Information assurance placed as 'top agenda item'

Only by doing this would they maintain the public’s confidence in the way secure data is handled, a series of top-line keynote speakers told the event, which attracted more than 500 senior Government figures and industry leaders to discuss latest trends and share best practice in IA.

Key speakers
Keynote speakers from the Cabinet Secretary and Head of the Civil Service Sir Gus O’Donnell to Robert Hannigan, Security Adviser to the Prime Minister, and John Suffolk, the Government’s Chief Information Officer, looked at how public confidence needed to be restored in the way sensitive information was handled.
    
IA08 also featured high-powered discussion panels led by senior industry figures, case studies, exclusive research findings and workshops.
    
The two-day conference in London was chaired by Director of GCHQ Sir David Pepper, who set the scene with his opening remarks highlighting the significant change in the public’s awareness of IA between 2006’s inaugural conference and this year’s event.
    
“The spotlight is now firmly on Information Assurance issues and on us, the IA community, to act,” he said. “Never before has Information Assurance been subject to this level of widespread external scrutiny.
    
“See this as an opportunity,” he told delegates. “An opportunity to maintain our momentum as we move forwards. An opportunity to garner support from our wider organisations – and the public – as we implement change.”
    
Delivering the second day’s keynote speech, Sir Gus called on the industry to help drive the change already well underway in Government towards achieving its goal of building world-class public services.
    
Some of the most effective and powerful examples of public service reform are based on the use of technology, he said. In order to provide the level of services the public now expects and demands, data will have to continue to be shared between government departments, and where appropriate and necessary between these departments and private companies – he cited the example of over seven million people last year choosing to renew their car tax online.
    
“We need to join things up and do it securely,” he said. “That moves us to a much better service.” The importance of IA as an issue for Whitehall was reflected in Sir Gus chairing a meeting of Permanent Secretaries of all Government Departments at a side meeting at IA08.

Further development
Sir David, in his keynote speech, said recent reviews, including the Government’s Data Handling Review (DHR), had provided the industry with a platform for further development.
    
“We have moved from a world where Information Assurance was viewed as a purely technical issue to a world where Information Assurance is recognised to be a much broader issue, encompassing all aspects of the collection, use, storage and disposal of information – in whatever form,” he said.
    
Mr Hannigan also touched on the DHR, pointing out that there was an ongoing need for Government to ensure the right people had access to the right information while protecting personal information.
    
“This is vitally important, as a recent survey by the Institute for Insight into Public Services reported that only 37 per cent of those polled had confidence in the Government to handle their personal data securely,” he said.
    
“This is a baseline that we must work to improve,” he said, adding that there was now a need for cultural change.

Challenges ahead
The challenge for the IA industry across all sectors was underlined by a survey of IA08 delegates conducted by content security providers Clearswift, which revealed a wide gap between the current situation and what is needed for IA to succeed.
    
Stephen Millard, vice-president Marketing at Clearswift, said: “We are hardwired to believe that security is a technical issue rather than a business issue. Only by taking action at board level can IA increase. It’s about process and culture. IA must be hardwired into an organisation’s make up.”
    
The event also heard from John W. Thompson, Chairman and CEO of Symantec, the global protection software group. In his speech delivered by John Turner, Symantec’s vice-president EMEA, he said better software was key to effective Information Assurance – and the IT industry was picking up that challenge.
    
But he warned that a new approach was needed to IA, which placed information at the heart of an organisation’s attitude to security.
    
“Ensuring Information Assurance isn’t just about layering on security solutions. We need to embed Information Assurance into day-to-day business and that means we all need to focus on building better software,” he said in a speech entitled ‘Taking an Information-Centric Based Approach to Security’.
    
“After all, we rely on software every day for our daily operations and business processes. The bottom line is: You can’t secure what you don’t manage.”

