Given the pressures to tidy up the Internet and enable those responsible for victim support and redress to track and trace and “remove” trolls, the current Nominet consultation on the collection and publication of contact data for the WHOIS register for .UK is central to the rebuilding of trust in the on-line world.
Will .UK remain as untrustworthy as at present, offering neither reasonable confidence that you are dealing with an organisation or individual subject to UK law nor that your anonymity will be protected? Or will Nominet help lead the way in rebuilding trust in the on-line world? Those who believe the latter should join and take part in the policy discussions because subjects like this are far too important to be left to the introverted community of registrars and IPR lawyers who usually dominate discussion on such subjects.
But what is “reasonable confidence”? And how can it be better provided?
The article by Eleanor Bradley, COO of Nominet, summarises the context of the consultation. But the growth of registrars offering “privacy services” parallels the rising concerns over those who conceal their identities in order to abuse and prey on others. Hence my recent blogs on the need for such services, and the routines allowing others to access their files, to come under proper judicial oversight.
It is, however, worth remembering that those traditionally responsible for checking identity in the context of authenticating legal documents in the “real” world (Notaries and Scriveners) come under divine oversight – the Faculty Office of the Archbishop of Canterbury. Hence also my long-standing interest in the tension between those who believe that the laws are given by God and apply to the State and Rulers (as with Magna Carta) and those who believe that the State is God.
In the early days of this blog, back in 2008, when I repeated the arguments that the Internet should be seen as a cartel masquerading as anarchy, it was relatively easy to find on-line references to the 1912 case that broke apart the US railroad cartel – just as it was seeking to leverage its market dominance to also control the embryonic road haulage industry. [There had been a spate of articles on the judgement when Microsoft was being investigated.]
A couple of years ago the judgement became much harder to find amidst irrelevant adverts triggered by the terms I used to try to find it – after the links I used the last time I referenced it no longer worked. Earlier today, having grown tired of wading through the paid entries that now preface any useful results from a Google search, I decided to try DuckDuckGo. A useful result came up instantly at the head of the list. Interestingly, when I then tried again using Google and Yahoo, having got the precise reference, I did get the same result. What I did not get was uncharged articles that put it into modern context, such as the Wikipedia entry on Essential Facilities.
Why is this so potentially important – including for UK discussions over the Digital Infrastructure on which modern society now depends?
A couple of days ago, at an excellent Westminster eForum event on Priorities for Broadband, I heard the Director of Group Industry Policy for BT repeating the argument that Broadband was not a utility and should not be regulated as such. Is that sustainable now that the US Federal Communications Commission has ruled, albeit subject to a probable appeal to the Supreme Court, that it is a utility and should be so regulated?
The landmark FCC judgement on Net Neutrality looks like a victory for the ISP community (Google et al) over the Infrastructure Community (Verizon et al) who want to charge premium rates for privileged access to that which consumes most bandwidth. However, the decision to regulate Internet Service Providers under the US regulations for telecoms providers has profound implications. Meanwhile Google has said it is not a monopoly because it has competitors like DuckDuckGo. Hmmmm …
Until today I was among those who thought that Google was an “Essential Facility” – and therefore potentially liable to serious anti-trust action to stop it from spreading its tentacles as the US railroad industry was doing when brought to heel in 1912. Now I know that I can do many, perhaps most, of my own searches faster without it. But the world, and the FCC, appears to have caught up with the arguments I heard nearly a decade ago at the Oxford Internet Institute.
I suspect that Google, as an integrated entity, has passed its zenith. But when I said, nearly a year ago, that Christmas was creeping up on the Young Turks of yesterday, I also said that I expected the Googlettes to soon be collectively worth more than Google, just as the break-up of Standard Oil made the Rockefeller family even richer. Are Apple and Microsoft at risk of similar break-up pressures – or does their apparent head-to-head competition preserve them?
Meanwhile all three, and many others, are at risk as tax authorities around the world sharpen their knives and off-line businesses demand equality of tax treatment, on-line and off.
Politics is about to meet IT, whether IT likes it or not.
I had forgotten quite how sharp Sir Michael Marshall, Charles Christian and myself were thirty years ago when similar arguments were in vogue. Amazon has now delivered a replacement for my last copy of what we wrote (loaned and never returned). Below is a scan of the first page of the text of “No End of Jobs”. Remember it was written in 1984, so for Japan you might read China. For West Germany you might read India.
