It’s time someone said it. The ICT industry has taken a battering over the last few months and we’ve typically responded by trying to find technical solutions to business problems in our usual helpful way. That approach is not going to work this time, in fact it could be counter-productive. We’re taking responsibility for something that we can’t fix.
What is important is to understand the underlying process of the privacy breaches rather than attacking it at individual layers. Whatever the answer is, while there may be a technology solution that can ease the risk of privacy breaches, it is only a very small part of the answer.
James Reason’s Swiss Cheese Model continues to be a construct that companies use to lower the risks of organisational accidents.
“Reason hypothesizes that most accidents can be traced to one or more of four levels of failure: Organizational influences, unsafe supervision, preconditions for unsafe acts, and the unsafe acts themselves. In the Swiss Cheese model, an organization’s defenses against failure are modeled as a series of barriers, represented as slices of Swiss cheese. The holes in the cheese slices represent individual weaknesses in individual parts of the system, and are continually varying in size and position in all slices. The system as a whole produces failures when all of the holes in each of the slices momentarily align, permitting (in Reason’s words) “a trajectory of accident opportunity”, so that a hazard passes through all of the holes in all of the defenses, leading to a failure.” – Wikipedia
The point is this; there is no single point of failure that causes a privacy breach, there are multiple contributing factors and unless you take a wide view of all of those factors then you’re doomed to repeat the same mistakes.
Let’s take the EQC breach as an example, and you’ll forgive the generalisations, obviously I don’t know all the details of the issue.
What we do know is that after the Christchurch earthquake, EQC grew by tenfold. The pace of that growth is extraordinary. It doesn’t allow time to alter existing tools or processes to cope with the rapid expansion. If you were a normal company growing rapidly you would, hopefully, consider that utilising tools like spreadsheets and stand alone databases would no longer be appropriate. You would start to look for a software solution to manage the business problem of massive expansion. As part of that process, hopefully, you would build in privacy process and checks to lower the risk of a breach.
Clearly that didn’t happen. Coupled with the massive growth EQC is under enormous political pressure. I don’t care whether you bat for National or Labour, the government is throwing as much resource as they can at the problem so that people can just get on with their lives. If you read the press, it’s not enough. I’m sure if you look behind the scenes you’ll see an organisation that is doing their level best to deal with a very human problem. That political pressure and very real human interaction with the people of Canterbury, causes immense stress on the organisation structure. Things must happen quickly. Decisions must be made right now. Corners must be cut. Process is an impediment.
That means that bad decisions will be made. It also means that any cautionary words from staff are likely to be seen through the light of “blocking” as opposed to helping. Risk management will be quite a long way down the organisation’s priority list. This further creates opportunity for blind-siding accidents.
On top of that, we can add financial pressure across two fronts. Firstly, having 1,500 staff where there were once 150 is a hole in Government budgets. The government (former and current) have placed massive pressure on agencies to consistently reduce cost. The first thing that goes in cost cutting are the roles and projects that are seen as compliance, as opposed to something that delivers current and future value. This means that you cut risk management, business continuity, new software solutions, back office functions, ICT, and … security.
So we have a perfect storm. The poor front line staff member is under immense pressure from the entire slew of factors. They must work fast. They must make decisions that are quick. They are working with open tools that have few safety controls. A slip of the keyboard at the end of a busy and stressful day and bang, privacy breach.
The entire system from earthquake, to government response, to EQC, to the staff that operate those systems are at fault. There is a confluence of events that cause the breach.
It is not an ICT fault.
Similarly we look at the ACC incident and no doubt could draw exactly the same kind of conclusion. And MSD. And MoE. And and and…
There are other factors in the wider environmental mix that add to all of these breaches.
There is intense media interest. Particularly with government (you don’t see the private companies being slammed in the media for breaches.) After all, it’s a relatively easy story.
The growth of data is massive. Everything we do today is digital and that rate of adoption is massive. Our entire lives are digitised. If you look at the technology change in the last three years it is astounding. The ability to share data has matured as well. It’s not just email today, it’s a range of free Cloud services. What amazes me is that we don’t have hundreds of breaches.
There is a massive push by government to push centralised ICT services in an effort to reduce cost (there it is again) and to allow New Zealanders better access to government. What does that mean? More digitisation. More technology. More sharing. More breaches.
There is of course a technology solution to this. It’s quite simple. Turn it all off. That would solve the problem promptly. The consequences of that of course is that we’ll return to circa 1970 in terms of capability.
I’ve seen a few solutions put up by the media and ICT industry members but in my opinion they won’t help. Because the problem is not a technology one. The two that are popular are using encryption to send information and turning off email attachments all together.
Neither will work until those political and organisational pressures and processes are sorted out.
People under pressure will simply work around the process, especially when under stress in an environment that demands high throughput. Both encryption and turning off attachments on email, or turning off auto-complete, is a momentary challenge that is easily defeated.
So how do you solve the EQC problem? Well, I don’t think you can because any solution runs contrary to the entire environment. In other words, anything that is put in place will slow down the processing of claims, cost more money, increase the political pressure, and require a cultural change of “getting the job done” to one of a mature end-to-end service.
Given that EQC is at a temporary high because of Canterbury, why would government invest in all of those resources, projects, tools, and processes?
These privacy and security breaches are not failures of technology, they are organisational failures. Technology is doing exactly what it was designed to do.
I think we will see more and more privacy breaches and a little bit like Syria the media will get bored with it and we’ll forget about it. The government continues to put downward cost pressure on agencies ICT. The government continues to try to push for centralisation of ICT services. The amount of data grows by an average of 100% per annum. The tools for sharing are exploding. Big data will increase the risk levels if not managed properly.
The answer lies in the business management of an organisation and what they are willing to do to manage risk across the entire spectrum including technology.
Quick addition: Clare Curran (@clarecurranmp) has pointed out that I forgot a factor in the solution, that being leadership. It’s a great point, without strong leadership, and sponsorship, of these issues inside an organisation then all the resource in the world won’t make any difference at all.