Friday, 27 November 2009

Blond sensation’s message for IT security

Out of nowhere this month there erupted onto the media stage the figure of Phillip Blond, until recently an unnoticed lecturer in theology at the University of Cumbria, now installed as “Philosopher King” of the Tory party, guru to David Cameron, and founder of a new think tank called ResPublica.
Armed with a social theory called “Red Toryism” (a bit of a cocktail out of Edmund Burke, Michael Oakeshott and Catholicism) Mr Blond believes he has the right prescription to fix Britain’s so-called “broken society”, but first, he wants to tell us what’s gone wrong.
He writes pungently. In an essay called The Ownership State he denounces the modern economy’s fixation with:
“...a purely market driven approach, whose domination of the speaking parts [in the corporate narrative] is so complete that in the middle of the greatest management meltdown in history, management responsibility for the financial crisis is entirely shielded from question. Resource allocation, risk, product design, accounting, reward and governance: the visible hand of the financial and banking sector ham-fistedly got every single aspect of management wrong. Yet not only is there no investigation, no critique and no alternatives on offer to the model that has got us here; the same model that caused the crash is now expected to get us out of it again.”
And again:
“In the market sector, Wall Street and the City of London are full of firms staffed by people with the highest academic and business qualifications who are collectively so witless that they have not only burned their own houses to the ground but almost brought down the whole edifice of capitalism.”
“Discuss,” as the exam questioners say; but during the course of the 40-odd pages of Mr Blond’s essay, some other observations resonated because they seemed to bear closely on the subject of Internet Security, and the reasons why experts consistently fail to convince the laity to understand online safety and take it seriously (to repeat a shocking statistic: 98 per cent of UK office workers do not see the protection of corporate electronic data as their responsibility).
At the heart of contemporary enterprise Mr Blond perceives that those in command make “pessimistic assumptions” about human behaviour which lead them to devise ever more exhaustive systems of prescription and regulation; these in turn, “by emphasising formal controls perversely make organisations less adaptable, more stupid... a system that overemphasises knavish motives – through crass incentives or rigid targeting – will accentuate them. Or to put it another way, since you get the behaviour you plan for, treating workers like knaves makes them more likely to act like knaves.”
Treating them like idiots, equally, will make them behave more idiotically. But treat them like idiots is what, in my experience, IT security experts generally do to their inexpert clients inside the organisation.
What Mr Blond proposes is a transfer of power, trust, responsibility and reward away from managers and regulators and back to the troops in the front line: to the neighbourhoods, actual and metaphorical, where the living is real, raw and anxious and has material percussion and repercussion.
It seems to me that the critical task as we enter 2010 and develop our plan to “build the human firewall” is to find ways to open up the world of security and effect this transfer and empowerment; to stop delivering sermons and patches and find ways to help the inexpert, collectively (albeit with guidance), to teach security to themselves and each other.
Elsewhere, Mr Blond bemoans the fact that modern capitalism has obliterated “the great intermediary institutions of British life and the non-professional contributor” – all the voluntary, civil associations through which individuals once acquired and shared knowledge and exercised influence.
But is that quite true? Aren’t new “intermediary institutions,” albeit virtual ones, emerging via Facebook, Twitter, LinkedIn and all the other varieties of social media?
And are there clues there to the way staff empowerment could be achieved? In order to create, in Mr Blond’s phrase, “a structure where peer-to-peer motivation builds ethos and expertise and replaces vertical sanction”? It would be useful to start a dialogue.
