not part of the self-appointed D5, have quietly just done it: Roman Law countries also have a variety of solutions, usually based on “Electronic Notary” services.
Only the digerati who wish to treat our personal information as their oil have a clear “business case” for change and they should be aware that the price of oil can come crashing down after the cartel collapses.
That said, it would be good if the Cabinet Office were to have some sensible bids for recognition under the Government Verify programme from organisations that really do merit our trust. In my own case, I would trust Experian, but would not wish to provide them with any information about me that they do not already have in order to check my identity. Also I personally would not wish to have to trust any organisation based outside the UK to authenticate my dealings with HMG. I should add that while it might have some value over current processes, I have little faith that Verify will be much, if at all, more secure than the South Korean National Identity system or those of any of the other ‘D5 leaders’.
I also await an explanation of the downward trend of ‘live performance’ but am delighted to report that the new system is stated as being required to work in Welsh (albeit in a parenthetical remark).
Merry Christmas and a Happy New Year to all festive-season bidders.
A Christmas Message for the Digerati on why we need to give priority to social inclusion, not to “digital by default”: Luke 2.7, “… because there was no room for them in the inn”.
Joseph to Innkeeper: “But I can show you the confirmation from the ‘Inns’R US’ App on my tablet.”
Have an off-line Christmas and a user-friendly New Year
For nearly forty years most IT employers have declined to take on trainees or retrain older staff, but have queued up to employ those with two years or more of supposed experience. Only the skills in demand have changed. There is no shortage of talent, only of employers who will work with local schools, colleges and universities to identify and train that which is not being properly harnessed – including that in their own work force!
I have regularly talked of the need for Tax Free Training since exempting trainees from National Insurance and PAYE was identified by National Computing Centre members (“The IT Skills Crisis: A Prescription for Action”, 1987, based on 215 responses from 1420 IT employers) as the only Government skills initiative that would make a real difference.
I was therefore delighted with the news in the Autumn Statement that apprentices aged under 25 will be exempted from National Insurance, thus effectively cutting their employment cost by around 20%. The other great advantage of putting trainees (whether school leavers, graduates or post graduates) onto formal training contracts is that costs (as per the test case of Strathclyde Regional Council v. Neal) can be recovered if they leave prematurely – thus giving a “guaranteed” return to the employer.
But what about all those older staff whose skills need updating, or those who are being cross-trained from other disciplines for all those roles that need hybrids?
The 50% aid (up to £500) from the Tech Partnership (new name of e-Skills) is per module, per person and is not age-related. Thus an organisation running a programme of half a dozen modules to train a couple of users in those information security tasks which should never be contracted out could claim £6,000 towards the cost.
I would like to think that this is the start of progress towards a level playing field for employers seeking to give world-class skills to their UK workforces to compete against those who import skills or off-shore jobs. My full evidence to the House of Lords Select Committee is now available on-line, and I would also like to think that it (and perhaps more importantly the reaction to it) helped secure the announcement in the Autumn Statement.
Yesterday I attended the excellent INCA Super Connected Cities seminar in Birmingham, at which two contrasting examples of the effect of providing fibre services to commercial centres and business parks were presented. A light switched on in my head. Neither analysis has yet been published and I plan to blog again with links when they are. One illustrated the effect of providing a high reliability 100 Mbps service to all tenants, without charging separately. The other illustrated the effect of separate charging according to speed, with the fastest service priced akin to the previous leased lines.
One of the users of the first service, the boss of a very traditional SME, had seen no need for computerisation but had been perpetually complaining about the poor fixed and mobile phone service and was drowning in paper. He started using his smart phone to photograph orders and dispatch notes. He now photographs all documentation and files it digitally. Another user, a media distribution company, had been planning to relocate. It is now able to handle its business on-line instead of by courier and has been able to grow dramatically. An IT firm was able to cut timescales for quoting for new business from weeks to days by video-conferencing with users in major clients over details. The transformations did not, however, lead to average traffic volumes using more than a fraction of the new capacity (although these had gone up by a factor of 2 to 5). It was the reliability of service when needed – with sudden short-lived bursts of traffic not leading to service degradation – that had led to the changes in user behaviour. Traffic often spiked to around 50% of capacity even though the daily average was under 5%.
