The curious case of Enda and the Technology
Enda Kenny found himself slightly ambushed on the news last night (6-One News on RTE) by Bryan Dobson. At the end of a segment about the trials and tribulations of Brian Cowen, Enda was asked about the problems that have befallen the FG website.
Enda’s response was telling on a number of fronts.
- He indicated that the FG site had been implemented because he’d been impressed by a to the European People’s Party (Maman Poulet wrote about that a while ago).
- He indicated that they were looking into moving the site to an Irish host.
- He stated that he was not competent in the technology.
- He stressed that “40 young people” were being trained in these new technologies in FG HQ, which would add to their CVs.
In short… FG are focusing on the technology. This is exactly the point I was trying to make in my first post about the need to set “the tone at the top” and ensure that the values expressed in that tone cascade down the organisation and are expressed and executed through effective governance.
By focusing on the technology rather than the effective governance of the information (in a way that would support their objectives and their brand), it seems FG have got tunnel vision on a particular technology and missed the point completely.
Indeed, back in 1999, Peter Drucker wrote that:
So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the “T” in IT.
The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?
FG may have had a purpose (to listen, and to build a mailing list) but they don’t appear to have considered what it means to gather personal data, particularly SENSITIVE personal data.
In this context, Enda and the leadership of FG are not being asked to suddenly become PhD level experts in all aspects of Information Security and Web design. What they are expected to do is apply reasonable levels of due diligence to ensure compliance with the law of the land and the standard of care that is expected of organisations who process Sensitive Personal Data.
Organisations like, for example, the Civil Service, who have produced very clear guidelines on the processing of personal data and the standards of care that must be exercised. Those guidelines are very explicit in a number of sections about the importance of encrypting sensitive data when it is being transferred. For example, in relation to transfer of personal data by email the guidelines say:
1. Standard unencrypted email should never be used to transmit any data of a personal or sensitive nature. Departments that wish to use email to transfer such data must ensure that personal or sensitive information is encrypted either through file encryption or through the use of a secure email facility which will encrypt the data (including any attachments) being sent. The strongest encryption methods available should be used. Departments should also ensure that such email is sent only to the intended recipient.
So, if FG become the leaders of the next Government, will it be a case of the Executive arm telling the Civil Service “Do as we say, don’t do as we do?”
That is what I mean by SETTING THE TONE FROM THE TOP.
Given the comments in the Evening Herald yesterday, apparently from the hackers who attacked the FG website, that the web-designers who built the FG website had left various passwords set to their defaults, my attention is drawn to the comments in the Civil Service Guidance Notice in relation to passwords.
In the context of mobile devices (like phones), the Guidance explicitly states that
Manufacturer or operator-provided PIN codes must be changed from the default setting by the user on receipt of the device.
So, default settings aren’t allowed for security reasons in the Civil Service on devices as commonplace as mobile phones. In relation to databases and other devices, the guidance says:
Passwords used to access PCs, applications, databases, etc. should be of sufficient strength to deter password cracking or guessing attacks.
A reasonable implication here is “don’t leave it at the default settings”.
If it is good enough for the Civil Service, why not good enough for Fine Gael?
Enda tried to make a big noise about the “40 young people” who were getting training in the technology. It is very far-reaching to teach young people (how old are they?) how to use Social Networks and Twitter.
What would be more far-reaching would be to ensure that all levels of the FG organisation received appropriate training in Data Protection principles and practice and that, rather than instilling a technocratic focus in the culture of the organisation, FG began the process of inculcating an info-centric culture that put the meaning, purpose, and value of Information at the heart of their strategy.
That info-centric culture would need to extend beyond flashy websites to the mundane matters of organisational governance, control, and accountability for information that the Party organisation processes, whether it is on the web, by email, or on paper.
A beneficial by-product
A by-product of such a culture change (and it would need to be an actual change, not just more banal lip-service) might be that we would get, perhaps for the first time, the articulation of what a “Knowledge Economy” might actually be, expressed in terms that might echo the sentiments of Peter Drucker over a decade ago, that wouldn’t descend into babbling and burbling about technologies which, by his own admission, Enda isn’t competent to talk about.