Most of the forecasts have come true, or are well on the way to coming true – save that we have imported immigrants to look after our elderly in overcrowded NHS hospitals, instead of making use of technology to enable them to live at home. One of the themes was the job creation effects of “prolonged active life”: resulting from automating records and administration to enable clinicians to spend time with patients instead of on paperwork, from the manufacture and installation of “robotics for rheumatics” to enable independent living for longer, as well as from all the telecare and telemedicine technologies that we are still talking about but not deploying.
The obstacles to do with the organisation of funding that we identified then have still not been addressed. Indeed they may now be worse. The overheads and waste resulting from the centralisation, bureaucratisation and outsourcing of our health and welfare systems, with funding fragmented for distribution down leaky silo’d drainpipes, means we are commonly spending more to achieve less, or at least to achieve far less than recent advances in knowledge and technology should have enabled us to achieve.
I plan to scan the rest of the paper.
“One of the messages from President Obama’s recent cybersecurity summit was summarised by an American Banker as “We have to protect the trust of the consumer or it’s game over”. The latest PWC Global Economic Crime survey indicates that over half of all global CEOs are aware of the cyber problem – but more are concerned over bribery and corruption. They are right to be so concerned. Other studies show that over half of major incidents, whether fraud or “cyber”, involve insiders – whether careless or malicious. And when it comes to malice, the CPNI study of the Insider Threat shows that it is disproportionately men who are the risk.
Most CEOs are already only too well aware of the risks. They have no need for yet another patronising awareness campaign. But what should they actually do?
I have already blogged on part of the answer: select and retrain those you already trust rather than hire short-stay compliance officers and security staff of unknown probity. Hence also my recurrent calls for inputs to my exercise with the Tech Partnership on the skills with which they need to be retrained. I am now coming to the end of that exercise and am due next week (inputs still welcome) to report on who should be trusted to help specify and deliver the training modules needed – particularly for those planning, developing, installing and running the organisation’s Identity and Access Management processes and technologies: the key point of vulnerability.
However, another message has come through at many of the meetings I have been attending. And it does not appear to be at all popular when I point it out.
Men are usually at the heart of the problem. Women are usually at the heart of the answer.
Yes, there are some female hackers and fraudsters, but almost all malicious leaks and attacks involve men, as do most of the accidental leakages and system failures. Moreover the proportions are not explained simply by the proportion of men and women in roles where they can undermine or bypass systems, make mistakes or take unnecessary risks.
When it comes to non-malicious risk, the story of Bletchley Park is apposite. It was 80% female, including some of the top code breakers, but we only know what was done there because some of the men craved public recognition.
We now have the “Turing industry” (from films to institutes). I commend the Wikipedia entry for a summary of the real achievements of Alan Turing (as opposed to the pastiche in the Imitation Game). Meanwhile we still know almost nothing of the contribution of his fiancée, Joan Clarke, who became deputy head of Hut 8 when he left for the United States and went into GCHQ after the war. We know nothing of the work of Rosalind Hudson, the other named female cryptographer in Hut 8, who died in 2013 having never spoken of her work at Bletchley, save that she is named in the list of code breakers, as opposed to the approximately 150 support staff.
That female ability to maintain security while also fighting and winning a cyberwar can also be seen with regard to the team which broke the Abwehr enigma codes, thus enabling the Double Cross operations without which the “relatively bloodless” D-Day landings might have been impossible.
Mavis Batey was only 19 when she helped save a British supply convoy and kill 3,000 of the Italian sailors involved in the failed ambush three days (three days!!!) after she had broken the Italian Enigma code, thanks to the carelessness of a male operator who had simply pressed the letter “L” to encrypt a test transmission. Meanwhile we know nothing of her colleague, Margaret Rock, save for her letters to her brother and that she, like Joan Clarke, joined GCHQ after the war. We still know almost nothing about the other members of Dilly’s Fillies, the (almost) all-female cryptography team which assisted Bletchley’s top (better than Turing but died in 1943) codebreaker, Dilly Knox. We do know, however, why he recruited them: better lateral thinking, teamwork and temperament.
