Archive for the ‘White Collar Crime’ Category

Prison for DPA breaches

Monday, September 7th, 2009

The new Information Commissioner, Christopher Graham, has recognised that current penalties for breaching the UK Data Protection Act are derisory and has called for the introduction of prison sentences for reckless breaches.

Excellent.

But not enough - the ICO is only responding to pathetic sentences given to private investigators and others who actively and deliberately breached the DPA. As I have said on previous occasions, we need to go much further. The only way that we will develop a real culture of compliance is if directors of companies that breach the DPA are personally liable for fines and prison sentences for failing to ensure that their companies took adequate steps to comply with the DPA.

After all, if larger organisations took appropriate steps to protect personal data, it would be that much harder for the unscrupulous smaller operators to breach their security to illegally obtain data, wouldn’t it?

Mobile Security Governance?

Friday, May 15th, 2009

While I’m probably more interested in governance than the average person, I do sometimes worry that contextualising information and compliance challenges as governance issues can delay organisations from taking the obvious, common-sense action.

This intelligent article on mobile security governance, for instance, identifies all the steps that organisations should take in considering risks to data posed by the mobile network. See how far you have to read through it before you find guidance to apply encryption to key mobile devices - all laptops and any USB sticks or PDAs that carry sensitive information. The sensible approach is to first apply encryption, which deals with the largest number of mobile device-related risks while keeping you within regulatory requirements, and then to stop and consider what other risks might need mitigation.

You don’t want to have to tell thousands or millions of customers or members of staff why someone leaving a laptop at the bus stop has exposed all their personal details to fraud and identity theft. Explaining that you were considering the range of risks before deciding what action to take is likely to elicit the same sort of response as a UK MP explaining that their inappropriate expense claims were ‘within the rules’.

The Role of Institutional Shareholders

Friday, March 13th, 2009

It’s great that Hector Sants has said that “delivery of supervision has to be done in partnership with responsible firms, shareholders and auditors.” (It’s a pity that Sants is inconsistent, but that’s another matter.)

The thing is, he’s not exactly saying anything new. I summarised the current position last year in my book on Corporate Governance (the square brackets are my current interpolations):

Institutional Shareholders

The Combined Code [UK Combined Code on Corporate Governance – in place for 10 years] also requires institutional shareholders to interact proactively and objectively with the companies in which they are invested. There are three main principles for institutional shareholders to observe: 

  1. Institutional shareholders should enter into a dialogue with companies based on the mutual understanding of objectives. (E.1)
  2. When evaluating companies’ governance arrangements, particularly those relating to board structure and composition, institutional shareholders should give due weight to all relevant factors drawn to their attention. (E.2)
  3. Institutional shareholders have a responsibility to make considered use of their votes. (E.3)

The Combined Code explicitly recommends that institutional investors should not accept a ‘box-ticking’ approach to corporate governance, and that their consideration of disclosures made by the company in relation to the Code should take into account the “size and complexity of the company and the nature of the risks and challenges it faces” (supporting principle to E.2).

The Combined Code recommends (supporting principle to E.1) that City [ie investing] institutions should follow “The Responsibilities of Institutional Shareholders and Agents – Statement of Principles”, which were drawn up by the Institutional Shareholders’ Committee (ISC)[1], whose associations represent virtually all UK institutional investors.

The principles were the first comprehensive statement of best practice governing the responsibilities of institutional shareholders and investment managers in relation to the companies in which they invest. 

“They aim to secure value for ultimate beneficiaries – pension scheme members and individual savers – through consistent monitoring of the performance of those companies. This is to be backed up by direct engagement where appropriate. The principles make it clear that if companies persistently fail to respond to concerns, institutional shareholders and investment managers, ISC members will vote against the Board at general meetings.

The principles set out best practice for institutional shareholders and investment managers, under which they will:

· Maintain and publish statements of their policies in respect of active engagement with the companies in which they invest;
· Monitor the performance of and maintain an appropriate dialogue with those companies;
· Intervene where necessary;
· Evaluate the impact of their policies; and
· In the case of investment managers, report back to the clients on whose behalf they invest.” [2]

What’s the reality? 

