It only takes a few minutes’ reading the Information Commissioner’s Office website before anyone with any experience of data protection and information security will have their head in their hands, asking themselves why so many organisations are leaving themselves open to public declarations about their security failings.
More significantly, with the huge number of publicised data leaks in the media, everyone in our sector should be well aware of the financial penalties an organisation can receive for serious data protection breaches, as well as the lasting damage to the organisation’s reputation.
This year alone, up to the start of June 2012, there have already been nine published financial penalty notices ranging from £70,000 to an eye-watering £325,000 for organisations that have failed to meet their data protection obligations.
The really interesting thing to note is that not one organisation receiving a penalty is in the private sector. So why are so many public sector organisations missing their targets on data protection while the private sector would appear to be handling the subject more successfully?
With our experience of working with and meeting with so many organisations in the housing sector, MET recognises a discernible pattern that could be the answer. Simply put, it is the ability to follow up and deploy the tools necessary to control data protection and protect sensitive information.
However, this does not appear to be down to private sector organisations having greater budgets to deal with data protection and security; it is more to do with the fact that damage to a commercial organisation’s reputation has the potential to ruin the business and therefore drives different behaviour.
This is where lessons can be learned by the housing sector. Private sector companies had to deal with security and data protection very early on and very aggressively, due to commercial and competitive pressures. They have paved the way for new techniques, services and products to address the challenges. What we now see is evidence of the pressure to address security and data protection growing within the housing sector, and taking a more business-like approach can only be beneficial.
One encouraging sign is the growing number of chief information security officers (CISOs) within housing providers; the role of CISO is typically a very senior position with a heavy board presence.
The responsibility of the CISO is not simply to direct the IT approach to security, but also to win the support of the business stakeholders – to get their buy-in to tackling security and data protection as an organisation-wide challenge rather than it being seen as solely the remit of the IT department.
By recognising the impact a CISO can have, housing providers are starting to move away from the ‘get by’ attitude and are bringing skilled people into the sector who are in tune with the expertise available in the market, who understand that there are partners who can provide the services and products required, and who can help organisations mature as security becomes an embedded way of working, rather than simply being bolted on.
When considering data protection and security within the housing sector, I am encouraged to see many providers making the effort to move in the right direction and would further encourage the momentum to drive this to the heart of the business. Ensuring that the business understands that it faces a greater risk from the ‘insider threat’ than from external hacking attacks will be critical to gaining support.
Adopting this approach will help the IT department ‘byte back’ and turn security into a widely-supported subject within the business rather than a widely ignored and misunderstood subject.
Kelvin McGlynn is business development manager for MET (Managed Enterprise Technologies).