There is a message here. I wonder who will decipher it.”
The stick of dynamite is labelled “Publicity Japanese Style”. The tube of sweets is labelled “First Rate Teachers”. I had no say in the cartoon and did not see it till afterwards.
The House of Lords Report on Digital skills gave me a curious feeling of “deja view” (see the date at the foot of the cartoon above) with its statement that millions of jobs are at risk from automation and its subsequent calls for digital skills for everyone and the Internet as a utility.
Back in 1981 the late Donald Michie had been invited to organise the annual Sperry seminar for the UK Technical Press. His theme was “Intelligent systems: the unprecedented opportunity”. The Micros in Schools Programme was in train and, in return for first class travel for myself and my wife to the South of France, plus a week of incredibly stimulating company, I was tasked to not only give the thinking behind it, but also think through the likely consequences. The abstract for my contribution to the resultant book read as follows:
“Most of the basic skills needed over the next hundred years can be predicted with reasonable certainty but many of the precise trades and professions cannot. “Age related careers” is an employment strategy which can handle such uncertainty. Fundamental changes to the education system are necessary. Information Technology makes these possible at affordable cost. Encouragement and favourable publicity are more effective weapons of persuasion than coercion.”
The cartoon, with which I was presented, relates to my comments (not all recorded for posterity in either the book or the separately published political version, available on-line courtesy of Blogzilla) on the need to give average teachers the confidence to become coaches, using the new technology to help their pupils acquire skills and understanding which they did not themselves have. In other words, on the need to give priority to the “leading out” roots of education, as opposed to passing on the skills and mores of previous generations – as per the Wikipedia definition (which accurately described, then as now, the mainstream).
The report of the House of Lords Enquiry indicates very clearly how little progress we have made in meeting that challenge. On March 12th the Real Time Club (45 years young and still reinventing itself), hosted in the House of Lords by a member of the enquiry team, will hear from those who appear to have found out how to make a profitable and fast growing business from doing so. I look forward to hearing whether I believe their solution. My own experience in the 1980s, with organising IT awareness courses for older generations (including taking apart Apple Computers to insert graphics boards to play silly games and do basic coding, prior to playing global corporate politics over a pastiche teleconferencing network), indicates that it should be possible to do so today at much lower cost than we used to charge the main boards of the companies we were helping prepare for difficult discussions on IT policy.
Yesterday I took the opportunity to take another look at “Cashing in on the Chips” published in 1979 (containing the original call for a Micros in Schools programme), the New Scientist review of “No End of Jobs” (*) published in 1984 and my own submission to the House of Lords Enquiry.
So how do YOU, “dear reader”, help us all to break out from Groundhog Day and deliver the aspirations in the House of Lords report?
1) Respond to the Ofcom Draft Annual Plan for 2015/16 by 6pm on 26th February
As I said in my previous blog, the good news is that this is the first time Ofcom has indicated that it is planning to take the needs of business users (particularly SMEs who cannot afford leased lines) seriously (see page 26 of the Draft Plan for details).
Ofcom is also planning to take a good look at fixed and mobile Not Spots (see page 32).
The plans for work on Online Child Safety are interesting (see page 35) but the critical path is Age Verification. Here the Digital Policy Alliance appears to have already made good progress in assembling a team that will lead the drive for practical and credible answers – because the participants need them for marketing and moral, as well as regulatory, reasons.
Page 43 refers obliquely to the need for more work on performance measures, not just quality of service. Even more interesting is the reference in the section on “Protecting consumers from harm” (starting page 44) to the need to work with groups like the Internet Engineering Task Force on removing the vulnerabilities that enable spoofing.
I also recommend reading the rest of “Protecting Consumers from harm” and thinking not only how Ofcom could and should address the issues it raises but the roles of others in doing so.
2) Take a look at the House of Lords report, consider how the recommendations might be implemented, then consider how you think they should be and what you can do to help.
There is a lot of worthy comment and generic material in the report, but when it comes to action on skills the devil is in the detail, usually in the funding and incentive mechanisms, including the performance measures and league tables used to reward and recognise those meeting centrally set objectives (with which the report is peppered).