In the case of the second service the effects had been far less dramatic. Many tenants used the opportunity to cut their communications bills instead of taking advantage of improved connectivity and reliability for the same cost. The speaker presenting this service ended by calling for action to educate users as to the benefits of faster, more reliable services. His words echoed the call for such action that I have heard at meetings of the Broadband Stakeholders Group.
A light switched on. I realised that forecasting capacity requirements by talking of average traffic volumes is like planning a new railway network based on average traffic volumes. Most of the railway lines into London are empty for most of the time, save for the queues at junctions or into the terminals during rush hour.
One of the speakers in the following session (on ways of looking at the investment case) had to drop out and I found myself taking his place after that light-bulb moment. It may be helpful if I reprise what I said, bearing in mind that the INCA seminar took place in Digbeth, one of the areas that Birmingham sought to rejuvenate on the back of a shared dark fibre network.
“Good afternoon, I would like to go fast backwards to 1845. We are guests of the Digbeth Chamber of Commerce and the Birmingham Small Arms Trade Association. We are at the heart of the global defence trade. Their factories around us are working flat out, connected by canal to every major port and thus the world, producing the guns to enable all races and nations to more efficiently kill each other. We have been asked by DCNS (the department for canals, newspapers and sport) and OfCom, their regulator, whose remit has just been extended to cover railways and postal services, for forecasts of the scale and nature of demand for freight and passenger traffic over the next decade – to help plan the switch from canals to railways.
I pick 1845 because Thomas Cook agreed a permanent arrangement with the Midland Counties Railway Company in 1844. And in 1846 he was bankrupted when the costs of a tour of Scotland for 350 people from Leicester ran ahead of their willingness to pay for extras. But within six years he had arranged travel and accommodation for over 165,000 visitors to the Great Exhibition of 1851. In total over 6 million people, a third of the population of the UK, made that journey, an average of a million a month… ”
I went on to ask whether anyone had actually made any money from Quadplay over the past twenty years, as opposed to destroying tens of $billions of shareholder value trying to invade markets with different cultures, disciplines and business models, rather than making partnership deals with those who understood them…
I then called for action to remove the regulatory barriers to business models which are attractive to investors looking for opportunities underpinned by 3 – 5 year service contracts with those who stand to benefit most – such as those whose homes, hotels, workshops or business parks will increase in value if better connected or those whose £billions in off-shore profit (from the advertising funded services that are clogging our current networks with monitoring and surveillance bloatware) are now at risk.
My fellow panelists took radically different approaches in looking at the problems of funding new services. We agreed that this was a “two bottle” problem and we were standing between delegates and the reception. I would, however, like to congratulate INCA for organising another excellent event, introducing players who had not previously met and helping progress action and not just informed debate. I now have to follow up on the actions I promised, regarding the removal of obstacles which add to the cost and delay of network upgrades and new build.
I have been very busy over the last week but hope to make time over the week-end to blog my responses to the Autumn Statement, particularly a welcome for:
- the exemption of apprentices aged under 25 from national insurance (should help transform the UK IT skills scene by providing a less unequal playing field with our overseas competitors),
- the reform of business rates (to also be exploited for communications infrastructure),
- the less unequal tax playing field for UK-based and overseas on-line players (to make the latter compete on quality of service instead of tax avoidance) and
- the extension of the BDUK voucher scheme.
I plan to also respond to the recent Labour party Digital Government submission, beginning with those recommendations with which, as a tribal Tory, I strongly agree – such as the need to:
- give priority for public service delivery to those in most need and
- to take a good look at what is ethical with regard to digital by default and big, open data, particularly that which should belong to you and me,
and to say that BDUK has actually done a rather good job, given the situation that ministers inherited in 2010. Read my comments on the Computer Weekly interview with Ed Vaizey on Broadband Progress before you faint.
However, more immediately, I recommend that all digital by default enthusiasts watch the recent evidence session of the EFRA Select Committee enquiry on the ability of farmers to use the new on-line claims services by the spring 2015 deadline.
The first witness was Sean Williams, who effectively said that everything was going according to plan and that the plans agreed with Local Authorities did not include priority for those with the worst current connections, let alone helping them meet Rural Payments Agency timescales. Those affected should therefore use satellite. We also learned that most of the 90 submissions to the Committee called for “Digital Community Hubs”. I had not realised just how strong the support already was for these when I referred to the trend towards local digital interconnection hubs in my submission to the Digital Communications Infrastructure Strategy consultation. Sean Williams said that BT would connect anyone who made a good business case. Watch this space, because the key to their sustainable and future-proof success is “any-to-any” connectivity.
