Friday, 20 February 2009

Public vs Private Sector security

So, I was looking through the various blogs hosted over at Computer Weekly when I came across a discussion on Stuart King's Risk Management blog. See

http://www.computerweekly.com/blogs/stuart_king/2009/02/public-sector-vs-private-secto-1.html

Stuart and his co-blogger Duncan Hart have started one of those discussions that you should never start. A subject almost as delicate as religion, politics and questioning the choice of allegiance of that big group of blokes in the football shirts. The question? Whether security is better in the public or private sector. Ouch.

It's one of those discussions bound to stir up opinions – often uninformed and vitriolic. It's a good excuse for those in the private sector to dig out the well-worn cliches and condescending attitudes with respect to public sector security whilst those in the public sector can come back with their own traditional ripostes. My own opinion – I have to admit a little bias here having spent the last few years predominantly in the public sector – is that the two areas are so vast as to make such trivial comparisons worthless. You can find good security in the public sector as surely as you can find weak security in the private sector – yes, I'm looking at you utility and manufacturing organisations (amongst others).

I spent the early part of my career doing penetration testing and vulnerability assessments across a wide spread of sectors and I found as many problems in certain private sectors as I did in HMG. Yes, you will tend to find pretty good security in those organisations where a lack of control will tend to result in a monetary hit but there was certainly no guarantee.

HMG have at least taken steps to improve security with the release of the Security Policy Framework and other initiatives aimed at making the (usually) adequate guidance that was previously embodied within the Manual of Protective Security more widely available. Think ISO27001 with extra doses of physical security, personnel security and various other goodies. Add to that the public Good Practice Guidance on offer from both CESG and the CPNI and there's a wealth of information available – never mind the stuff that does not make it into the public domain. More importantly still, following the Hannigan Review of Data Handling Procedures in Government, there is an added impetus to making sure that the mandatory minimum requirements within the various HMG standards are enforced. It may take time, but information assurance in the public sector is on the way up.

Can the same be said for the private sector?

Given the length of this posting, I'll leave that topic for another day.

2 comments:

Anonymous said...

Hi Lee,

Great to find you here and thanks for your comments.

Fully agree that Stuart and I can't do the subject any real justice given the wide ranging nature and complexity of this area. Without clearly defining the perimeters of the context, the argument and a number of caveats to boot, the whole topic can quickly become directionless, unfocused and far too simplistic. It's not surprising that one of my most well-worn phrases is: "I think you'll find it's a bit more complicated than that".

Nevertheless, Stuart and I feel there are real pros and cons to both public and private sector approaches and like most things in life it's about getting the right balance between the two. We thought our series of posts would be a good way to generate some wider thought in this area.

I'd agree with your comments that a lot of effort has recently been expended on getting the standards right for HM Government and this is a timely review which should be kept under regular inspection. Alas, the devil, as you know, is in the implementation and even the best standards can be let badly down in this area.

IMHO one of the biggest disadvantages is that HMG often has very long feedback loops which often don't become apparent, if at all (security failures are often silent!), until many years after critical design decisions were made. At least the private sector has the advantage of almost near-time feedback (through share price movements or quarterly financial reporting) to judge whether they're getting things right or not.

Lee said...

Hi Duncan,

Fully agree that there are lessons for both sides in this debate. I would hope that the recent problems in the financial services industry will highlight that the private sector has certainly not got its risk management approaches 100% correct. I realise that information risk management did not cause the credit crunch (although I would argue that a lack of availability of understanding of the true nature of the financial instruments being traded was one cause, alongside blatant greed) but even before the crunch, the tales of rogue traders exceeding their limits were not uncommon.

I'm not sure I fully agree with your comment regarding a faster feedback loop in the private sector provided by share price or financial reporting - particularly given what happened to the TJX share price following one of the largest reported data losses, see

http://www.computerweekly.com/Articles/2007/08/24/226367/tjx-sales-and-share-price-rise-despite-data-loss.htm

I certainly believe that HMG would benefit from a more slimline approach to project delivery and risk management - the timelines currently expected within the public sector would certainly not be acceptable in a number of private sector industries.

Given the recent move of the HMG ITPC scheme into the IISP, I'd hope that we now have a new opportunity for information and best practice exchange between the public and private sectors facilitated through the Institute.

Better go before this comment ends up longer than the initial post ;-)