Loss of data
Data breaches were also on the increase, he added. Theft or loss of portable devices was now the most common cause, accounting for nearly 60 per cent of cases reported to Symantec during the last six months of 2007.
    
“Time is of the essence. We need to move quickly to protect information because right now, too many organisations across the world are leaking critical data like a rusty bucket. And it’s costing real money,” Mr Thompson said.
    
During his speech Mr Suffolk looked at the ‘human challenge’ of getting public sector employees to adopt good IT practice, illustrating his point by citing a series of motoring commercials such as drink-driving, 30mph speed limits and the Green Cross Code as examples of behaviour change campaigns.
    
He then looked at five interlinked strands of focus that are at the heart of adopting good IA practice, ranging from awareness, understanding and education to the development of the IA community, applying standards and rules to monitoring compliance and learning.
    
He emphasised the approach was to create clarity in what is acceptable in terms of IA, providing clear, simple governance and encouraging broad involvement and action. There is serious recognition in Government of the need for change and that the challenge has been set to drive ‘to the best IA holistic capability’.
    
He concluded saying that: “Our emerging action plan, requirements and governance position must now place IA as a top agenda item for all public sector bodies.”

In the real world
Case studies were used to show delegates how different organisations were tackling IA, including one exploring how the Department for Work and Pensions reacted to the loss of HMRC data last October.
    
Chris Bywater, Head of Business Continuity and Security at the DWP, said the issue had presented major challenges for all government departments – but the lessons learnt had led to a greater understanding of the importance of IA and a re-focusing of secure data handling.
    
In another case study presentation, Paul Gray, Director, Change and Corporate Services at The Scottish Government, shared its journey from pre- to post-DHR.
    
Serious leadership challenges, including a new level of openness across the organisation, were overcome to successfully adopt the data handling review (DHR) in Scotland, he said.
    
The Scottish Government had decided to adopt the DHR and use its introduction as a way of bringing about a high level of change in the organisation’s approach to Information Assurance.

Working with industry
Four break-out streams and a number of panel discussions and debates at IA08 looked at issues as diverse as collaboration between Government and industry in IA, creating cultural change in organisations, future product and service delivery and enabling future capability.
    
High-profile speakers, facilitators and chairmen at these sessions were drawn from Whitehall, Westminster, industry and academia and included Andrew Bull, Head of Infrastructure & IT Security Strategy & Architecture at HM Revenue & Customs, Roger Styles, Deputy Director, Central Sponsor for Information Assurance at the Cabinet Office, Lord Toby Harris, Steve Nowell, Director Business Protection at Nationwide Building Society, John Cridland, Deputy Director General of the CBI, Debi Ashenden, Senior Research Fellow at Cranfield University’s Defence Academy of the UK, Dougie Rowlinson, a consultant to Cabinet Office, John Widdowson, Director IA at GCHQ, and MP Alun Michael who chairs the UK Internet Governance Forum and the UK Internet Crime & Disorder Reduction Partnership.
    
Delegates also got the chance to quiz the keynote speakers and stream chairmen by using electronic ‘tablets’ – one on each table in the main conference hall – into which they could type questions. These were read out by conference facilitator and Radio 4 Today programme presenter Edward Stourton. His co-presenter John Humphrys spoke at the event’s gala dinner.

Greater momentum
Summing up IA08 in his concluding remarks, Sir David Pepper said it had shown that while much had been achieved since 2007’s conference, there was still much to do.
    
The data breaches of the past six months had dramatically altered the landscape but had given IA greater momentum and it was now even more important that those at the very top of their organisations, whether government departments or private companies, brought about the changes needed.
    
He identified the need for a change in culture in organisations to ensure IA was put at their very heart – but there needed to be a balance between security and usability.
    
Throwing down the gauntlet for the industry, he added: “I’m absolutely clear that change won’t happen unless it is led from the very top.”
    
IA08 took place 17 & 18 June 2008 at the Park Plaza Riverbank Hotel, London.