The reality is that active shareholder engagement has, in both London and New York, been extremely limited; after all, the management fees they were earning from ignoring the real risks being run by the companies in which they were invested supported an exciting personal lifestyle. The real victims are the ordinary folk who fell for the polished pitch of the fund managers, who sold so effectively the idea that managing cash is so difficult and complex that ordinary people can’t do it. (An ordinary person said, on a panel interview programme here a couple of weeks ago: ‘I can’t run a bank; can I get a £695k pa pension?’) It’s all very well asking the institutional investors to exercise their governance responsibilities responsibly, but they too have their fingers in the till.

So, isn’t it time we taught basic financial risk management to ordinary people? I know this might require breaking the centuries-old link between financiers and politicians, but perhaps that might start a move toward a society in which those who produce the cash don’t have it conned out of them... sorry, that’s a bit hopeful...



[1] The ISC is a forum which allows the UK’s institutional shareholding community to exchange views and, on occasion, coordinate their activities in support of the interests of UK investors.

Its constituent members are: The Association of British Insurers (ABI), the Association of Investment Companies (AIC), the Investment Management Association (IMA) and the National Association of Pension Funds (NAPF).

[2] ISC Press Release accompanying the launch of the Principles.

The US Corporate Governance Model is Broken

Thursday, December 11th, 2008

The essential difference between the US and the UK models of corporate governance is that, in the UK, there is a clear understanding of how board rooms work combined with a flexible, principles-based approach while, in the US, corporate governance is essentially an expensive compliance activity that gives CEOs a level of autonomy that allows them, sooner or later, to wreck their companies - and the economy.

The usual situation, in a US-listed company, is that the CEO is also the Chairman of the Board; in the UK, this is highly unusual and, whenever it happens, there is a furore amongst investors and in the press.

The usual practice, in the UK, is that the board is chaired by an independent director, who is usually non-executive and who is genuinely independent - and it is recognised that, once a Chairman has been in situ for too long, he (or she) ceases to be independent. The CEO - however mighty, however well-rewarded - reports to the Chairman and, when the CEO fails in his role, the Chairman is responsible for ensuring that appropriate action is taken to ‘drop the pilot.’ The UK board is made up of a majority of independent directors and, in larger companies, there will usually be a recognised ‘senior director’ whose role it is to ensure that the Chairman doesn’t ‘go native’ and who would be expected to lead the board’s annual review of the Chairman’s performance.

US CEOs talk of themselves serving ‘at the pleasure of the board’; of course, this doesn’t really mean much as it is usually the CEO who chairs the board which, itself, is usually made up of ‘outside’ directors with whom the CEO has personal relationships. CEOs of US companies are therefore usually in place for far too long and, because there is no genuinely independent control over their compensation packages, are hugely overpaid. (I’m never that impressed by a CEO offering to take a $1 salary for a year - it would be so much more impressive if he also volunteered to return 50% or more of the previous year’s multi-million dollar over-compensation to the company.)

While the UK corporate governance model doesn’t always protect UK shareholders from incompetence or stupidity on the part of their boards, it does at least help UK companies avoid a situation where their CEOs turn up in Parliament with a begging bowl, having flown there on parallel private jet flights. One would have thought that any Chairman worth his or her salt would immediately have sacked a CEO who is so far removed from reality that, when asked the direct question on camera about whether they would immediately dispose of the private jet and return home by commercial airline, he couldn’t even come up with a plausible response.

And, while the world has clearly been living beyond its means for far too long, it’s also clear that the US cult of the CEO ego is right at the heart of the huge, ill-considered, crazy bets that their companies have taken - and as a result of which we all now face a long, hard few years.

The US now needs a corporate governance code that resembles the UK’s Combined Code; in the UK, in the meantime, we need to get on with improving our own performance. We also need institutional shareholders tough and determined enough to insist on board changes when their boards are destroying the investments for which they have a fiduciary responsibility.

Fining Executives is, sadly, necessary

Monday, October 13th, 2008

I think it’s a great pity - but clearly unavoidable - that the FSA has arrived at the view that it will have to fine individual board-level executives of retail banks if it is to get them to take adequate measures to protect customers’ information. I think this is excellent news - particularly the clear statement that ‘FSA wants to avoid executives palming off overall security responsibilities onto the IT department. Chief executives, compliance officers and board-level IT directors could all be held responsible.’

One would have thought that banks might have spotted that protecting customer information might be a fundamental part of customer care in this identity-theft age but, then again, I guess we might have expected banks to have spotted that it might not make sense to lend someone of limited income 130% of the already-inflated value of a house. 