I have said (above) why those of you who are interested in remotivating staff (or teachers) for the Digital Age should try to attend the next meeting of the Real Time Club and then consider just how much (or little) this should cost using the technologies and techniques now available – although there may still be places available for those of you near Huddersfield to get a view from the grass roots this Wednesday at the presentation of the survey on the results of the first Digichampz exercise.
I personally think that by far the most important recommendation in the House of Lords report is that the Tech Partnership be tasked to lead an employer-driven review of the offers of the Further Education sector with a view to improving the apprenticeship packages on offer (para 314 onwards). The weakness of this recommendation is that a growing number of apprenticeships are at graduate and post-graduate level, linked to the Higher Education sector. The review should therefore encompass the actions listed in the following paragraphs on Higher Education and Careers Guidance, albeit not necessarily inside the first six months.
There is a lot in the report on Women in Technology and on Cybersecurity (page 36 onwards). I have commented in the past, albeit mainly en passant, on why you should employ women rather than men if you are serious about information security. I plan to return to this theme in my next blog.
3) If you are actively trying to get socially and geographically inclusive Broadband to those in your Parliamentary Constituency, ask your MP if he or she can get you an invitation, on his or her say so, to the event on “Broadband for ALL” being planned by the All Party Space Group and Digital Policy Alliance, in the House of Commons on the afternoon of 10th March. The aim is to cover the current state of play with regard to the availability of the full range of technologies – from fibre, wifi and mobile (for social housing and inner city commercial centres) to satellite (for hill farms, rural businesses and disaster recovery – e.g. fire or flood taking out terrestrial networks). Advance notices have been sent to DPA members but the details are not yet on the website because some of the industry speakers have yet to be confirmed.
(*) Unfortunately “No End of Jobs” is not itself on-line (I have just paid ten times the original price for a copy to supply to anyone willing to scan or digitise it). Interestingly what looked to New Scientist to be the “silliest predictions” might already have come true – but for the failure to complete “the recabling of Britain” by 2002. That was, of course, Government policy until 1997 and the introduction of Local Loop unbundling to save US bondholders, who then owned NTL and Telewest, “from taking a haircut” with a distress sale to Sky.
P.S. Now received a copy of “No End of Jobs” via Amazon and made time to scan the first page. Remember it was written in 1984, so for Japan read China. For West Germany read India. What has changed since: apart from importing immigrants to look after our elderly in overcrowded NHS hospitals, instead of making use of technology to enable them to live at home. One of the themes was the job creation effects of “Prolonged active life”: enabling clinicians to spend time with patients instead of on paperwork and deploying “robotics for rheumatics” as well as all the telecare and telemedicine technologies that we are still talking about but not deploying and enabling.
I recently signed up to the HMRC advisory service and this morning received the e-mail below. Being a trusting individual I did NOT click on anything. Instead I visited the HMRC site on how to check whether a communication from them is genuine. I was none the wiser. However, being both paranoid and interested, I tried to find another way of getting the details. Eventually I found my way in via the “Business is Great” website although the Broadband Voucher scheme is not among those promoted on the home page.
I still do not know whether the original e-mail from HMRC was genuine but, if it was, I deduce that HMRC is more concerned to help SMEs get good broadband access than Gov.UK is concerned to promote either good security practice or the voucher scheme.
Rant over. This is a great scheme. It needs to be extended so that every rural business stuck with crapband (not just those in Wales) can use it to pay for a satellite service. Meanwhile inner city businesses in the areas covered should use it to apply for a fibre connection: there is a routine for vouchers to be collated by alternative suppliers if BT or Virgin will not offer you anything other than a prohibitively expensive leased line. Those in areas that are not yet covered, where businesses are stuck with a choice between crapband and expensive leased lines, should be contacting their constituency MP and parliamentary candidates to lobby either for access or to work to make it easier for alternative suppliers to compete to meet your needs.
But be warned, the budget is fixed and it’s first come, first served. We also need to get action on opening up the supply of business broadband to all. I therefore take this opportunity to remind you that the deadline for the consultation on the Ofcom Draft Annual Plan is next Thursday. The good news is that Ofcom has finally given priority to looking at business broadband. There is much to do and you have to get into the appendices, with references to the work of the IETF on inter-operability standards, to realise that Ofcom is now serious about looking at UK telecoms in a global context.
