Enisa gives birth to a monster

The EU's security task force, Enisa (European Network and Information Security Agency) has just released a new 600 page document, designed to provide an overview of the 'state of the art' in network and information security (NIS) in each of the 27 European member states.

Now, some of the more cynical readers of this blog may be thinking 'so what?', and to be honest, a 600 page document designed to categorise and map all of the major NIS stakeholders and their mutual relations in each member state, is probably not going to set the pulse racing.

Enisa, which was formed around three years ago now, has sometimes come in for a bit of criticism in security circles for being too bureaucratic, not reactive enough and generally a little ineffectual. Yet it has undertaken some important research in the past and, a bit like the EU itself, it likes to think of itself as more of a coordinator, an overseer and a bringer together of disparate groups.

So what of the Country Reports document? Well, it found that NIS institutions vary substantially from country to country, with the most important actors for implementing NIS policies being governmental organisations. No prizes for guessing that, although it is interesting to hear what the European agency has to say, objectively, about the UK.

We are highly developed in our e-government services and household broadband usage, according to the report, and we come top when it comes to percentage of online buyers, but the percentage of our population with internet skills is alarmingly low; in ninth place behind countries like Hungary.

And now the interesting bit. What then follows in the report is a flow chart of mind-boggling complexity, attempting to show the interrelationships between all the key stakeholders in the sphere of NIS.

The Home Office, the Information Commissioner's Office, the Serious Organised Crime Agency (SOCA), the Department for Business Enterprise and Regulatory Reform (BERR), the Information Assurance Policy and Program Board (IAPPB), the Chief Information Officer Council, The Communications-Electronics Security Group (CESG), The United Kingdom Computer Emergency Response Team (UK-CERT), The Communications-Electronics Security Group (CESG) and The United Kingdom Computer Emergency Response Team (UK-CERT) are all mentioned.

Surely there's no clearer sign of our overly bureaucratic approach to network and information security than this. We're often thought of as a European leader in terms of the maturity of our security market, but surely some serious thought has to go into streamlining and consolidation such bodies if the UK is to truly hold itself up as an example to others..