A number of UK banks have been - or are about to be - taken into public ownership. The UK government doesn’t exactly have a great track record (eg HMRC, MOD, etc) when it comes to protecting personal data, either. So we have to hope that the FSA will have the courage to fine the government-appointed directors of nationalised banks where they fail to ensure their organisation takes adequate steps to protect personal data - or the protection of personal data in the UK will just become even more difficult.

New UK Computer Crime Unit

Friday, October 3rd, 2008

Well, that’s a relief - the UK government has caught up with the fact that there are criminals on the Internet. The government has said that it will spend £7 million to establish the Police Central e-crime Unit (PCeU) in London, that it will be run by London’s Metropolitan Police and will be more than half-funded by the Met.

I’m not going to waste time talking about the fantastic stupidity of creating and then, after three years, disbanding the High-Tech Crime Unit (creating SOCA, the Serious and Organised Crime Agency, whose priorities were drugs, people smuggling and similar more ‘traditional’ crimes) just as serious criminals migrated to the Internet. I am, though, going to make the obvious point that, even if the PCeU does get going fairly early in 2009, it will still be something like two years before it will start being effective - it just takes a long time to get a new organisation (particularly a publicly-funded one) working, to get objectives and modi operandi and personnel and media and all those things properly sorted. And, in that time, cybercrime will become more sophisticated and the challenge of controlling it even more complex.

Let me put it another way: establishment of the PCeU will be no panacea, anytime soon, for cyberthreats. Sensible organisations are just going to have to keep on doing their own risk management around this issue.

Merchants of FUD

Wednesday, October 1st, 2008

I’ve always thought organisations that sell their ‘software solutions’ entirely on the basis of Fear, Uncertainty and Doubt should on principle be shunned by all right-thinking CIOs and IT managers. Of course, there is a certain amount of FUD that software solutions have to combat, but sales should primarily be made to deliver quantifiable returns on investment (and I recognise that is not always an easy calculation).

It’s therefore a pleasure to see that Microsoft and Washington State’s Attorney General have filed lawsuits against scam artists who frighten consumers into buying useless software, and I hope these scam organisations are stopped.

The scary message, though, is this: ‘A recent report from North Carolina State University showed that most internet users are unable to tell the difference between genuine and fake pop-up messages. “This study demonstrates how easy it is to fool people on the web,” said co-author Dr Michael S Wogalter, professor of psychology. Despite being told some of the messages were fake, people hit the OK button 63% of the time.’ 

In other words, FUD will sadly be an effective sales tactic for so long as people allow themselves to be duped. Awareness and training become an ever more essential aspect of preparing people - consumers and employees - for what they will find on the Web.

The Receding Economic Tide

Tuesday, September 30th, 2008

I watched the Congressional clash of ideology and pragmatism play itself out in the US stockmarkets yesterday and through Asia overnight. While I’m not entirely clear on the point of a vote that avoids spending $700bn but triggers a $1 trillion stockmarket slide, I am clear that the financial disaster will negatively impact the real economy. Even though this month’s Fortune magazine argued that, in the real (US) economy, there was no evidence of a recession, I can’t see how a combination of restricted credit, devalued assets, deleveraged businesses, increased unemployment, and reduced output can translate into anything other than a downturn.

While I largely agree with the analysis in this blog: Impact of the Economic Crisis on Security, I do think that Boards and IT management teams have it within their power to avoid the traditional knee-jerk response to a crisis, which is usually to cut investment, cut training, and cut corners. The key strategic fact is that IT is now fundamental to both survival and success - and, in a tougher economic climate, those organisations that more effectively leverage their information and IT investment are likely to be those organisations that are still standing at the end of the shake-out. Of course, I’m only talking here about those organisations that have a living, breathing enterprise risk management framework - as we’ve seen, those who substitute hope for objective risk management get to go bust.

Put another way, effective IT governance will, in many instances, be the difference between success and failure.

White collar crime and information security

Friday, June 1st, 2007

The increasing incidence and serious nature of internal threats to the security of corporate information is well demonstrated by the recent need for Cable & Wireless to injunct a former executive to hand a 100,000-strong customer database back to her former employer. While the former executive denies the allegation, the BBC has established that the database is being used illegally by Pakistani call centres.

An effective information security management system (ie an ISMS in line with ISO 27001) would have identified this risk and guarded against it. Identifying, investigating and responding to this sort of white collar corporate crime will increasingly be part of the ISMS operation, which is why we have just added a selection of useful books on White Collar Crime and Computer Forensics to our website.

We expect more stories of this sort.