Posts Tagged ‘Add new tag’

What a good idea…

Monday, March 1st, 2010

Warren Buffett encourages boards to develop meaningful penalties for executives who fail to fully and personally own risk control in their business.

He is, of course, right. In the UK, the Combined Code expects directors and the board to own risk and provides, in the Turnbull Guidance, comprehensive guidance on what is expected.

My impression is that, in the US, the CEO gets stratospheric compensation - and, the bigger and more complex the business, the more s/he gets paid. It seems wrong that the shareholder should stump up the funds for an acquisition, should see their investment savaged if the deal goes sour, have no real control over the acquisition strategy, get to pay the CEO more and more, but for there to be no real penalty for the CEO when s/he screws up - and being forced out with a big compensation package is no penalty.

Governance, risk management and compliance in 2009

Friday, January 2nd, 2009

As I see it, those organisations that survived 2008 are only going to get through 2009 if they manage cash really carefully. Cash management is only useful if it takes into account the full range of possible risks faced by the organisation. Simply hanging onto cash, not paying creditors and avoiding all expense and investment, is not the same as managing cash - because, even in a recession, there are business opportunities and growth prospects and those organisations that manage their cash effectively are able to prepare themselves to handle the range of possibilities - both on the upside and the downside.

Effective risk management tends only to happen in well-governed organisations; where risk management has failed (such as in our banks, the Big Three auto manufacturers and so on) it doesn’t take long to spot that their governance framework must also have been ineffective - not least if the organisation has had to beg for a support package from central Government.

I think that governance and risk management are going to be key themes in 2009 for the world’s better organisations; for all the rest, those for whom governance is just about box-ticking, 2009 will bring much more box-ticking, because regulatory authorities are not going to allow a repetition of 2008’s ‘perfect storm’, which means that compliance requirements are going to increase.

Of course, box-ticked governance will still be the poor relation of more constructive, fully engaged governance and risk management models that boards - under the guidance of an independent Chairman - deploy to manage the risks faced by the organisation in the difficult economic climate we all face this year.

I kind of hope that those organisations that eschew proper governance will go bust quickly, and get out of the way of the rest of us.

Fining Executives is, sadly, necessary

Monday, October 13th, 2008

I think it’s a great pity - but clearly unavoidable - that the FSA has arrived at the view that it will have to fine individual board-level executives of retail banks if it is to get them to take adequate measures to protect customers’ information. I think this is excellent news - particularly the clear statement that ‘FSA wants to avoid executives palming off overall security responsibilities onto the IT department. Chief executives, compliance officers and board-level IT directors could all be held responsible.’

One would have thought that banks might have spotted that protecting customer information might be a fundamental part of customer care in this identity-theft age but, then again, I guess we might have expected banks to have spotted that it might not make sense to lend someone of limited income 130% of the already-inflated value of a house.

A number of UK banks have been - or are about to be - taken into public ownership. The UK government doesn’t exactly have a great track record (e.g. HMRC, MOD, etc.) when it comes to protecting personal data, either. So we have to hope that the FSA will have the courage to fine the government-appointed directors of nationalised banks where they fail to ensure their organisation takes adequate steps to protect personal data - or the protection of personal data in the UK will just become even more difficult.

Data protection and financial chaos

Wednesday, October 8th, 2008

When financial markets appear to be in free fall, many organisations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist any more? (And, from what we’ve seen over the last few weeks, the ‘might not exist tomorrow’ possibility should be a very real planning scenario for all but the world’s best-capitalised banks).

Well, in the UK, the Information Commissioner is unlikely to cease caring - already identified as “setting the political and administrative agendas for the protection of personal data in this century in the UK” and for “firmly disciplining politicians, civil servants, the media and business folk into line”, he’s unlikely to allow data protection to take a back seat at exactly the moment that spammers are expected to take advantage of bank buyouts to launch new phishing scams.

However, we’re talking here about banks that were unable to identify or adequately manage some rather more obvious risks to their business (like, if you lend someone 130% of the value of his collateral, and if his current cashflow is insufficient to pay the interest let alone repay the principal, how do you expect to survive?) than those around personal data. So, if you’re a bank customer, it might not be wise to hope that, in the midst of all this turmoil, your personal data will be adequately protected. The facts speak for themselves: US organisations are on track to report at least 680 data breaches by the end of 2008, affecting more than 30 million records.

It is clearly the case that, with personal data, one can only rely on oneself to protect it!

Will a data breach harm your brand image?

Wednesday, October 1st, 2008

Virgin is a strong brand, so a welter of stories describing Virgin Media’s breach of the Data Protection Act, when it lost an unencrypted disc containing the details of some 3,000 customers, would not have been part of the PR strategy. As a result of a simple management failure - not requiring the encryption of all portable media that contain personal data - it now finds its name and brand logo alongside statements that Virgin Media has been guilty, ‘scolded’, ‘reprimanded’, ‘slammed’ and ‘rapped’ for inadequately protecting its customers’ data. Not a pretty outcome!

There is a simple way to avoid this sort of damage - encrypt all portable media! We wrote about this in our Data Breaches Report 2008 and, after the HMRC fiasco, one would have thought that all organisations would, at least, have carried out the encryption part of our recommendations.