Meanwhile, if you are among those stuck with crapband – do take a look at the voucher scheme. If you are not covered, take a look at how many others, locally, are in the same position. If there are enough of you, one of the new generation of the alternative network providers (see the list of those participating in the scheme) might be able to serve you at an attractive cost anyway.
Few outside the community of those obsessed with digital identity will keep up to date with postings and comments on the Gov.UK Identity Assurance Blog, but a regular reader recently drew my attention to a recent posting, on “User research – asking better questions”. He asked why they were relying on feedback from current trials and had not looked at the market research conducted by others, such as Experian – although he did not say which research they should have looked at.
I found his question interesting. My work with the Tech Partnership (formerly e-Skills) on the training modules needed to help organisations survive the impending cybersecurity skills crisis is largely focussed on identity and access management: IAM.
The skills involved in IAM range from “authenticating and authorising transactions over smart phones”, through “bring your own device” to “multi-level access and authorisation in complex organisations with large numbers of customers, contractors and staff with different permissions in different locations” (e.g. airports or global banks). A cross-cutting issue is the vetting and monitoring of those to be given which access permissions. The processes are complicated by regulatory issues (including data protection), with compliance officers themselves a significant point of weakness, because so many are in post for 18 months or less.
Most discussion of IAM is focussed on the digital components, but workable systems are nearly always underpinned by rigorous people processes – except when the organisation is confident that it will not be put at significant risk from insider-assisted fraud or unauthorised physical access to safety critical or secure facilities. Where that risk is significant the systems always embed inputs from those who have done physical checks as to the identity of those to whom they have given electronic credentials.
I am therefore unconvinced that any identity based purely on digital footprint (whether or not it includes on-line financial records) merits my trust, let alone that of those looking after my savings or of the critical national infrastructure. I am therefore not impressed by requests to provide feedback over the precise wording of a requirement to make personal financial information available in order to obtain a digital identity that is more acceptable to government than those it currently requires us to use to pay our taxes or claim benefits.
One of the problems with the original attempt to require farmers to use “Verify” for interactions with the Rural Payment Agency was the belated discovery that nearly 20% have no digital footprint – or at least no footprint discernible to the identity providers. Moreover those who have never had to borrow money and have always paid cash see no reason to provide their financial information to someone with whom they have had no previous dealings for unknown transmission and storage. That is not to say they are digitally illiterate. They may well use mobile or satellite services to keep abreast of prices for livestock or crops or to access on-line auction sites, but because of not-spots and crapband* have to do so from wherever they can get a signal or via their own choice of trusted intermediaries. They are also often well aware of the risk of fraud and impersonation.
Now let us look at those most reliant on public services, including those stuck on sink estates or transient between bedsits or caravan sites, including those who share their identities with whichever member of their “extended family” they trust to collect their benefits and do their shopping. Hence my expectation of an all-party backlash against the “digital by default” agenda, because there is a very big difference between using technology support to provide better services at lower cost and “herding the sheep on-line to be fleeced”.
I am particularly concerned at the potential risk of those dependent on benefits having their identities registered on-line by fraudsters and their being unaware until left destitute.
This survey is unusual in that it is based on a high response from on-line users in a poorly served (connectivity, let alone support) rural community. I do recommend looking at the actual report, not just the headlines. Despite the editor’s comment that security and child protection were of low concern compared to getting a reliable connection at all, around half the respondents were concerned about security and a third about on-line child safety.
Now back to “Verify” – if I ever get round to applying for an identity, because I am forced to in order to (for example) do my VAT or tax returns, I will probably use the Experian service – but to call this a “digital by default” service would be a misnomer. Experian will be comparing what it is told on-line with what it has collected on me over several decades from those who would not serve me in a department store or mobile phone shop until I had signed a form permitting me to check with Experian as well as giving other proof of identity.
That is not, however, possible for a couple of my “legal” identities (as a trustee or director) because the organisations concerned have never had reason to borrow or purchase anything on credit. I therefore expect those selling to them to require me to use a variety of rather more secure IAM systems, including those that are global and do not rely on local political agendas. I have no problem with this – provided their services are securely firewalled from each other, with my liabilities governed by UK consumer credit and unfair contracts legislation.