When Henry Robinson and Charles Trotman of Country Land and Business gave evidence we learned that 12,000 farmers (11%) have no digital footprint at all and four exchanges are still on dial-up, with no upgrade plans in sight. They reiterated the CLAB call for a Universal Service Obligation and reminded us that, thanks to contention and other issues, “up to 2 Mbps” is nothing like the same as the reliable delivery of at least 2 Mbps.
As the session politely progressed, with all participants maintaining straight faces, the dry comedy continued with some splendidly polite “understatements”:
– from “as the broadband meanders” (for those next to a cabinet who are being served from one 4 kilometres away)
– to “and what have you learned [from the customer feedback via three pilot assisted digital centres] other than swearwords”.
Mark Grimshaw, chief executive of the Rural Payments Agency, described how the Rural Payments Agency had re-learned both customer service and agile methodology. It now has a three week software upgrade cycle in response to feedback and the discovery of the need to structure services and the “customer journey” round the way that farmers, as opposed to the expert consultants, think they need. He wryly contrasted that with nearly a decade of “delayed big bang”, waiting years to discover what should have been discovered with pilot systems before confirming the specification for roll out.
The new services have been tested to work at 500 kbps, but even that may not be reliably delivered over circuits supposedly running at “up to 2 Mbps” because of contention. They are therefore being restructured to save automatically whenever the service goes down. Meanwhile the approach behind the first Government Verify service to be accredited did not work with those who inherited their farms and have never had to borrow or request credit. The RPA has therefore had to reinstate a routine to bypass Verify and allow farmers to register direct. [I seem to recollect that this tallies with a court case which found that citizens have a legal right to be able to deal direct with government departments and not have to do so via intermediaries.]
Finally Jonathan Owen, chief executive of the National Association of Local Councils, described, among a series of other splendid points, how the provision of 100 Mbps services had led to 20% improvements in “business efficiency”, e.g. hotel bookings and orders for rural businesses.
I do look forward to the report of the EFRA Select Committee.
Further to my recent blog on whether the possible BT – O2 or EE merger is born of weakness or strength, one of my readers has drawn my attention to Benoit Felten’s recent analysis of the pan-European attempts to shut out competition from new network operators and create a new generation of monopolies to protect the past from the future. It is well worth reading for its demolition of the idea that competition is bad for investment because it depresses prices.
A contrast between the history of the railways in Britain, the Continent and the United States also illustrates that while competition may not always be good for investors, it appears to encourage rather than deter overall investment. It also leads to faster, better, cheaper and more reliable services and pulls through economic growth. Has the time come for some trust-busters, akin to those who broke up the US railroad cartels before the First World War?
The news that BT is in talks with both O2 and EE in order to re-enter the mobile market should come as no great surprise, but is it good?
BT spun-off what was then Cellnet and mortgaged its exchanges when it was faced with £30 billion of debt after local loop unbundling destroyed the business case for its plans to deliver broadcast quality video to the home by 2002.
BT’s recent capital spend on communications infrastructure, as opposed to that funded by government, has been little more than that necessary to cover preventive maintenance, replacing obsolete equipment so that it can now make use of the fibre to within a mile of most UK homes that it already had over a decade ago.
Meanwhile O2 and EE have struggled to fund the upgrading of their networks to overcome not-spots and bottlenecks as traffic volumes rise faster than revenues, let alone to meet their obligations and promises for 4G. Hence their desire to offer infrastructure sharing rather than roaming.
Meanwhile global infrastructure funds are said to have tens of £billions looking for opportunities to build 21st century hybrid networks providing gigabit services at a fraction (said by some to be as low as 20–25%) of the costs currently being quoted for new build, let alone operation.
Is a “mere” share swap between market-dominant but financially weak players good for UK plc, or will it serve to deter the new investment that is needed?
A more positive view is, however, that the merged operation will be so “financially challenged” that, like the Swedish incumbent, it will have no realistic alternative to joining its current competitors in becoming “lead tenants” for the new generation of infrastructure-only utilities, akin to Stokab, that are beginning to sprout around the UK.
I look forward to readers’ comments.