/v3-uk/analysis/2009093/summit-interview-deloitte-discusses-security-implications-deluge
12 Nov 2009, Phil Muncaster, V3
V3.co.uk: How do you think the problem of information
overload has contributed to poor information security?
Mike Maddison: It’s been a fairly recurring theme of the past few
years. A few years ago it was all about availability, with worms taking down
networks. More recently, it’s shifted to confidentiality of information and
organisations realising that information has an intrinsic value and is being
targeted by groups. We’ve worked with every sector looking at information
protection, and we’ve found in all sectors a huge amount of information has been
retained, and duplicated within organisations, often for good reasons, and some
of that information could be considered sensitive. So there has been a growth in
retention of information often without any information governance strategy.
But are organisations getting there now?
MM: Yes – now there’s a recognition, and not just a technical
one by IT, but a board level agenda. It’s driving interesting behaviours in
organisations, because it’s happening higher up the food chain than previously.
I’m optimistic because there’s a recognition that information security needs to
be embedded in the day-to-day running of the business. The role of information
protection is more visible too, as is the role of risk management. You just have
to look at the number of CISO [chief information security officer] roles at a
senior reporting level that there are now.
What is driving a greater awareness of information protection?
MM: The PCI Data Security Standard has done a lot to
raise awareness among organisations that haven’t necessarily invested in
security before. It has added to the whole tone and tenor of what people need to do
about data protection. There are large-scale privacy initiatives in a number of
organisations now, whether it has been driven by the Financial Services
Authority (FSA), the Data Protection Act or PCI. But there is still a challenge
they face in understanding what information they hold – this is not just
sensitive personal information either but corporate information – and where it
flows out to the extended enterprise. It’s a big problem.
Why have security incidents still been happening, even with all the
publicity they’re getting?
Steve Cummings: I think with organisations it’s
possible that the people who work with the data don’t recognise the value and
importance if they deal with the stuff every day. They take it for granted and
that needs to be recognised internally – organisations must put programmes in
place to ensure the people who work there do recognise this. We’re seeing a kind
of stick and carrot approach being adopted by many, so they will reward good
behaviour with data and also enforce a system of compliance to make it clear
that if something is done in the wrong way there will be consequences.
So education is the most important aspect?
MM: Yes, the right processes and technologies should underpin
it but there needs to be an education piece embedded in the day-to-day
operations. Unfortunately, the credit crunch has probably had an impact on that.
Where organisations fail is when they do a one-off shot, especially on the
awareness piece. If it’s not embedded and doesn’t happen on a regular basis
they’re setting themselves up to fail.
SC: Most responses to government data breaches have been about cultural change, because the technology is already in place there. It’s about getting everyone at the right levels to understand this and act responsibly.
Are government attempts at improving information security suffering
because it can’t get hold of experts in data protection, risk management and
associated disciplines?
SC: It depends. There are government departments that have no
trouble recruiting extremely capable people. If you’re recruited to deal with
risk management you’re likely to come in higher up and the public sector is
prepared to pay the appropriate salaries. Government has recognised, with the
setting up of the Office of Cybercrime, that there is not a big enough pool of
people around nationally, and that needs to be addressed. I’m not sure if it’s a
case of a public/private sector split.
Is the Data Protection Act working?
MM: When it was first brought in there was a perception of it as tick
box compliance – it didn’t help protect information but more the way information
was being used in marketing, and so on. That has shifted now though, and the
Information Commissioner's Office is making people aware of it. Where that goes
in the future I’m not sure, but it is having an effect. It’s all part of the
evolution into the technology age. IT was the plumbing, a bunch of tins and
wires, but now we’re in the information age where information flows across all
sorts of boundaries.
SC: Organisations recognise the risks more now. Some years ago there was a tendency to say if we can collect we will, and we’ll think about how to use that information later. You don’t encounter that mindset at all now though because of the risks.
Should we still be afraid of big centralised government databases
though?
SC: I’m not sure how many people actually have those fears. It’s not to
say they aren't correct, but I’ve never met anyone who has been upset by it.
Some people will give supermarkets their life story for a box of chocolates.
Maybe it's a case for a lot of people that they rarely suffer the consequences
of any government data loss.
But aren’t people more happy to give up some privacy if they’re
getting something in return? When faced with government data losses they don’t
think they’re getting anything in return.
SC: The government is collecting data so it can provide them with more
effective services. The citizen is getting something in return. No one is
collecting all of this stuff just for the sake of it. You can be sure that the
speed of the progress in transforming government processes is being slowed down
by recognition of security issues.
Should decentralisation be the way forward then?
MM: There are likely to be problems with information quality in
this scenario. The problem in an info-centric society is that quality is as much
of an issue as confidentiality. When you start putting stuff in the cloud it has
huge implications for security. Whatever happens in future though, security will
be intrinsically part of the way things are managed.