But this links back to the current cyber security skills crisis. Those selling to me have to manage and insure their risks, integrating the various IAM systems already on the market in support of their people processes, from physical access to customer and transaction authorisation (both on-line and off-line). I do not yet see the business case for them to regard “Verify” as anything more than an interesting experiment.
P.S. The issues get even more interesting when we consider controlling access to the systems controlling smart cities and those along supply chains. There is still remarkably little attention to this area, so I was delighted to learn of an event being organised at the Institute of Chartered Accountants on 25th March.
*Crapband = “Copper, Rust And other Pollutants” between the fibre (cabinet or exchange) and the premises (home, workshop, office etc.) or the wireless aerial (for mobile or wifi connectivity).
I have received a number of e-mails asking me to blog on the issues or “do something”, but none from those actually engaged in running the businesses supposedly affected. Moreover, all the lobbying appears to be behind closed doors. The guidance on Gov.Uk indicates that those who are already registered for VAT and use a payment service need do very little. That from the FSB reinforces this message.
Is it correct, however, that even micro-businesses which use the same “legal identity” for sales of on-line products and services in the UK as for overseas, will now have to register and charge VAT to their domestic customers, thus putting prices up by 20%?
If so, will this lead to halting off-shore sales, a flight off-shore or guidance from the suppliers of accounting and payment services on how to legally and cheaply split the business?
In other words, is this attempt to reduce VAT avoidance a serious obstacle to the UK future as a location for innovative on-line start-ups or will it simply lead to more work for tax advisors and a rash of competing “VAT apps” for teenagers (and sub-teenagers) aspiring to sell their own games instead of pirating those of others?
I have no idea – hence the question.
I would, however, also comment on the timescale.
When my team at the NCC Microsystems Centre invented and defined the term “vapourware” (back in 1983), I had in mind a timescale of barely five years from birth to death of most “buzzword technologies”.
Despite the efforts of US copyright and patent trolls to slow the pace of innovation, I think that 35 years is a bit long for the life cycle of a terminology.
P.S. I have just done some “research”.
The pace of change in the early 1980s with regard to micro-computer products was unusually rapid and the life cycles of even market leaders were much shorter (e.g. the rise and fall of Visicalc, Concurrent CP/M and the Amstrad PCW) than today.
Taking a longer view, it took about a decade for the term “Agile” to replace the acronym DSDM which, in turn, had taken about a decade to replace RAD (Rapid Application development), which was a reinvention of approach behind Filetab (alias RPG, alias FPL etc.).
Filetab did indeed last 35 years before the name finally vanished from the market – with the Java version, to handle applications inter-operability within mobile phones, hidden from view.
Meanwhile Windows and Word are both approaching their 35th birthdays.
I therefore thank Mr Wardley for his insight and leave readers to ponder for themselves what determines the life cycle of the products, services, technologies (and terminologies) of today.
– entrepreneurs finding new ways to meet user needs?
– investment in research and development? public or private?
– government supported technology (and transfer) programmes?
– corporate spend on IPR lawyers?
January usually sees a sharp rise in recruitment effort across the financial services industry, to replace those leaving at year end or who hand in their notice after the Christmas break. This year recruitment effort is down because of the uncertainties caused by the crash in oil prices and the expected cost to the EU of preventing Grexit. Except for risk and compliance staff – where staff turnover continues to spiral upwards as supply falls ever further behind demand. According to Alex on 9th February (that most authoritative of sources on City developments) there are now 17,000 compliance officers getting in the way of doing business.
Those who have not yet taken action to secure their staff must therefore do something different – now. GCHQ has shown the way by announcing 50 cybersecurity apprenticeships for school leavers applying by 15th March. Meanwhile the Tech Partnership cybersecurity internship programme has had an impressive take-up. E-mail Howard Skidmore if you wish to bid for some of those not yet matched (believed to be less than 20) or to offer placements for the next intake.
The rest of you also have to consider who you will trust to retrain your existing staff, including users, to handle those roles which you cannot afford to contract to those you do not know.
Before Christmas I blogged on the expectation that 2015 will be the year of the compliance-created collapse in cyberconfidence.
Over 60% of significant security incidents (data breaches, fraud, network collapse etc.) involve insiders, albeit digititis (e.g. mistakes in maintaining legacy systems overlaid with fashionable vapourware) and ignorance (linked to equally vulnerable identity and access control processes) remain a more common cause than malice or criminal behaviour.
