Another swallow flew by, but who was looking ?

January 12, 2008

Since posting "Privacy gains attention over the Christmas New Year break. Does a swallow or two make a Spring?", there has been another swallow of sorts.

But not everybody has been watching or maybe it is typical Spring weather.

First, the swallow. In "Ten digital trends to watch out for in 2008" at, Prediction No 2 was that "Privacy will continue to be a sensitive issue" after a Facebook user was banned for exporting his "friends'" data without their permission to his address book at Plaxo. But Prediction No 9 was that "Behavioural targeting will become more widespread – and something which is expected". This won't please everybody interested in their privacy, as became clear at the US Federal Trade Commission's "Town Hall" meeting entitled "Ehavioral Advertising: Tracking, Targeting, and Technology".

But are folks listening?  Have a look at "Global TMT companies treading water when it comes to security and privacy", released by Deloitte on 7 January. 

Their cautious conclusions included the observation that

"According to the survey, a small percentage … (17%) …" of privacy officers in Technology, Media & Telecommunications companies report to the CEO or Board.  This suggested "that many of the surveyed TMT companies do not view privacy as a strategic business issue."

Deloitte goes on to observe, though, that

"Yet the privacy issue seems to be growing in importance.  According to the survey, many TMT companies (44 percent) acknowledge that their privacy program is just starting to get staffed and organized." 

They also remark that influential drivers with respect to privacy include reputation & brand, regulation, potential liabilities and information sharing with affiliates & other third parties.

Let's be charitable:  Like any Spring, it would seem that the weather is a bit unpredictable.


Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information.



  1. StephenWilson

    January 13, 2008 at 7:07 am

    Privacy movement deja vu

    Just to focus on one aspect of Malcolm's interesting post: the percentage of privacy officers that report to the CEO or Board.

    Regardless of the actual number, Deloitte's interest in privacy officers' reporting lines has worrying echoes from the Quality Movement of the 1990s, as well as trends in the Information Security sector subsequently. In both of those domains, methodologies became more and more formulaic. It was thought that one important predictor of quality or security would be the reporting lines of the quality assurance and security middle management. Indeed, nowadays, if a company's CSO doesn't sit on the Executive Committee and report to the CEO or better still, the Board itself, then aspersions may automatically be cast upon the organisation's commitment to the task.

    It's clearly a good idea for top level management to commit to quality, security and privacy, but I hope that Deloitte doesn't see the reporting line in and of itself as a Critical Success Factor.

    Perhaps my response to a little note about reporting lines is drawing a long bow, but …

    I dread the repeat in privacy of the robotic, document-driven, audit-intensive approach that defined and killed the Quality Movement and which now afflicts almost all orthodox Information Security.

    There is an elephant in the room: Compliance. No matter that we might all agree that "Privacy is good for business" — like "Security is good for business" and "Quality is good for business" — the fact remains that complying with orthodox privacy/security/quality regimes entails major overheads. Moreover, the only method in orthodox X-regimes available to improve X is to create ever more detailed documents (standards, codes, policies, processes, procedures, work instructions ad infinitum …) and submit to ever more detailed audits. Compliance demands measurement; the only way to measure business processes is to document them and audit against them; the only way to "increase" compliance is to increase the documents and the audits.

    This is not an overly cynical view. Five years in an ISO 9001-obsessed industry in the 90s, followed by 12 years in information security has shown me countless audits in which the dominant findings were that such-and-such a process was not properly documented, or not being properly measured. The auditors' principal mode of work is to come back every 12 months to check if the documents and metrics found to be missing on their last visit have since been written, tracked and posted on the intranet. This sort of cycle is deeply robotic; it can border on brain dead. Most of us have probably experienced the sheer inanity of an audit when the auditor is brand new, has no understanding of the business and is simply re-tracing last year's report, and when the staffers are also new and are reading, often for the very first time, the documents written by their predecessors.

    The truth of course is that businesses hate compliance. What rational organisation wouldn't try to minimise their expenditure on policies and procedures and audits, especially when it's really hard to see how spending time and money on policy documents improves the bottom line? Let's be honest: the links between compliance and the bottom line — in unregulated industries — must be tenuous, subtle, controversial or frankly marginal. Otherwise we wouldn't need to read breathless Harvard Business Review articles on the topic, for it would be obvious to the most junior staff!

    What worries me in security and privacy is that most approaches eerily mimic ISO 9001 (although it's great to see greenfield efforts like the Privacy & Trust Partnership taking a fresh look at the challenges).

    I wonder if the deep problem in so many orthodox approaches is that they treat Management as if it has an underlying algorithm: a repeatable procedure or recipe that can be applied to solve each new Management problem.

    An algorithm takes a fixed set of inputs, weights them, combines and processes them in a step-wise fashion, and spits out an answer. For instance, most security Threat & Risk Assessments are conducted as algorithms: there is a fixed set of inputs (known threats, their probabilities and their impacts) and there is a single formal output for each threat: "Fix now", "Fix later" or "Don't worry". If each TRA was started with a blank sheet of paper, and a genuine effort was made afresh to discover the real threats, then that would be great. But in reality most TRAs are cut-and-paste from the last TRA; few if any fresh inputs are considered. And even if an effort is made to look diligently for new threats, scant regard may be given to the philosophical problem of not knowing what you don't know. It's impossible to tell if there is a threat that has been missed, yet we kid ourselves that TRAs give conservative answers.

    Logicians have long known that there exist very simple problems for which there are no algorithms. For instance, there is no algorithmic solution to the "Stopping Problem" in Computer Science (that is, no computer program can be written that will tell us if another program, given as input, will ever stop). Similarly, there is no efficient algorithm for the "Travelling Salesman" problem (how to work out the shortest route for visiting every town connected by an arbitrary network of roads).

    So it should not surprise us that in human affairs, there is probably no algorithm for Management! We really should temper our expectations that organisations will automatically benefit from adopting standards, writing policy documents, auditing our compliance with those documents, and continuously writing new ones.

    "Quality is dead", thanks to the mechanistic naivety of the Total Quality Movement. And I for one see the writing on the wall for the Information Security industry in its current form, where the only thing better than ISO 17799 is ISO 27001, as if standards intrinsically weave magic (if we wish security practitioners to innovate, analyse, think, maybe we need fewer standards, not more). But it's not too late to change our approach to privacy fundamentally, with real innovation in how we gauge, value, control and trade personal information. The challenge is: How can we get businesses to take privacy seriously, rather than take compliance reluctantly?

    Stephen Wilson