<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: partys]]></title>
    <link>http://securityratty.com/tag/partys</link>
    <description></description>
    <pubDate>Tue, 15 Jul 2008 11:25:12 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Lords debate Personal Internet Security]]></title>
      <link>http://securityratty.com/article/e68b4f70acd9eac9c340126b268863eb</link>
      <guid>http://securityratty.com/article/e68b4f70acd9eac9c340126b268863eb</guid>
      <description><![CDATA[Last Friday the House of Lords debated their Science and Technology Committee's report on Personal Internet Security (from Summer 2007) and because the Government's response was so weak the additional...]]></description>
      <content:encoded><![CDATA[<p>Last Friday the House of Lords <a href="http://www.publications.parliament.uk/pa/ld200708/ldhansrd/text/81010-0006.htm#08101048000005">debated</a> their Science and Technology Committee&#8217;s report on <a href="http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf">Personal Internet Security</a> (from Summer 2007) and &#8212; because the Government&#8217;s response was so weak &#8212; the <a href="http://www.publications.parliament.uk/pa/ld200708/ldselect/ldsctech/131/131.pdf">additional follow-up report</a> that was published in Spring 2008. Since I had acted as the specialist adviser to the Committee, I went down to Westminster to sit &#8220;<a href="http://www.parliament.uk/about/glossary.cfm?ref=belowth_5748">below the bar</a>&#8221;, in one of the best seats in the House, and observe.</p>
<p><a href="http://www.theyworkforyou.com/peer/lord_broers">Lord Broers</a>, the Committee Chairman during the first inquiry, kicked things off, followed by various Lords who had sat on the Committee (and two others who hadn&#8217;t), then the opposition lead, Viscount Bridgeman, who put his party&#8217;s point of view (of which more in another article). Lord Brett (recently elevated to a <a href="http://en.wikipedia.org/wiki/Lord-in-Waiting">Lord in Waiting</a> &#8212; i.e. a whip) then replied to the debate, and finally Lord Broers summarised and formally moved the &#8220;take note&#8221; motion which, as is custom and practice, the Lords then consented to <em>nem con</em>.</p>
<p>The Government speech in such a debate is partially pre-written, and should then consist of a series of responses to the various issues raised and answers to the questions put in the previous speeches. The Minister himself doesn&#8217;t write any of this, that&#8217;s done by civil servants from his department, sitting in a special &#8220;box&#8221; at the end of the chamber behind him.</p>
<p>However, since the previous speeches were so strongly critical of the Government&#8217;s position, and so many questions were put as to what was to be done next, I was able to see from my excellent vantage point (as TV viewers would never be able to) the almost constant flow of hastily scribbled notes from the box to the Minister &#8212; including one note that went to Lord Broers, due to an addressing error by the scribblers!</p>
<p>The result of this barrage of material was that Lord Brett ended up with so many bits of paper that he completely gave up trying to juggle them, read out just one, and promised to write to everyone concerned with the rest of the ripostes.</p>
<p>Of course it didn&#8217;t help that he&#8217;d only been in the job for five days and this was his first day at the dispatch box. But the number of issues he had to address would almost certainly have flummoxed a five-year veteran as well.</p>
<p>Amusing though this might be to watch, this does not bode well for the Government getting to grips with the issues raised in the reports. In technical areas such as &#8220;Personal Internet Security&#8221;, policy is almost entirely driven by the civil servants and not by the politicians.</p>
<p>So it is particularly disappointing that the pre-written parts of the Minister&#8217;s speech &#8212; the issues that the civil servants expected to come up and which they felt positive about addressing &#8212; were only a small proportion of the issues that were actually addressed in the debate.</p>
<p>It still seems as if the <a href="http://i.abcnews.com/2020/story?id=3131332&#038;page=1">penny hasn&#8217;t dropped</a> in Whitehall.</p>
]]></content:encoded>
      <pubDate>Mon, 13 Oct 2008 18:57:12 +0000</pubDate>
      <category domain="http://securityratty.com/tag/personal internet security">personal internet security</category>
      <category domain="http://securityratty.com/tag/lord">lord</category>
      <category domain="http://securityratty.com/tag/lord broers">lord broers</category>
      <category domain="http://securityratty.com/tag/lords">lords</category>
      <category domain="http://securityratty.com/tag/civil servants">civil servants</category>
      <category domain="http://securityratty.com/tag/box">box</category>
      <category domain="http://securityratty.com/tag/lord brett">lord brett</category>
      <category domain="http://securityratty.com/tag/dispatch box">dispatch box</category>
      <category domain="http://securityratty.com/tag/issues">issues</category>
      <source url="http://www.lightbluetouchpaper.org/2008/10/13/lords-debate-personal-internet-security/">Lords debate Personal Internet Security</source>
    </item>
    <item>
      <title><![CDATA[Compliance is critical]]></title>
      <link>http://securityratty.com/article/f9e6a1ed8ea821315352703bf1470fb1</link>
      <guid>http://securityratty.com/article/f9e6a1ed8ea821315352703bf1470fb1</guid>
      <description><![CDATA[Compliance has been getting a bad rap lately, and I'm here to set the record straight... compliance is CRITICAL.
Now, those of you who know me are probably picking your jaws up off the floor and asking...]]></description>
      <content:encoded><![CDATA[<p>Compliance has been getting a bad rap lately, and I’m here to set the record straight&#8230; compliance is CRITICAL.</p>
<p>Now, those of you who know me are probably picking your jaws up off the floor and asking whether I’ve suffered a stroke, have started drinking heavily, or have a gun pressed to my temple by a regulator or someone from the PCI lobby.  Nope.  I still have my full mental faculties (such as they are), and I make the statement without duress &#8212; however&#8230;</p>
<p><strong>There’s compliance, and then there’s compliance</strong></p>
<p>As usual, our profession tends not to be specific in its use of terms, which sets us up for confusion, inconsistency, and a host of other problems.  When I say “compliance is critical”, I don’t mean compliance with some external standard like PCI, ISO, or some hypothetical “best practice”.  I mean compliance with an organization’s own policies and standards.  Compliance with external standards has its place too (unfortunately), but we’ll pick that up in another post.</p>
<p><strong>Think about it&#8230;</strong></p>
<p>In most cases, if an organization were completely, 100% compliant with its own policies and standards, it would almost certainly have a much lower level of risk exposure than most other organizations.  In fact, in many cases a 100% compliant organization would be too secure to operate effectively.  In other words, the more significant problem typically isn&#8217;t how strong a policy is; it&#8217;s the variance from the intended/desired state that the policy describes.</p>
<p><strong>In a perfect world&#8230;</strong></p>
<p>The illustration below is intended to represent a “perfect world” condition, where all of the assets/systems/whatever are compliant with an organization’s policies/standards.  It also reflects the fact that there is no perfect security, and that the organization has wisely established its policies/standards with an acceptance of some degree of vulnerability (and thus, risk).</p>
<p><img src="http://www.riskmanagementinsight.com/media/images/weblog/variance1.jpg" alt="" /></p>
<p><strong>The real world tends to be much different </strong></p>
<p>The illustration below represents a more likely condition, where controls applied to a population of assets/etc. tend to vary from what policy calls for.  It also reflects the effect that has on vulnerability, which in turn affects risk.</p>
<p><img src="http://www.riskmanagementinsight.com/media/images/weblog/variance2.jpg" alt="" /></p>
<p><strong>But we knew this already, right?</strong></p>
<p>Yes, it&#8217;s true that 99.9% of us already know that variability exists and that it’s bad from a risk perspective &#8212; so what’s my point?  My point is that variance is one of the most important risk-related metrics we have available to us.  Here’s why&#8230;</p>
<p>As we see from the illustration above, variance from policy can be a strong indicator of an organization’s risk exposure.  At the same time, it’s also a marvelous indicator of an organization’s ability to manage risk (i.e., decision making capabilities and/or the ability to execute against decisions).  A little root cause analysis of a highly variant asset population can provide critical insights into what’s not working, which can lead to far more cost-effective risk management measures.</p>
<p>One example of where this could be applied is in the evaluation of a third party’s risk posture.  Rather than send a 60-page questionnaire, why not evaluate the organization’s compliance with its own policies across a cross-section of its information risk landscape?  I submit that it would provide a more accurate and useful picture of risk exposure and risk management capabilities than the typical questionnaire, at less cost/effort to both parties.</p>
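<p>To make the "variance as a metric" idea concrete, here is an added example (not the author's code or tooling) that scores a constructed asset inventory against a constructed policy baseline: it reports the variance rate per control and per owning team, and then flags the (owner, control) pairs where every one of a team's assets fails the same control, since a team-wide miss is more likely a process or tooling problem than a one-off and is where root-cause analysis pays off.  All control names, thresholds and asset records below are made up for illustration.</p>

```python
"""Variance from an organization's own policy, measured over an asset population.

Added illustration of the 'variance as a risk metric' idea; not code from the
original post. POLICY and ASSETS are constructed sample data.
"""
from collections import defaultdict

# Constructed policy baseline: control -> required state. Note the policy
# deliberately accepts some residual risk (a 30-day patch window, not 0 days),
# matching the "perfect world still has some vulnerability" point above.
POLICY = {
    "patch_age_days_max": 30,
    "mfa_required": True,
    "disk_encryption": True,
    "password_min_length": 14,
    "log_forwarding": True,
}

# Constructed inventory: one record per system with its observed state.
ASSETS = [
    {"id": "web-01", "owner": "platform", "patch_age_days": 12, "mfa_required": True,
     "disk_encryption": True, "password_min_length": 16, "log_forwarding": True},
    {"id": "web-02", "owner": "platform", "patch_age_days": 45, "mfa_required": True,
     "disk_encryption": True, "password_min_length": 16, "log_forwarding": True},
    {"id": "db-01", "owner": "data", "patch_age_days": 60, "mfa_required": True,
     "disk_encryption": True, "password_min_length": 14, "log_forwarding": False},
    {"id": "db-02", "owner": "data", "patch_age_days": 40, "mfa_required": True,
     "disk_encryption": True, "password_min_length": 14, "log_forwarding": False},
    {"id": "laptop-01", "owner": "corp-it", "patch_age_days": 5, "mfa_required": True,
     "disk_encryption": False, "password_min_length": 14, "log_forwarding": True},
    {"id": "laptop-02", "owner": "corp-it", "patch_age_days": 9, "mfa_required": True,
     "disk_encryption": True, "password_min_length": 14, "log_forwarding": True},
]


def check_asset(asset, policy=POLICY):
    """Return the set of controls on which one asset deviates from policy."""
    failures = set()
    if asset["patch_age_days"] > policy["patch_age_days_max"]:
        failures.add("patch_age_days_max")
    if asset["password_min_length"] < policy["password_min_length"]:
        failures.add("password_min_length")
    for ctrl in ("mfa_required", "disk_encryption", "log_forwarding"):
        if asset[ctrl] != policy[ctrl]:
            failures.add(ctrl)
    return failures


def variance_report(assets, policy=POLICY):
    """Variance rates (0.0 = fully compliant): overall, per control, per owner."""
    per_control = defaultdict(int)
    owner_total = defaultdict(int)
    owner_failing = defaultdict(int)
    non_compliant = 0
    for asset in assets:
        failures = check_asset(asset, policy)
        owner_total[asset["owner"]] += 1
        if failures:
            non_compliant += 1
            owner_failing[asset["owner"]] += 1
        for ctrl in failures:
            per_control[ctrl] += 1
    n = len(assets)
    return {
        "overall": non_compliant / n,
        "per_control": {ctrl: per_control[ctrl] / n for ctrl in policy},
        "per_owner": {o: owner_failing[o] / owner_total[o] for o in owner_total},
    }


def systemic_gaps(assets, policy=POLICY):
    """(owner, control) pairs where every asset that owner runs fails the control.

    These are the root-cause candidates: a whole team missing one control points
    at a broken process (e.g. an agent never deployed), not at individual hosts.
    """
    by_owner = defaultdict(list)
    for asset in assets:
        by_owner[asset["owner"]].append(check_asset(asset, policy))
    gaps = []
    for owner, failure_sets in by_owner.items():
        for ctrl in policy:
            if all(ctrl in failures for failures in failure_sets):
                gaps.append((owner, ctrl))
    return sorted(gaps)


if __name__ == "__main__":
    report = variance_report(ASSETS)
    print(f"overall variance: {report['overall']:.2f}")
    for ctrl, rate in sorted(report["per_control"].items(), key=lambda kv: -kv[1]):
        print(f"  control {ctrl:22s} variance {rate:.2f}")
    for owner, rate in report["per_owner"].items():
        print(f"  owner   {owner:22s} variance {rate:.2f}")
    print("systemic gaps:", systemic_gaps(ASSETS))
```

<p>Run on the sample data, two thirds of the assets deviate somewhere, patching is the single worst control, and the data team fails both patching and log forwarding on every host it owns, which is the kind of finding a questionnaire answer of "we have a patch policy" would never surface.</p>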
]]></content:encoded>
      <pubDate>Tue, 15 Jul 2008 11:25:12 +0000</pubDate>
      <category domain="http://securityratty.com/tag/organizations risk exposure">organizations risk exposure</category>
      <category domain="http://securityratty.com/tag/risk exposure">risk exposure</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/affects risk">affects risk</category>
      <category domain="http://securityratty.com/tag/compliance">compliance</category>
      <category domain="http://securityratty.com/tag/ability">ability</category>
      <category domain="http://securityratty.com/tag/organizations ability">organizations ability</category>
      <category domain="http://securityratty.com/tag/organizations">organizations</category>
      <category domain="http://securityratty.com/tag/partys risk posture">partys risk posture</category>
      <source url="http://riskmanagementinsight.com/riskanalysis/?p=369">Compliance is critical</source>
    </item>
  </channel>
</rss>
