They who must not be named…
3 years ago I attended a conference run by the Institute of Civil Engineers about digital within the Industry. Back then it was all about BIM, full of 3D models all rendered up nicely, and it even featured a fly through of the point cloud survey of Waterloo station set to the soundtrack of ABBA’s hit of the same name. There was one particular presenter, however, who stuck in my mind.
He was introduced as “Paul” from a “Security Organisation”; his conference programme mugshot was a silhouette, and we were banned from using social media throughout his presentation… I don’t think Paul was his real name.
His presentation started with a warning that there were 63 unprotected Bluetooth connections in the room and that one specific company had particularly worrying security settings – that certainly got the attention of the audience.
The “Security Organisation” he worked for had gotten wind that the construction industry were building incredibly detailed 3D models of nationally significant infrastructure assets, filling them full of information about how they operate and hosting these models on the internet.
To quote the speaker who may or may not have been called Paul: “anyone with hostile intentions can undertake reconnaissance and planning on nationally significant infrastructure without leaving their bedrooms” (Note: may not be a word-for-word quote – it was 3 years ago – but you get the gist!). Coincidentally, the team presenting the fly through of Waterloo station, and the Chinese delegation showing off the 3D model of one of their hydroelectric plants, shrank down in their seats a little.
Data is undoubtedly a very powerful asset for a number of reasons, and for those very reasons, those that create and use it (that’s all of us by the way!) need to adopt a certain level of security mindedness. There were a number of things that happened following that presentation including the addition of PAS1192-5 to the suite of BIM standards that covers how to address security mindedness in a BIM project.
At a #CyberSecurity session at the @ice_BIM #DigitalBuilt conference… great session but this is all we can show you.
— Casey D Rutland (@CaseyRutland) October 13, 2017
Back to the future…
3 years on, at the same annual conference held by the ICE (fewer 3D models this time!), I again found myself in a conference hall with a presenter who couldn’t give her second name and refused to allow photos of her on social media. I may have given too much away by letting on it was a woman.
This time it was the National Cyber Security Centre talking to us about digital resilience, things like Cyber Essentials and GDPR, and this raised a number of interesting talking points.
Thankfully the room needed no convincing that data and digital information holds huge benefit right across our industry and businesses, and the conversations have moved on from 3D models to how to change the culture of an industry to embrace a digital future.
But, with the increase in information we are dealing with, and the nature of information we are dealing with, security needs to be addressed. Schemes like Cyber Essentials and legislation like GDPR are forcing industry and businesses to look at how they manage data and information, but this in itself presents challenges with an industry battling to transform the way it operates and compete in an increasingly digitally enabled economy.
Here are a couple of thoughts based on discussions throughout the day.
When to let go of the reins?
If there is one thing we know about the current technology landscape, it’s that it’s showing no signs of slowing down. New technology appears on a weekly basis, new opportunities and ideas even quicker. Creativity and innovation need freedom: room to try things out, get them wrong, and refine and develop things quickly and freely. In the world of digital and data that often means playing with datasets, or creating some kind of program or process, or investigating new technology to look at things differently.
There was one speaker on the day, with a background in retail and finance, both hugely data driven industries, who made a bold claim that he could guarantee you would find something of value by connecting 2 datasets that hadn’t been connected before.
Contrast that against the world of IT security and Cyber Essentials, an industry and a scheme with a remit to do the exact opposite: prevent the unauthorised access and movement of data, secure our systems so changes and new things can’t be introduced without first being tested to destruction, and restrict access to only the tools and information you need to carry out your specific task.
Both of these things are hugely important – you need the ability to be creative and innovative. If you’re not, in this day and age, you are going to be out of date very quickly. Then you won’t have any systems that need protecting because you won’t have a business. But you also need to protect what you have against cyber risks.
There was a statistic on the day that 60-80% of IT security issues came from within an organisation, either accidentally or maliciously. Getting the right balance between the freedom to be creative and innovative, and the policies and restrictions needed to operate in a system that is as risk free as possible, is a tight balancing act that needs careful consideration. Simply forcing IT policy without regard to business operations is counterproductive. As the lady with no second name said:
“security that doesn’t work for people doesn’t work”…
Overdoing it is a risk.
Unstoppable force meets unmovable object…
There is a concept many of you may not have heard of before, but one that is getting a lot of attention across a number of sectors: BLOCKCHAIN – a distributed ledger system that de-risks data transactions. It’s the technology that underpins Bitcoin. The basic principle is that it creates a permanent record, stored in multiple locations, of the transfer of some form of asset from one person or organisation to another, or maybe a record of someone agreeing to something. It’s being held up as one of the biggest enablers to making a digital economy work, and huge amounts of money are going into making blockchain work in areas such as Smart Contracts, Land and Property Registry and of course financial transactions.
There is also some European legislation about to land – GDPR, the General Data Protection Regulation. It is legislation designed to protect personal information, the successor to the Data Protection Act.
It’s one of the things that will allow you to go to Facebook and request that all information they hold on you should be deleted forever. It has implications for any business that stores personal information – if you leave a business, or if you decide to leave any organisation you belong to (online shopping for example), the data they have about you needs to leave too. If you collect personal information from people – they need to know this, and you can’t keep hold of it. Basically there has to be a way for a person to ensure any company has no information about them at all.
So what happens when GDPR and Blockchain meet – one piece of legislation devised to ensure digital information can be removed from existence, and one emerging technology designed to ensure digital records can be kept forever? Will it be a case of an unstoppable force meets unmovable object, or is it exactly this kind of counterbalance that ensures the checks and balances are in place to make it a success?
I’m not sure anyone has the answer right now, but what we do know is that one can’t exist without the other. We need the ability to be bold, take risks and try new things, without the risk of accidentally leaning on that big red launch nuclear warheads button!