Debate on how to improve the security of businesses or their customers is almost entirely driven by those selling technology or outsourced services and processes to help tick compliance boxes. But the travelling compliance “expert”, who stays long enough to help you tick the latest regulatory boxes and collect the understanding and credentials to open the trapdoors in your security firewalls, is now by far the biggest single risk. He, it is usually a “he”, is an even greater (and more unnecessary) risk than short-stay security “consultants”, help desk staff or cleaners. Albeit the “over-ambitious chief executive” who ditches due diligence in his (it is nearly always a he) dash for growth remains a greater absolute danger.
I recollect conversations with those then in charge of “risk” at BP when they came to try to audit safety and security systems along the supply chains of the organisations they had acquired in the US as the basis for their entry into the Gulf of Mexico. Their worst fears came true with the incident which came close to destroying the entire business while enriching a whole generation of Southern lawyers. I recollect similar conversations after the Chief Executive of RBS cut short due diligence with regard to his US acquisitions, before embarking on the take-over too far which did destroy the business.
Due diligence along the security (including risk and resilience) supply chains of organisations being considered for take-over is now big business for the law and audit practices of the City of London and their demand for the skills necessary is helping fuel the current salary spiral and staff merry-go-round which threaten to destroy the security of those who cannot ensure the loyalty of those who manage risk on their behalf.
A couple of weeks ago I thoroughly enjoyed an evening with the Management Consultants Livery Company when I helped open a discussion of the impact of “Big Data” (which I view as a subset of the current state of “Management Science”) on the Management Consultancy profession. I was interested to learn that the market leaders all have a very strong focus on training their own staff, rather than outside recruitment, even though they expect to lose more than half within 2 – 3 years. The following morning I attended an excellent NED Forum on the current state of the Dark Market and the analysis and intelligence services now available. I was interested to learn that, once again, the market leaders train their own analysts because the necessary Information Science disciplines are missing among the many recruits available from law enforcement or the military.
It is perhaps as well to remember that the cryptography operations of Bletchley Park were quite small compared to the Sigint (alias data analytics, or “Information Science”) operations which also maintained the symbiotic German Order of Battle (even down to the level of working out that two radio operators shared a girlfriend called Rosa). The Sigint operation was entirely female and some of the techniques used have not yet been declassified – because they underlie that which even Snowden did not discover and leak.
Hence the importance of ensuring that update training in Management Science, alias the disciplines behind “Big Data” is available, when and where needed, to give existing security staff the skills they need to help organise intelligence-led security. It also makes good sense to trawl existing user staff, particularly female staff, for the necessary aptitudes before going outside for new recruits. When I ran the original Women into IT Campaign (1988 – 92) one of the surprises (at least to me) was the discovery that, on average, women stayed significantly longer than men, especially if offered flexible working conditions and other support to cope with family responsibilities (including elderly relatives, not just children).
Most compliance roles do not need cryptographic aptitudes or big data training but, if the exercise is to be more than just ticking the regulatory boxes, they do need an understanding of the business so as to ensure the compliance routines reinforce good customer service and do not get in the way of profitable business. The current demand for compliance staff, and the rate of turnover among those who have no good reason for loyalty, means that it is often both cheaper and quicker to retrain long-stay user staff, particularly those who might otherwise become expensively redundant, than to recruit externally. The exercise also gives an opportunity to screen for those who might be brought into the main security team to help supervise the contractors to whom those technical and support operations which do not need to be in-house are outsourced.
But who do you trust to deliver that training? This is not a trivial question of “competence”.
Trainers, like compliance officers, can make trusted contacts across your Chinese walls. I have therefore agreed to help the Tech Partnership identify those who are trusted to deliver training in other sensitive areas so that they can be asked if they are interested in helping specify and deliver modular update training in some of the areas identified as being in critical shortage, such as Identity and Access Management (from customer mobiles and bring your own device to tiered access to complex systems and multiple locations, such as a global financial institution or an international airport) or the use of big data (alias management science) techniques to identify risk. Then there are the skills needed by compliance staff, the selection and training of whom should also be used to identify your next generation of security staff. I gave a longer list last year of the skills gaps based on my work for e-Skills, but we have prioritised since.