ITNOW – THE MAGAZINE FOR THE IT PROFESSIONAL
SPRING 2015

DATA: WHERE IS IT? HOW SECURE IS IT? WHO CAN ACCESS IT?
bcs.org/itnow

CONTENTS

DATA
08 DATA RETENTION WRANGLING
10 DATA COLLECTION DANGERS
14 RISK ASSESSMENT
16 DUDE, WHERE’S MY DATA?
18 CLOUD REGULATION

SECURITY
24 SCoE UPDATE
26 SECURE DEVELOPMENT
28 PAYING THE PRICE
30 PERSISTENT THREATS
32 MAINTAIN INTEGRITY
34 HOW SECURE IS SECURE?
36 SOMEONE IS WATCHING YOU
38 SECURING TRANSACTIONS
40 SECURITY BALANCING ACT

LEARNING AND DEVELOPMENT
42 DEVELOPING AND MENTORING
44 TECH MEETS TRADITION

HEALTH
46 INTRODUCTION TO BCS HEALTH
47 EMAIL ARCHIVING AND HEALTH

...THE REST
48 MANIFESTOS
56 CES: DRIVE-BY COMPUTING
58 DIGITAL LEADERS SURVEY
60 BUSINESS INTELLIGENCE

EDITORIAL TEAM
Henry Tucker, Editor-in-Chief
Justin Richards, Multimedia Editor
Grant Powell, Assistant Editor
Brian Runciman, Head of Editorial

PRODUCTION
Florence Leroy, Production Manager

ADVERTISING
Daniel Lindsey, E [email protected], T +44 (0) 20 7978 2544

Keep in touch: contributions are welcome for consideration. Please email: [email protected]

ITNOW is the membership magazine of BCS, The Chartered Institute for IT. It is sent to a wide variety of IT professionals, from systems developers to directors, consultants to training and education specialists. A subscription to ITNOW comprises four issues. All prices include postage. For subscribers outside the UK, delivery is by Standard Air.

Annual subscription rates. Institutional: print edition and site-wide online access £208/US$394/€311; print edition only £191/US$362/€286; site-wide online access only £166/US$315/€249. Personal: print edition and individual online access £191/US$362/€286. For payment details and terms and conditions, please see: www.oxfordjournals.org/our_journals/combul/access_purchases/price_list.htm

ITNOW, ISSN 1746-5702, is published quarterly (March, June, September, December) by BCS, The Chartered Institute for IT, North Star House, Swindon, UK. Subscription records are maintained at BCS, The Chartered Institute for IT, North Star House, North Star Avenue, Swindon, SN2 1FA UK. The current year and two previous years’ issues are available from Oxford University Press. Previous volumes can be obtained from the Periodicals Service Company, 11 Main Street, Germantown, NY 12526, USA. For further information, please contact: Journals Customer Service Department, Oxford University Press, Great Clarendon Street, Oxford OX2 6DP, UK.

The opinions expressed herein are not necessarily those of BCS or the organisations employing the authors.

© 2015 The British Computer Society. Registered Charity No 292786. Copying: permission to copy for educational purposes only without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage; BCS copyright notice and the title of the publication and its date appear; and notice is given that copying is by permission of BCS. To copy otherwise, or to republish, requires specific permission from the publications manager at the address below and may require a fee.

Printed by Rotolito Lombarda, S.p.A, Italy. ISSN 1746-5702. Volume 57, Part 1.

BCS, The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK.
T +44 (0)1793 417 424, F +44 (0)1793 417 444, www.bcs.org/contact. Incorporated by Royal Charter 1984. Liz Bacon, BCS President; Paul Fletcher, CEO. Feedback email: [email protected]

MEMBER NEWS

BAREFOOT COMPUTING PROJECT
doi:10.1093/itnow/bwv001 ©2015 The British Computer Society

With almost 3,000 teachers from over 800 different schools in England having received training via the Barefoot Computing Project since its launch last summer, BCS, The Chartered Institute for IT is pleased to announce that the scheme is to be extended.

BT has agreed to support the project from March until the end of this school year. The project was originally funded by the Department for Education from September 2014 to March 2015.

Led by the Institute in partnership with BT, and initially funded by the Department for Education, the Barefoot project supports primary school teachers to teach the new computing curriculum, which became compulsory in schools throughout England in September 2014. The scheme provides cross-curricular computer science resources and training for primary school teachers with no previous computer science knowledge. The initiative is being supported through a programme of free in-school computing workshops for primary school teachers across England.

Pat Hughes, Project Leader for Barefoot Computing, said: ‘The announcement that BT is providing funding to extend the Barefoot project is great news. The scheme has proved to be popular so far.

‘As well as training thousands of teachers there have been 6,000 registrations to the Barefoot website, with 2,500 new teacher registrations in the last two months. Barefoot helps teachers understand ideas and concepts such as algorithms, abstraction and data structures, how they occur naturally in many other disciplines that they also teach, and how they can teach them to children starting from age five.’

School Reform Minister Nick Gibb said: ‘I am delighted that BT is extending the successful Barefoot project, providing innovative support for primary teachers on the new computing curriculum. This is an excellent example of industry working together with schools to support teachers - ensuring pupils leave school prepared for life in modern Britain.’

Clive Selley, CEO of BT Technology, Services and Operations, said: ‘Computing is a very important skill for BT and through our engagement with schools we’ve seen that children really enjoy it and that it can have a profound impact on other STEM subjects.

‘We’re proud to be partnering with Barefoot Computing and that the workshops BT, and other volunteers across England, have been involved in have been such a success; it’s great to hear from teachers that the programme has boosted their confidence.

‘The programme was due to end in March, but given its popularity to date, BT is pleased to announce it will be working with BCS and Computing At School (CAS) to ensure that it continues to run through the summer term.’

The Barefoot training workshops are run by volunteer professionals from the IT/computing and education sectors. These events introduce the new computing curriculum to teachers and explain the support available to them through Barefoot and other related projects.

Pat Hughes continued: ‘This programme of events will help equip teachers with the skills and knowledge needed to incorporate the computer science elements of the new computing curriculum into their lessons. By providing high quality cross-curricular computer science resources for primary school teachers, supported by explanations of the key computing concepts, we are providing support for teachers who may have little previous knowledge of computer science. A lot of teachers are already introducing many of these concepts into their classrooms without realising it and we want them to see that it’s not as complicated as they may think.’

For more information about Barefoot Computing visit: http://barefootcas.org.uk

WELCOME REVIEW

BCS, The Chartered Institute for IT, welcomes the review of the accreditation of computer science courses in UK universities announced by the Department of Business, Innovation and Skills.

Paul Fletcher, Group CEO of the Institute, said: ‘It’s very important that university accreditation should undergo regular reviews to ensure that courses offer students the best opportunities. We are pleased that computer science is the first course to be reviewed as this reflects the importance of this discipline today and in the future.

‘As an accreditation body, we welcome this focus; however, we want to ensure that the review considers all factors. Employability is critical as one of several measures that need to be taken into account; the ability for universities to drive social mobility by helping students from underprivileged backgrounds is also important.

‘We will be working with Tech Partnership, employers and universities to discuss these issues and how we can help ensure students have access to an education that provides them with the skills for a career both at the end of their course and a professional career over the long term.

‘For computer science courses specifically, this means that we champion the teaching of the principles that underpin computer science rather than specific technologies. This, together with the skills to understand how these principles can be applied in the world of business, is key to helping students develop a successful career.’

BCS, The Chartered Institute for IT, accredits computing courses in 80 per cent of UK universities.

ORGANISATIONAL MEMBERSHIP

Goldsmiths, University of London has joined the Organisational Membership scheme offered by BCS, The Chartered Institute for IT. Goldsmiths is the first university to join the scheme, which has attracted many commercial organisations including Waitrose, the Post Office, Glue Reply and London Metal Exchange.

David Evans, BCS Director of Membership, explained: ‘We’re delighted to have Goldsmiths, University of London, join our Organisational Membership scheme. The university sets very high standards and has a vision which its IT team is instrumental in helping to achieve.’

Goldsmiths’ IT department will now be able to apply for BCS professional membership and access the associated benefits under the scheme, which offers a way for companies to increase their return on IT investment and raise the profile of their IT teams. In addition, by encouraging employees to join membership by covering the cost, employers are able to ensure that their IT practitioners are professional and have access to career development tools, industry standards, best practice information and qualifications.

Daniel Rubie, Head of Infrastructure at Goldsmiths, said: ‘Organisational Membership is an investment in our people. We have a team of professionals who will help us turn our vision into reality. By being part of this we will be able to adopt the best practice standards that are recognised across the globe.’

He added: ‘The scheme will also help individuals map out their career paths and identify how they fit with the industry standard Skills Framework for the Information Age (SFIA).
By doing this, they will be able to identify what they want to achieve in their own careers and how they can achieve it.’

http://teamtalk.bcs.org

INTERVIEW

ALCHEMY: BRINGING MEMBERS, VOLUNTEERS AND STAFF TOGETHER
doi:10.1093/itnow/bwv002 ©2015 The British Computer Society

Paul Fletcher FBCS, Group Chief Executive, BCS, The Chartered Institute for IT, joined the Institute in September 2014. He spoke to Brian Runciman MBCS about his background, his initial impressions of the organisation and more.

Tell us a bit about your background.
I’ve spent the last ten years at RM Education where I was Group Managing Director, Education Technology. My time there was about getting tech into schools and universities in the UK and solving the problems that arise where education and technology meet. Before that I spent some time in consultancy, which followed on from seven years in the aerospace industry. Those are the first three chapters of my working life; I view BCS as the fourth.

What attracted you to BCS?
It felt like a natural progression for me; the right time to move on to keep things fresh. There is a big crossover with RM, with both the education and technology focus, and I genuinely think I have something to offer. I also liked the opportunity to work in a not-for-profit organisation, a sector I had not been in before. The laudable purpose of the Institute was relevant in my decision-making so, although like everyone I need to make a living, I like the idea of an organisation whose purpose and aims I share.

What does BCS do well at the moment?
We have an unrivalled market position and a mandate created through legacy and the charter to allow us to do good things. When we get things right - when volunteers, members and staff work together - I think it can create real alchemy. For example, we have had a significant impact recently with our work on the new curriculum and, as our charter says, we need to impact the public - so that is a huge achievement. Also, the BCS’s networks are strong. The regional branches and specialist groups provide a lot of benefits – they are a real strength and an ingredient of that unrivalled market position. As I have gone to various Institute meetings I have found that the amount of effort people put in is humbling – I’ve been really impressed that our BCS people are so interested in giving back to their profession that they give their time for free.

What should the organisation be doing more of, or better, than what you’ve seen so far?
We pursue too many projects and initiatives, so that means we lack some focus. When you look at what we do and its alignment with our organisation’s purpose, the connection is sometimes tenuous. This means we are spread a bit thinly and that, in turn, reduces our impact. Likewise, we need a stronger voice on the big technology issues that are impacting society. We need to have an opinion, and that could even be controversial if needs be. For example, the tension between the safety of the UK in the context of the terrorism threat and people’s understandable concerns about privacy – this is something on which we should facilitate debate.

Is the broadness of the royal charter a problem?
I don’t think so; it is in old English but the fundamental principles still hold true.

What is the executive team’s vision for the near future?
When I came in I first wanted to work with the team to deliver services for the members this year and hit current targets. Last year’s small financial surplus was good; after all, we need the commercial activities to be successful to allow us to invest. And that investment is not only in systems for members and products, but so we can fulfil our mandate to society. Some of our intellectual property is now getting a little old – so that needs work as well.

And the longer term?
It is time to refresh the BCS’s vision and strategy. The executive team, alongside the boards and council, have been working on this and we have a revised purpose and new strategic pillars to inform the vision. We will be saying more about that in the near future. The more of relevance we have to say, the more we can feed back into useful products, and the more we network the better what we have to say is. It goes round in an ever-improving loop. There is plenty for us to talk about. People are concerned about IT; it’s so prevalent in society. People want to keep their kids safe, they are concerned about privacy, the legal and regulatory areas have a lot of challenges ahead, some are worried about unchecked AI research. And this goes way beyond technology to societal impact, ethics and our way of life in general.

What upcoming tech excites you most?
Technology that continues to drive efficiency. For example, the internet of things can distract you with its consumer applications, but actually it can make a real and more basic difference in industrial applications. Also, the way our children learn is fundamentally changing – AI, if used properly, can be used to assist in this. Traditional classrooms will die - the potential and the challenges are exciting.

What worries you most?
I do wonder where it will end. What will we spend our time doing? What will we do to earn a living? It’s interesting that these questions have particular relevance for the UK. For example, the automation of things like banking and retail. In the UK we were a manufacturing nation, then we developed into a finance and service-based economy – but those are some of the main things that automation is enhancing – so how does that impact our workforce? An interesting question.

www.bcs.org

QUICK QUESTIONS

What tech couldn’t you live without?
My iPhone and iPad.

What gadget would you want if you could have anything?
I hate traffic – I’d pay money to have a proper real-time application that reroutes traffic and keeps it flowing.

Mac or PC?
PC, but, as above, Apple devices. iOS for mobile and a Windows desktop.

Killer app?
For me it’s about connectivity: email, Facetime, texting. As I travel a lot I want to stay connected.

Netflix or Amazon Prime?
Both. Terrestrial TV is dying. No-one wants to sit through adverts, they just want good programmes when they want them. At the moment I am watching Prison Break.

Favourite blog?
I like the Ted Talks. For a daily read I turn to Tech Market View. Then I cherry-pick anything related to tech and education, apprenticeships, digital skills and so on.

Personal philosophy?
It’s about authenticity – you need to understand who you are, your strengths and weaknesses – and be yourself. Tell people what you think.

DATA

DATA RETENTION WRANGLES
doi:10.1093/itnow/bwv003 ©2015 The British Computer Society

Charlotte Walker-Osborn, Partner and Head of Eversheds’ Tech, Media and Telecoms Sector, talks about a couple of hot topics relating to security in tech and media.

A new Counter-Terrorism and Security Bill (the bill) was introduced to the House of Commons on 26 November 2014 that will, among other things, allow the government to require communications providers to retain data necessary to attribute an IP address to an individual.

What?
Earlier in 2014, the European Union’s Data Retention Directive was found to be invalid. The government passed a new Data Retention and Investigatory Powers Act 2014 (DRIPA) in order to replace the Data Retention Regulations 2009 (2009 Regulations), which had implemented the EU Directive and was at risk of being found invalid.
DRIPA contained various amendments to the Regulation of Investigatory Powers Act 2000 and set out a new regime for the retention of communications data. Among other things, DRIPA amended the definition of telecommunications service to cover services that consist of, or include, facilitating the creation, management or storage of communications, catching over-the-top players, internet mail providers and social media businesses who may not have been required to retain communications data under the 2009 Regulations.

The bill makes certain amendments to the provisions of DRIPA, including the definition of ‘communications data’. Providers may now be required to retain internet data that relates to internet access services or internet communications services and may be used to identify or assist in identifying which IP address or other identifier belongs to the sender or recipient of a communication (whether or not a person). The effect is that providers that are potentially required to retain communications data may now need to attribute IP addresses to individuals or devices, or retain information to assist law enforcement authorities to identify the users of certain telecommunications services.

So what?
In some ways, the new requirements do not go much further than the existing requirements of DRIPA. For example, internet access providers could already be required to retain IP address details. However, providers may be under a higher obligation to retain such data and, unlike in the 2009 Regulations, there is no defence for a provider in the event that another organisation is already retaining the relevant data. The requirement for data to be collected and retained to attribute IP addresses and other internet identifiers to recipients and senders may well be controversial given that providers need to comply with the data protection laws and regulations with respect to the communications data that they retain.
Much will depend on how draconian the government will be in issuing data retention notices under the amended DRIPA. While DRIPA, and previous bills proposed by the government on the subject of data retention (including the Communications Data Bill from 2012), have been the subject of great debate, the focus of the new bill has been on the wide-ranging powers that the government has requested, including the power to place universities under a statutory duty to prevent people from being drawn into terrorism. Line-by-line examination of the bill took place during the final day of committee stage on 28 January 2015. Amendments discussed covered clauses 21, 22, 24, 25, 28, 30, 32, 34, 36 and 42 of the bill. At the time of writing, the report stage – further line-by-line examination of the bill - was scheduled for 2 February 2015. Whatever form the bill finally takes, there is little doubt that the government will continue to push its agenda for greater powers in relation to communications data.

Recent studies on cloud computing suggest that security concerns are still hampering the adoption of cloud computing. BT, Fujitsu and Netskope recently commissioned studies which, predictably, revealed that confidence in the security of the cloud is at an all-time low. Despite the predictable results, these studies will provide cloud computing service providers with insightful prospective customer feedback.

In September, BT published the results of a study it commissioned that explored the attitudes to, and use of, cloud-based services of IT decision makers from enterprise organisations in 11 countries. BT reported that three quarters of those surveyed (76%) cited security as their main concern about using cloud-based services. Despite security being a major concern, surprisingly, 50% of those surveyed admitted to adopting mass market, consumer cloud services rather than those designed specifically for the enterprise. Fujitsu’s study reported similar findings.
The study, ‘Two Years On: The Financial Services Landscape: Is your organisation super-powered?’, follows up on a 2012 study. It surveyed 176 IT decision makers at a range of financial sector firms. The study found that, two years on from the last survey, less than a quarter of financial sector firms have implemented cloud computing and, of those who neither use cloud at present nor are planning to in the future, nearly half (42%) said that they believe that it opens up too many security threats.

The Netskope-commissioned study, Cloud Multiplier Effect in European Countries, reported similar findings to those of the BT and Fujitsu studies. Just over half of the respondents did not agree that their organisation’s cloud service use enabled security technologies to protect and secure sensitive and confidential information, and 72 per cent said these cloud service providers are not in full compliance with privacy and data protection regulations and laws.

As expected, and in line with concerns over security, the studies suggest that it tends to be non-sensitive data and non-business-critical processes and data that are being hosted in the cloud. For example, Netskope found that, on average, only 23 per cent of a business’s critical applications are in the cloud and only 10 per cent of sensitive or confidential information is stored in the cloud. Fujitsu, meanwhile, found that around three quarters of those using cloud do so for internal operations.

So what?
For those parties who supply cloud solutions, the results of the surveys provide insightful prospective customer feedback which can be used to tackle certain barriers to the adoption of cloud computing, including security. For those procuring or considering procuring cloud, it will be interesting to see how suppliers deal with the continuing concerns around security and data. This is an area I will be taking an in-depth look at in a future briefing this year.
To help enterprises better understand the cloud, the International Organization for Standardization (ISO) has recently released two international standards on cloud computing, ISO/IEC 17788 and ISO/IEC 17789. ISO/IEC 17788, Cloud computing – Overview and vocabulary [1], provides definitions of common cloud computing terms, including those for cloud service categories such as software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). It also specifies the terminology for cloud deployment models such as public and private cloud. ISO/IEC 17789, Cloud computing – Reference architecture [2], contains diagrams and descriptions of how the various aspects of cloud computing relate to one another. Whilst many reading this article will find the standards potentially quite basic for them, these standards will be significant in helping a number of organisations’ understanding of the cloud and are expected to pave the way for more technical standards dealing with issues such as security.

www.bcs.org/security

References
1. www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=60544
2. www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=60545

DATA

DATA COLLECTION DANGERS
doi:10.1093/itnow/bwv004 ©2015 The British Computer Society

Andy Smith from the BCS Security Community of Expertise examines the security risks of data aggregation and mining.

The BCS Security Community of Expertise, and more specifically the Identity Assurance Working Group, have been looking at various subjects related to online security. One of the issues that is becoming much more serious is the ability for organisations, including sales and marketing departments, advertising companies and serious organised crime, to use data aggregation and data mining to their advantage and to target individuals.
Aggregation is the collecting together of individual items of data or databases to form large sets of data, for example, bringing together social media accounts, internet searches, shopping preferences and email for millions of people. Data mining is taking a large data set and using tools to search for particular words or phrases, then narrowing the search with combined search terms to find individual records of interest. For example, searching the vehicle database for the registration number of a car in long-term parking at Heathrow, then using the name returned to search for travel details, and the electoral roll and school databases for other people living at the address.

Targeted online marketing can be aggressive and unwanted. We are all victims of spam, ad-ware and other unwelcome methods of trying to separate us from our money. However, most online marketing is actually good and welcome. Targeted marketing can be very useful, but to achieve this, the advertising organisations need to track and hold a significant amount of information about a person. Some of this can be personal, such as age and where you live. When they are tracking spending profiles and the types of products people buy this can become very sensitive. Basically they are gathering (aggregating) huge amounts of information and then mining this for marketing purposes.

However, there are laws to protect the public from aggressive marketing and invasion of privacy, and to ensure data protection. This is especially true in Europe, including the UK. These laws cover the type of data that is held and ensure it is properly protected and, to a certain extent, not misused. But this only applies to reputable companies and those in jurisdictions covered by such laws. Apply the same capability to organised crime and you have a wholly different and much more serious problem.
Between the law-abiding professional organisations that provide useful advertising services on the internet and organised crime there is a spectrum of organisations, ranging from slightly aggressive targeted marketing to malicious code authors that install ad-ware on your machine to replace official adverts with nefarious ones. This is one major area of data mining and the one most people think of, but it is not the only one. Organised crime, terrorist organisations, investigative journalists and private investigators can all use data sources on the internet and data mining tools to find and target people. It is amazing what is now achievable from knowing small snippets of information and using these as keys in different databases, which give further bits of information, which in turn can be used as search keys in other databases. Given large aggregated data sets and the right search terms, it’s possible to find a lot of information about people, including information that could otherwise be confidential, for example, that someone is having an affair.

In democratic societies with good governance and oversight, it is not unreasonable for law enforcement to use large government databases to track and find criminals. Knowing a car was used in a crime, finding the owner and tracking the driver at the time is something expected in the UK. However, in oppressive regimes this can now be used for suppressing human rights, such as finding a posting on a newsgroup that goes against the regime and using the IP address to find the service provider, then the credit card details to find the poster, even though they thought their posting was anonymous. It’s easy to find people, even if you have a pay-as-you-go tablet; it really depends on whether it is worth the time and effort, which in most cases it is not.

Take, for example, a hacker managing to get into loyalty scheme databases. It would be easy to mine the data and identify alcoholics, newly pregnant women etc.
This is why certain large supermarket chains put huge amounts of effort into protecting their databases. The security controls do not just stop unauthorised access; they stop authorised staff doing unauthorised things. The security controls on some of these databases are better than those on military databases. The trouble is that not all organisations do such a good job of protecting their data. Worse still, individuals are very bad at protecting their own information. One aspect of preventing data mining is helping the naïve protect themselves online, for example parents protecting their children, as children do not understand the implications of giving out sensitive personal information.

So what can organisations do? The first thing is to recognise where information is being aggregated. This can apply to one database or dataset, but it is also important to look at that dataset in the context of related datasets. By itself, a database of customer details in a CRM system may not seem that sensitive, but when related to other databases it may be possible to extrapolate additional information, such as that someone has an addiction. Having decided that a dataset aggregates to something more sensitive than the sum of the individual entries, additional controls need to be added to address the aggregation. Information may be classed as personal whether it is one entry or one million. But losing a copy of one entry should have a much lower impact than losing a copy of a million entries, especially if it includes credit card information or other sensitive data. Even from a basic business impact perspective, having to send a letter to one customer to say their credit card has been compromised may cost £1; letters to a million customers, on the other hand... The key controls are already there, but they should be enhanced for aggregated data.

Access control should ensure only authorised people have access to the data, but do staff need access to all the data to do their job, or just some of it? If they only need regional data, or access to single entries at a time, then the authorisation should be configured to enforce this policy. More importantly, the accounting should be of sufficient quality that it can be used as evidence in a court, should legal enforcement be required. Accounting is very important in dissuading people from overstepping their remit. Just because someone can do something, it does not mean they should. The ability to look at all records in a database does not mean a member of staff should start looking at details about their neighbours or famous people.

There may be some records in a database that you want to add a flag to. Well-known people are obvious examples, but company directors may also be deemed sensitive and could be flagged. By this I mean using a host-based intrusion detection system or other method to alert security if someone looks at a particular record. Security would hold a list of those authorised to do so and would pay a visit to anyone who was browsing.

If databases have search functions, there are also controls that can be put in place to reduce or prevent data mining. Putting a specific type of proxy in front of the database that prevents more than a set number of searches, or only allows a small number of records to be returned at a time, can help. If people only need to see single records to do their job, why would you permit multiple records to be returned? The proxy could also prevent wildcard searches on the database or limit the search keys. Banks do this very well. When a person contacts the bank via a call centre, the advisor will look up the record for the person based on, for example, postcode and surname. They will then be prompted for information that only the caller would know. Without this the record cannot be seen.

The other control is to prevent bulk extraction. A database may only be searched for single records as part of a normal business process. Again, a firewall in front of the database could prevent file transfer or extracts of the database being taken. Specific controls that prevent extraction of data and data mining are the best method of ensuring that malicious code, hackers and staff cannot take copies of the dataset or perform searches on inappropriate search terms, including wildcards.

The last aspect is people who do not realise they are sharing their lives, not just with friends and family, but with anyone that has a good search engine, from marketers to organised crime. This is especially true when some social media sites change their terms and conditions and open up privacy settings. I no longer have accounts on certain social media sites, as they now 'own all photographs posted on xxxx'. They also twice removed the privacy settings so that my information was exposed until I added the privacy controls again. Millions of people still do not realise that their information is public. Even simple things like putting too much detail in a CV uploaded to job sites can be a bad thing. It does not take much for a criminal to open an account as a potential employer and browse CVs, which can include full names, addresses, contact details and so on. It is vital that people think about what information they are putting on the internet and why. A short CV with an email address and a note that a full version is available on request is all that is needed on job sites. Searching for medical websites and certain information should be done with caution, including ensuring the browser is set to Do Not Track. I would suggest using a different web browser type for sensitive sites, one that does not share cookies or cache with your main browser.

If you look after the computers for children and for family members who may be adults but new to the internet, it is best to ensure that their computer has a full internet security package, which includes parental controls. Configure this for them to prevent personal information being exposed and prevent access to blacklisted websites. Though this will not solve every issue, it will certainly help.

As storage gets cheaper, processing power increases exponentially and the internet becomes more pervasive in everyone's lives, the data mining issue will just get worse. Criminals are going to follow the money online. They are going to target people for identity theft, blackmail and worse. Private investigators and investigative journalists are going to use those massive data sources to their benefit, and marketing will become even more accurate and targeted. However, this does not have to be as bad as it sounds; fear, uncertainty and doubt can be just as bad, as they prevent people making full use of the advantages offered by the internet. If you protect your personal data as you would in the real world, and minimise where your personal data is exposed and stored on third-party databases, you can enjoy the internet with minimal risk.

www.bcs.org/security

RISK ASSESSMENT
doi:10.1093/itnow/bwv005
John Mitchell, Chair of the BCS Information Risk Management and Assurance Specialist Group, looks at the issues surrounding the collecting, storing and use of data.
Risk identification of the issues surrounding the collecting, storage and use of data is relatively easy if we apply the confidentiality, integrity and availability (CIA) framework. Even risk prioritisation is pretty straightforward. The difficult part is the risk management and assurance components. Why is this the case? Well, the first two (identification and prioritisation) only involve talking, whereas the last two usually require some action to be taken. For anything other than tolerating the risk, something has to be done to either terminate, transfer or mitigate it.

If we visualise IT as a pyramid with hardware at the bottom and information at the top, then the successive layers between the two are: base software (e.g. the operating system), middle software (e.g. database management), application software (e.g. payroll) and data. This last level is stored and manipulated by the lower levels to produce information. The network which provides the interconnectivity to distribute this information can be imagined as running up the spine of the pyramid. This means that for information to be reliable and available when required we must manage every underlying asset and process. The underlying risks are the usual CIA ones, plus compliance, which is often forgotten but may be the biggest risk of all, as we shall see later. Taken together these are a huge risk management challenge, especially when it comes to providing assurance that the end product of our investment, the information, can be relied on.

BCS has a specialist group that deals with this challenge; the Information Risk Management and Assurance (IRMA) group is one of the oldest within BCS and this year celebrates its 50th anniversary. It has gone through three name changes along the way (Auditing by Computer, Computer Audit and now IRMA), which illustrates its attempt to keep pace with the changes in risk due to changes in technology.
It is interesting to note that 50 years ago, in the very early days of computing, some far-sighted people realised the need to develop a control framework to provide assurance that the information being created by the technology could be relied on. Data collection and subsequent processing stages need to be controlled in a way which provides for confidentiality, integrity, availability and compliance at each stage of the journey from raw data to management information. When I reflect on what is involved in that journey I am amazed that we get anything approaching reliable output; and yet by and large we do. This is because over the years we have identified the key risks and put in appropriate controls to manage them to an acceptable level. This is not the same as no risk, and the acceptable level will vary from industry sector to sector, from company to company and even from system to system, but we now have a pretty good understanding of what that level of acceptability should be for any given situation.

The only reason that we have all that hardware, software and networking is to capture the raw data, store it and then process it to produce information for (hopefully) sensible decision making. The necessary control framework is formidable. We must provide for confidentiality, integrity, availability and compliance within the worldwide regulatory framework. Although this is a daunting concept, your compliance friends (for indeed we are) have developed just such an assurance framework. We have decomposed IT into 37 key processes spread across five domains, which are applicable regardless of industry sector or technology. For each process we have identified the key controls and, even more importantly, ways of measuring the operational effectiveness of those controls. We can even measure the effectiveness of the IT governance framework in meeting IT objectives, which should align with business objectives.
We call this framework Control Objectives for IT (COBIT), which is now in its fifth version since its inception in 1996. COBIT was originally developed by the Information Systems Audit and Control Association (ISACA) as a result of a quarter of a million dollar grant from IBM, which realised the need for assurance over the technology that it was selling. COBIT is available for free at www.isaca.org/COBIT/Documents/COBIT5Ver2-FrameWork.pdf. COBIT provides the capability for mapping enterprise goals to IT goals, and then to IT processes, with further drill-down into activities, key goals, key performance indicators, capability maturity modelling and assessment against ISO/IEC 15504. It is a truly awesome concentration of risk and control knowledge. It starts with the concept that, as IT is there to support the business, IT risks are business risks. If we know which IT components are being used to achieve a particular business objective, then we can risk assess and manage those components, whether they are infrastructure, hardware, software or people related. That way we can assess HR processes to ensure that we have the appropriate IT personnel in place; the design and implementation stages; and the operational and support phases.

Every three years ISACA conducts a statistically valid worldwide survey to ascertain what the real risks are and how they are being managed. This is supported by research into technological developments and whether we need to adjust our information risk management and assurance tactics accordingly. This has enabled us to adjust our control paradigms to recognise the changing risk profiles caused by the move from mainframe computers to tablets, from batch processing to real-time systems, from LANs to cloud, from internal to outsourced management and from centralised to decentralised data collection and processing. We do not claim to know all the answers, but the identification of the risks is an important first step.
We are also able to dispel myths, such as trust being a control, by mathematically measuring the effectiveness of a specific control in managing a particular risk. To manage a risk effectively you ideally need to manage both the likelihood and the consequence. A single control can only manage one side of the risk equation, so you need a minimum of two controls for each risk, and this assumes that both controls operate at 100 per cent effectiveness. Most controls do not achieve anywhere near this effectiveness level, so we may well need multiple controls to manage the risk to the appropriate level. By applying such assurance techniques we can help management to identify weaknesses in their IRMA structure. It is then up to them to decide whether they are willing to live with it (tolerate), remove it (terminate), adjust it (treat) or share it with another party (transfer). You will notice that every decision, apart from tolerate, requires some action to be taken. These improvement programmes are where you need to speak to your assurance professional. There are multiple ways of achieving a particular control objective and they can help the IT professional decide on the most appropriate approach. This should be a team effort. The IT people know the technology and we assurance professionals know the controls. Working together makes sense; collaboration is so much better than confrontation.

www.bcs.org/groups/irma

DUDE, WHERE'S MY DATA?
doi:10.1093/itnow/bwv006
Data is everywhere. Some of this data is information we voluntarily give away through social media or other online tools, but data is also being generated as a by-product of us simply going about our day-to-day lives. This raises ethical questions, says John Quayle MBCS, a member of the BCS Ethics Specialist Group.

Every day we are adding to our digital footprint and, given the ubiquity of the devices we all use out of necessity rather than choice, there is very little we can do, as individuals, to change this. Our industry has barely scratched the surface of big data, so it is unsurprising that a new generation of products has emerged specifically to gather data about individuals: what they like, what they do, what they buy, their political views and so on. These new products follow the same basic model: users provide their data and, in return, something of value is offered as compensation. Perhaps the most obvious examples of this type of product are the likes of Twitter, Facebook and LinkedIn, but data collection is happening far beyond the boundaries of social media. To give a few examples: people are happy to provide data about their shopping habits via store loyalty cards in return for special offers; smart cards track their owner's travel habits in return for the convenience of being able to tap in and out of the transport system; files and emails are hosted on somebody else's servers so that they can be accessed from anywhere that has an internet connection; photographs are posted on social media sites so that people can share experiences with their friends. Generally this seems to work. Quid pro quo. You take my data, you provide me with a service in return. Everybody wins.

But do people really understand how much data they are giving away and the potential consequences of doing so? In this article location data will be used as an example to show some of the ethical issues relating to mass data collection, before concluding with some realistic proposals about what can be done about these issues.

Unintended consequences
Let's take Twitter as an example. People muse about whatever is on their mind using 140 characters or less. Tweets sit there for all the world to see. It's all good fun. However, it is also a goldmine of information for those that are interested. And a lot of people are interested, especially if a user tweets a lot and has elected to add their location data to their tweets. The presence of Twitter has spawned a number of publicly available Twitter aggregators such as StreamedIn, Twitonomy and the aptly named Creepy. With the time and inclination, it is possible to extrapolate all sorts of information from an unsuspecting user's tweets: from trivial snippets such as a user's favourite band or preferred coffee shop, to more private things such as an individual's route to work and where they live. All of this information is derived from data that users have leaked one tweet at a time1. This is a key point. Even though the Twitter user may never have expressly said 'I live here', it is nevertheless possible to put the pieces of the jigsaw together to see the bigger picture. (It should be pointed out that Twitter has merely been used as an example here and there is no question of there being any malpractice on its part.)

Hidden data
Mobile phones are able to track their owner's location with remarkable accuracy. The apps installed on mobile devices have access to this data with the user's permission. It is likely that a large number of users are unaware that their data is being transferred to third parties, since it is not obvious to them that this is happening. Having already seen what can be done with the limited location data we know about, it is only a small logical step to see what might be possible if all location data was aggregated in some way.

Ethical questions
The examples above start to raise some ethical questions. Are the terms and conditions for mobile phone apps set out in plain language that a typical user can understand? Assuming the end users even read the T&Cs in the first place (probably not a safe assumption), it could be argued that the users have not expressly given their consent for their data to be used in the way it is actually being used. In fact, the user may not even be aware that data is being collected at all. How can a user take steps to seek the deletion of any data being held about them if they don't even know it exists in the first place? For many, this is the user's problem: they should have read the T&Cs in the first place so that they understand the risks. However, this type of thinking misses the point. Our industry has a duty of care to protect its end users and it would be simply irresponsible to ignore questions about data security and integrity. Furthermore, people will be far more likely to share data if and when they can be given confidence that their data is, in some way, protected. We must never forget that the key point in data collection is not what the data is supposed to be used for, but what it could be used for. In the wrong hands, data can be used for malicious purposes and this is what we must take steps to avoid.

Proposals
So what is to be done? The following proposals are put forward in order to start the debate.

Firstly, the terms and conditions to which users sign up need to be simplified. Key facts documents similar to those in the financial industry would go a long way to helping end users decide if they want to sign up to a service, or indeed how they might want to use a service. Many users don't even read the T&Cs because they are so long and complex; literally longer than a Shakespeare play in some cases2! A key facts document is far more likely to be read and understood than a verbose legal document.

Secondly, people should know about all the data that is held about them. Data controllers should, therefore, be obliged to send an annual statement of data to each and every individual for whom they store personalised data. On the face of it this might seem controversial, creating a vast overhead for companies, but in practice it should be a relatively simple task for any company that is competent to handle data. Google, Facebook and Twitter all offer the option for users to download all the data that is held about them. Organisations that cannot comply with this request would either have to anonymise data or delete the data they hold.

Finally, there should be an assumption that individuals own their own data and should have the right to have their data deleted within certain parameters. It wouldn't make sense, for example, to allow individuals to delete missed payments from their credit history, but the individual does have the right to make sure their credit history is correct.

Data can be used for purposes contrary to the spirit in which it was provided. Furthermore, personalised data is also being collected about individuals who may not even be aware it is being collected in the first place. The IT industry has a duty of care to ensure that data is handled competently. This would ensure that individuals are protected, but also give end users confidence that their data will not be misused. The methods by which the industry protects its end users are a matter of debate, but options include making terms and conditions easier to understand, providing greater transparency of the data that is held on individuals and the adoption of the general assumption that the end user owns any data from which they can be identified.

www.bcs.org

References
1. http://cms1.gre.ac.uk/research/csafe/publications/JenkinsGanCFET2014.pdf
2. http://www.dailymail.co.uk/news/article-2118688/PayPal-agreement-longer-Hamlet-iTunes-beats-Macbeth.html

CLOUD WITH A CHANCE OF REGULATION
doi:10.1093/itnow/bwv007
The EU's regulatory planning for cloud computing and data protection is an expanding domain worthy of everyone's attention. Whether you are pro-EU regulation or anti, the European Commission is addressing vital solutions to key issues, says Stephen Meachem, a barrister and solicitor with the Law Tribe and a member of the BCS Law Specialist Group.

Though the cloud supports business agility and market entry, by having the potential to offer flexibility and scalability, it is not without issues. The regulatory concerns around cloud computing and the data-related issues it raises for businesses arise in two areas: (a) the relationship (contractual and operational) between cloud providers and their customers; (b) the regulatory landscape, which includes data protection. A proposed new General Data Protection Regulation is intended to regulate big data, the cloud and social networks. This may offer innovation opportunities in cloud software development.

Standardisation of cloud service terms and conditions
Currently, individual vendors have an incentive to fight for dominance by locking in their customers. The market needs service level agreements giving a contractual right to get data back in a usable form which is easy to integrate in-house or to move to a different cloud provider. If a service goes down, users need to be up and running again as quickly as possible. Given the current capabilities of IT, is this a big ask? Both Google's Apps for Business and Microsoft's cloud services are able to manage it. Whatever difficulties small providers may claim, whether justified or not, surely the EU is right to work towards such minimum standards. Currently the market norm is complex contracts or service level agreements that are insufficiently specific and balanced and which contain extensive disclaimers. The use of take-it-or-leave-it standard contracts might be cost-saving for the cloud provider, but is often undesirable for the user, including the final consumer. Standardised contractual terms would reduce the transaction cost of legal advice. Contractual litigation should be regarded as a sign of regulatory failure. Robust and transparent standard contractual terms must be the way forward. Usefully, therefore, the EU is working towards model contract terms and a code of conduct for cloud providers. See also ISO/IEC 27018, mentioned below.

Data protection in the cloud
The cloud is blurring the boundaries of the enterprise and creating security issues. People need to know where their data is and who has the right to see it. Issues arise in the cloud when cloud services are used to process personally identifiable information (PII). It is hard to imagine an organisation that does not hold a certain amount of PII (relating to employees, for instance). However, in the cloud, whilst the data processing is outsourced and under cloud provider control, the legal obligations regarding PII protection remain with the client of the cloud services, under the 1995 Data Protection Directive (95/46/EC) as implemented in the UK by the Data Protection Act 1998. ISO/IEC 27018, an auditable voluntary standard for the protection of PII in public clouds (an ISO/IEC standard rather than an EU instrument), addresses this. An auditor can verify whether a cloud provider meets the requirements of the standard and, if the level of compliance is adequate, can issue a compliance certificate. This certificate can be used both as a marketing tool for the cloud provider and as a warranty that the cloud provider meets its obligations regarding PII processing. To complete the regulatory system, the compliance certificate can then be registered in the contract signed between the client and the cloud service provider. This is an admirable solution in my view.

The 1995 Data Protection Directive is relevant to the cloud and big data as it contains a purpose limitation principle, which provides that personal information must only be processed for specified, explicit and legitimate purposes, and that it must not be further processed in a way incompatible with those purposes.
Derogations are only permitted where this is necessary to safeguard one of a list of public policy objectives, including, for example, public and national security, defence and the prevention of crime. The UK Information Commissioner's Guide to Data Protection links the compatibility of two or more purposes to the question of whether or not any further processing can be considered fair. Using or disclosing personal information in a way that is outside what the individual concerned would reasonably expect, or which would have an unjustified adverse effect on them, would be considered unfair and thus incompatible with the original purpose. Accordingly, when assessing the compatibility of new purposes, data controllers must take into account, inter alia, the nature of the data, the legal grounds on which it was originally collected, and whether the data subject was in a weak bargaining position or whether it was mandatory for the data subject to provide the data in the first place.

However, Section 35 of the Data Protection Act 1998 permits disclosures required 'by or under any enactment', even if those disclosures would otherwise violate the purpose limitation principle. The practical effect of this provision in its current form is that UK data controllers have no right (or obligation) to refuse a request for the disclosure of personal data to public bodies on the basis of their data protection obligations, as long as that disclosure is mandated by any statutory or common law obligation. It could, of course, be argued that such a lawful request from a UK government agency would itself be in breach of its obligations under the Data Protection Directive, which would be a potentially costly and lengthy litigation matter.
Article 6(4) of the proposed General Data Protection Regulation will dilute the purpose limitation principle somewhat, in that it will provide a statutory basis in EU law for data processing activities for purposes that would otherwise prima facie have been judged incompatible with the original purpose where, inter alia, 'processing is necessary for compliance with a legal obligation to which the controller is subject' (Article 6(1)(c)) or 'processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data …' (Article 6(1)(f)). Safeguards in respect of 6(1)(c) appear at Article 6(3): the 'legal obligation' must meet an objective of public interest or be 'necessary to protect the rights and freedoms of others', must 'respect the essence of the right to the protection of personal data' and must 'be proportionate to the aim pursued'. Moreover, it must be consonant with the Charter of Fundamental Rights of the European Union. Stronger safeguards may be required. Data processors may disagree. Arguably, to restore and maximise trust in the cloud, more transparency is needed on government access to data, for example for reasons of law enforcement and national security, including commitments on what constitutes legitimate government access to data and transparency about what access requests have been made.

Summary of the proposed EU General Data Protection Regulation
• A right to be forgotten. When a data subject no longer wants data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. The rules are about empowering individuals, not about erasing past events or restricting the freedom of the press.
• Data subjects will have easier access to their own data.
• A right to transfer personal data from one service provider to another.
• When a data subject's consent is required, they must be asked explicitly.
• More transparency about how data is handled, with easy-to-understand information, especially for children.
• Businesses and organisations will need to inform data subjects about data breaches that could adversely affect them without undue delay, within 24 hours. They will also have to notify the relevant data protection authority.
• Improved administrative and judicial remedies in cases of violation of data protection rights.
• Increased responsibility and accountability for those processing personal data, through requirements for data protection risk assessments, organisational data protection officers and the principles of 'privacy by design' and 'privacy by default', which must be implemented within systems.

Proposed amendment by the Council of Europe of the 1981 Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data
This treaty is the closest instrument to a universal declaration of data rights in existence. A key amendment is the explicit formulation of the principle of proportionality, which is to be respected at every stage of data processing. New duties of data controllers and processors include a duty of active transparency and an obligation to establish internal mechanisms to demonstrate compliance, to carry out risk analyses, and to design processing in such a way as to minimise risks for data subjects.

The above principles, and the principles of 'privacy by design' and 'privacy by default' to be enacted in the General Data Protection Regulation, are certainly food for thought and a source of potential instructions for software engineers. Love it or hate it, being in Europe can't be all bad for business! Can it?

www.bcs.org/law

Sources of further information
Proposed General Data Protection Regulation: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
ISO/IEC 27018: https://www.iso.org/obp/ui/#iso:std:iso-iec:27018:ed-1:v1:en
Recent EU guidelines identifying and disseminating best practices in contract terms: https://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines
The European Commission's Expert Group on Cloud Computing Contracts: http://ec.europa.eu/justice/contract/cloud-computing/expert-group/index_en.htm
The European Commission Roadmap: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52012DC0529
The European Commission's Digital Agenda for Europe: http://ec.europa.eu/digital-agenda/en/european-cloud-computing-strategy
Proposed amendment by the Council of Europe of Convention 108 for the Protection of Individuals with Regard to Automatic Processing of Personal Data: http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD(2012)04Rev4_E_Convention%20108%20modernised%20version.pdf

LESSONS LEARNED
doi:10.1093/itnow/bwv008
When it comes to dealing with hacks such as the one Sony suffered, Gareth Niblett, Chairman of the BCS Information Security Specialist Group, says we should all learn from others' mistakes.

We are all susceptible to being hacked and having our private records compromised. The trick to defending yourself or your organisation is to learn from the experiences of others and understand who might wish to target you. Avoiding the mistakes of others is a low-cost method of improving your security posture.
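As an added example, not from Gareth Niblett's article and not from any Sony material, the following implements the kind of inside-looking check the article goes on to ask for: per-host egress-volume baselining, which makes many terabytes leaving over a few days hard to miss. Each host's outbound bytes to non-private addresses are totalled per day, a baseline is built from that host's own earlier days (median and median absolute deviation), and a day is flagged when it exceeds both a multiple of the median and the median plus several MADs, so a flat history still needs a large jump and a noisy one must beat its own spread. The flow records, host names, addresses and thresholds are constructed for the illustration; a real deployment would feed it NetFlow/IPFIX, proxy or firewall logs.

```python
"""Egress-volume baselining over flow records (added example with constructed data).

Total each host's outbound bytes to non-private addresses per day, baseline the
host against its own history and alert on a day far above it, naming any
destination the host had never sent to before.
"""
from collections import defaultdict
from ipaddress import ip_address
from statistics import median

# Constructed flow records: (day, source host, destination IP, bytes sent).
FLOWS = [
    # fileserver01: six ordinary days of about 1 GB to its usual external host ...
    ("2014-11-17", "fileserver01", "93.184.216.34", 1_050_000_000),
    ("2014-11-18", "fileserver01", "93.184.216.34", 980_000_000),
    ("2014-11-19", "fileserver01", "93.184.216.34", 1_210_000_000),
    ("2014-11-20", "fileserver01", "93.184.216.34", 1_100_000_000),
    ("2014-11-21", "fileserver01", "93.184.216.34", 900_000_000),
    ("2014-11-22", "fileserver01", "93.184.216.34", 1_000_000_000),
    # ... then a day with 40 GB to an address it has never talked to.
    ("2014-11-23", "fileserver01", "93.184.216.34", 1_000_000_000),
    ("2014-11-23", "fileserver01", "77.88.55.66", 40_000_000_000),
    # An 80 GB backup to an internal host the same day is not egress and is ignored.
    ("2014-11-23", "fileserver01", "10.0.0.5", 80_000_000_000),
    # ws-17 has too little history to baseline, so even a spike stays silent.
    ("2014-11-21", "ws-17", "93.184.216.34", 50_000_000),
    ("2014-11-22", "ws-17", "93.184.216.34", 60_000_000),
    ("2014-11-23", "ws-17", "93.184.216.34", 9_000_000_000),
]


def daily_egress(flows):
    """Bytes sent to non-private destinations per host per day, plus the set of
    destinations each host used each day."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, host, dst, nbytes in flows:
        if ip_address(dst).is_private:
            continue                          # internal traffic is not egress
        totals[host][day] += nbytes
        dests[host][day].add(dst)
    return totals, dests


def find_exfiltration(flows, min_history=5, factor=5.0, mad_k=6.0):
    """Alert when a day's egress exceeds both factor x median and
    median + mad_k x MAD of the host's earlier days. Hosts with fewer than
    min_history earlier days are not judged at all."""
    totals, dests = daily_egress(flows)
    alerts = []
    for host, by_day in totals.items():
        days = sorted(by_day)
        for i in range(min_history, len(days)):
            history = [by_day[d] for d in days[:i]]
            med = median(history)
            mad = median(abs(h - med) for h in history)
            today = by_day[days[i]]
            threshold = max(med * factor, med + mad_k * mad)
            if today > threshold:
                seen_before = set().union(*(dests[host][d] for d in days[:i]))
                alerts.append({
                    "host": host, "day": days[i], "bytes": today,
                    "baseline_median": med,
                    "new_destinations": sorted(dests[host][days[i]] - seen_before),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_exfiltration(FLOWS):
        print(alert)
```

The check is deliberately per host rather than per site: a 40 GB day is unremarkable for a backup appliance and alarming for a file server, and a site-wide total hides the latter behind the former. Internal backups are excluded so they cannot mask, or masquerade as, egress. The newly seen destination in the alert is what an analyst reaches for first.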
One of the big attacks of 2014 was against Sony, which was comprehensively taken over by hackers. Setting aside the debate as to who perpetrated the hack, it was apparent that Sony had not learned from previous compromises that it and others had suffered, as it continued to operate with lax security controls. Observers might wonder how a large organisation, more than able to afford capable professionals, administering appropriate security policies and procedures, and underpinned by technology, could allow many terabytes of data to be exfiltrated without anyone or anything noticing something was awry. The practice of keeping a directory of static passwords for corporate accounts shows how even a large business struggles to find a way to balance security with usability. Attacks leveraging zero-day vulnerabilities can crack open even the strongest layers of defence, so you still need to also be checking on the inside.
All of us rely on software and many of us rely on it being robust and secure. It is impossible for functional software to have no bugs or vulnerabilities, but many can be squashed during the software development lifecycle with code analysis and testing. Secure software development can make our digital environment safer.
FURTHER INFORMATION
Information Security Specialist Group (ISSG): www.bcs-issg.org.uk
Information Risk Management and Assurance Specialist Group: www.bcs.org/groups/irma
BCS Security Community of Expertise (SCoE): www.bcs.org/securitycommunity
EXPERT GUIDANCE
Andy Smith MSc FBCS CITP provides an update on the BCS Security Community of Expertise.
doi:10.1093/itnow/bwv009
The BCS Security Community of Expertise (SCoE) (www.bcs.org/scoe) and its various subgroups have been very active over the last few months. There have been a number of changes on the committee, with some long-standing members retiring and new members being voted onto the committee. We now have a liaison with (ISC)2 and better representation on the ISO standards panels as a result. The Identity Assurance Working Group (IAWG) has also been very active, and representatives will be talking at UK IGF this year and will submit proposals for talks at EuroDIG and UN-IGF (www.intgovforum.org/cms). A summary paper of the activity from last year will be placed on the website shortly (www.bcs.org/scoe).
The focus of the SCoE remains on providing advice and guidance for the BCS membership and ensuring BCS is a voice in various areas including government and European policy. Our relationship with the Digital Policy Alliance and other government-related organisations remains strong, and we are striving to ensure the views of the BCS membership are taken into account in the various panels and forums. If you would like to contribute to any of the policy consultations please do; the information is here and is constantly updated: http://policy.bcs.org/consultations.
The SCoE has taken an active interest in near field communication (NFC) and a position paper on this is being drafted. There is a lot of distrust around NFC. The market is in flux, with an uneasy relationship between the IT industry and financial organisations. There is no real liability model for NFC and there are issues such as malicious code and privacy that still need to be addressed properly.
The SCoE came up with a number of areas to look at during 2015. A few of these will be selected based on what we feel will provide the most benefit to the membership.
The short-listed topics are:
• Hold a top tips Q&A at Infosec 2015 as part of our workshop on professionalising the security industry and security education;
• BYOD security aspects focused on: ‘stop looking at the devices, look at the data’ - the security and ownership of content, not the security and ownership of devices (note this also applies to the cloud);
• Cyber security aspects of the internet of things. This will mainly be done via the IoT WG, focusing on the awareness and impact of IoT on the public in cars, smart TVs, smart meters, smart lights etc;
• Education: security sense/home advice/risk assessment - linked to security top tips and Get Safe Online, which BCS contributes to. This includes developing a basic security sense guide for individuals and SMEs;
• Presence online - how do you protect yourself online (legal, moral, personal and social – plus such things as understanding jurisdictions). Also how to protect the naïve from themselves;
• Cloud security / safety - what are the key threats and how do companies and security professionals deal with these. There are specific concerns around follow-the-sun administration, proxies and organised crime in this context;
• EU legislation - such as the new data protection, e-signatures and e-trust regulations, the right to be forgotten and the net neutrality push;
• Working with the Charity Commission on promoting good practice. This is tied in to our work on security education;
• Big data and privacy - data aggregation and data mining;
• Lack of application security and the complexity for the public to understand what is provided for them and their own responsibilities.
From this list a few topics will be chosen and as much as possible achieved over the next year.
There is a large range of subjects that are now proving interesting and critical to daily life, from the internet of things and NFC, to Bluetooth and ‘my life in my hand’, where people have their whole lives: calendars, contacts, email, social media, basically everything, on their smartphone. So many of these technologies are becoming ubiquitous and combined in previously unimaginable ways. Now your smartphone can control your TV, sound system, cooker, lights, etc., which means that unless it’s properly secured, so can other people. With the internet now being a standard inclusion on most TVs, including video conferencing and web browsing right from your sofa, life is so much easier. But how many people read the user agreement? The one that gives the manufacturer the right to monitor your web usage, turn on your camera and microphone remotely and listen in. Yes, there are some that include this. It is subjects like this that show how people should be protected from cool features that have hidden security issues.
BYOD is now becoming a much more important subject for organisations, with staff using tablets for taking meeting notes and managing their calendar, to some diverting their work email to their personal device, and others working out they can access that wonderful cloud email service the company just started using from their phone. This is a topic we are looking at further and it may become a key theme for 2015.
I think 2015 will be an interesting year with many lively debates on privacy and anonymity and ongoing security issues surrounding merging technologies. The SCoE will endeavour to represent the BCS membership across a wide variety of forums. There are regular talks and meetings at the BCS office, especially useful if you live in London, but security events do take place on a regional basis too. Check out your local branch for more details: www.bcs.org/branches.
www.bcs.org/security
SECURE DEVELOPMENT
doi:10.1093/itnow/bwv010
Steve Daniels FBCS CITP, Strategic Business Advisor for Cyber Security in CGI UK, looks at the best practices for secure cyber development now being adopted.
Today’s reality is that an insecure system will be breached. Secure systems engineering has often been given lower priority than being faster to market and adopting new technology. The many publicly quoted data breaches demonstrate that this approach is not good for business. Failing to keep customer and organisation data private, available and correct now comes at an escalating price. This can include significant remedial costs and lost revenue (e.g. Sony ‘The Interview’ [1]), huge fines (e.g. TJ Maxx [2]), lost customers, getting swallowed up (e.g. HBGary [3]) or going out of business (e.g. Nortel [4]). Recent evidence [5] shows that recovery costs can be 2.5 times larger than mitigating the issue in the development process. Applying structured risk management within the development approach is the best way to address this challenge.
Why is it seemingly so hard?
Securing systems is not trivial. With millions of lines of code on a complex mesh of servers, running multiple protocols across a network, with the applications on top, it is often considered an insurmountable challenge. Such architectures can quickly become riddled with security vulnerabilities. Numerous security industry reports [6] show a substantial number of vulnerabilities reported annually. One study [7] cited that 53 per cent of the systems scanned contained exploitable vulnerabilities. A study of applications [8] showed 86 per cent of their websites contained at least one serious flaw.
Software development lifecycles are being increasingly compressed to deliver results sooner. Monthly ‘waterfall’ phases are now weekly ‘updates’ and ‘daily stand-ups’ within rapid development (‘AGILE’) processes.
These challenges are not new. Many organisations have established secure development lifecycles to fundamentally reduce system vulnerabilities [8]. These have resulted in accessible techniques and guidance, with corresponding improvements in secure systems [9]. Microsoft’s ‘STRIDE’ is one such model for structured analysis of threat or attack patterns.
The central role of risk assessment
A comprehensive risk assessment of a systems development provides a common language for ‘potential problem management’, usable throughout the lifecycle. The resulting risk scenarios have proven to be helpful in communicating the threats and risks to the proposed system, to architects and developers. But additionally, these scenarios provide an excellent mechanism through which to ensure that:
1. the right amount, level and frequency of management engagement can be obtained;
2. architects and designers understand why they are implementing security controls rather than seeing them as annoyances which delay implementation;
3. security investment in the project overall, and effort to be invested in each of the security activities themselves, is ‘right-sized’ and appropriately ‘weighted’;
4. in an agile environment, security is more suited to the ‘sprints’ process;
5. proposals to trade off controls for functionality and delivery can be addressed objectively.
Plotting the secure development journey
Risk assessments are successful when a consensus results. Communication and collaboration between the business users, developers, security experts and other stakeholders are essential. Too many business managers today consider that development is for developers. But, even if it takes some effort to get initial engagement to build the risk assessment, many benefits then accrue. My experience is that this can actually bring forward the development delivery date.
One example of risk assessment smoothing the development process is that it identifies how critical security factors are in each instance and how they compare with the other development perspectives. Clearly articulated security requirements are the keystone of every secure system development and must be commensurate with the risk, unless this is overridden, for example, by regulatory obligations. For these to be useful for software development, they must be specific statements such as ‘the application must authorise users using the username, memorable word and PIN code’ rather than generic statements such as ‘the application must authorise all users’. The existence of the risk assessment will reassure designers that the requirements are neither over- nor under-stated.
Shaping the design and managing the build
No one would challenge the need for effective architecture practices, such as understanding:
1. the technologies being used and where there may be incompatibilities;
2. that the architecture has been built up appropriately;
3. the design and assurance processes applied to all the components;
4. the provenance and past performance of the components and applications.
However, such processes are often carried out by development teams in isolation. In contrast, when these assessments are undertaken in a ‘risk-driven’ format, increased delivery efficiency results, in which different activities can be weighted uniquely. In an agile development some processes are well suited to integrating security, such as the iterative code development phase. But the architecture analysis can seem at odds with the iterative nature of agile. In fact, design reviews and code clean-ups can easily be added to the backlog to become part of scheduled sprints. The risk model is then very effective both at ensuring that this happens and that progressive sprints focus on completing the relevant parts, in priority order and in sufficient detail.
Sufficient testing
Then comes the vitally important step of real-world security testing, often wrongly seen as the final development step. With all the system modules integrated, the testing seeks to confirm that the system performs and security controls operate as expected. This will include testing of:
1. the original security requirements;
2. common security issues with the adopted technologies;
3. specific application features;
4. specially developed security controls.
This can again be best structured by reference back to the risk model. This will resolve such questions as: should the testing be done by an independent testing house, perhaps undertaking a CREST or CHECK [10] review? Does the development really merit standard testing? How much specialist and user engagement should there be to probe such issues as performance of the user interface? What testing tools would be appropriate? What testing of capacity would be justified?
Achieving and demonstrating assurance
When a total cost of operation view is taken of the development, the real last stage is providing a sustainable assurance regime. The risk model again plays a major role in defining how user acceptance will be obtained from the business, and from whom. Associated activities can also be shaped by risk to include what user acceptance training should be undertaken and what the audit regime’s scope, frequency and depth of review need to be. Another critically important aspect of development, which can be shaped by the risk model, is how to handle waivers or non-compliances, i.e. those issues that remain unfixed. By identifying relative priorities, the risk model will enable this to become a business-based decision. The starting point will then be whether these can even be afforded. But if they can, what is the relative priority to fix them? In what timescale, and how soon must the issue’s continued existence be subject to re-approval, and by whom?
Last, but not least, no good system goes live without appropriate performance reporting, i.e. critical success factors supported by metrics. The risk model is ideal for defining what these need to be. By using risk assessment to calibrate the development activities, they will remain proportionate and relevant to the real risks to which the live system will be exposed. Whilst a more secure system will have been delivered, many other material benefits will emerge that mandate the adoption of this approach. These will encompass: lower development costs, lower running costs, more uptime, more throughput, higher end-customer trust and, as a consequence, more end-customers. Secure systems development is therefore achievable and entirely worthwhile.
www.bcs.org/security
References
1. Sony’s costs for The Interview breach; Bloomberg; January 2015; http://tinyurl.com/otypbsg
2. TJX, Visa reach $40.9M settlement for data breach; USA Today; November 2007; http://tinyurl.com/nxc94x4
3. Anonymous speaks: the inside story of the HBGary hack; Ars Technica; February 2011; http://tinyurl.com/75e4ymp
4. Chinese hackers suspected in long-term Nortel breach; Wall Street Journal; February 2012; http://tinyurl.com/mom4u7p
5. Ponemon: Costs of Data Breaches 2014; www.ponemon.org/news-2/23
6. http://tinyurl.com/pjhpwuz
7. 2013 Internet Security Threat Report, Volume 18; http://tinyurl.com/cc7856t
8. Cisco Secure Development Lifecycle; Cisco; retrieved November 2013; http://tinyurl.com/nelpqxp. Oracle Software Security Assurance; Oracle; retrieved November 2013; http://tinyurl.com/oj4pyo5. Microsoft Security Development Lifecycle; Microsoft; retrieved November 2013; http://tinyurl.com/l9rssvm
9. The Trustworthy Computing Security Development Lifecycle: The Benefits; Microsoft; March 2005; http://tinyurl.com/n2tkzrf
10. CREST: http://crest-approved.org/; CHECK: www.cesg.gov.uk/Pages/homepage.aspx
PAYING THE PRICE
doi:10.1093/itnow/bwv011
When it comes to cyber security, why do large companies do it so poorly, asks Rob Pritchard.
2014 was a mammoth year for security breaches. Target was the first breach to make headlines, when millions of customer credit card details were stolen by point-of-sale malware. Home Depot suffered a similar breach. JP Morgan came later in the year, with the admission of the compromise of some 80 million customers’ details by a Russian criminal gang, with media allusion of connections to the Russian state. Rounding off the year was the destructive hack against Sony, quickly attributed to North Korea. Receiving less media coverage, though otherwise very similar, was the equally destructive attack on the Sands Casino in Las Vegas, apparently carried out by Iranian groups following controversial comments about the appropriate response to the Iranian nuclear programme made by the casino’s owner at a pro-Israeli US conference.
In 2014, when these breaches occurred, none of the companies could claim ignorance of security issues. Both in the UK and the US, cyber security has gone from niche concern to headline-generating news, and been the subject of government funding and awareness campaigns. Indeed, in nearly all of these examples the unfortunate organisations had been spending money on cyber security initiatives. Target had deployed a security monitoring product which alerted them to the problem, but no action was taken.
Significant compromises do not occur overnight. It takes time to gain, and maintain, persistent and deep access to a large network. An initial breach is made, often through a phishing email compromising the machine of a single user, and slowly expanded, with the attackers stealing credentials, accessing more computers on the network and ensuring they have persistent access. They have to do all this without triggering any monitoring systems.
Compounding the concern is that the vast majority of these attacks are not actually particularly sophisticated. Clever in elements of their implementation perhaps, but using known vulnerabilities and off-the-shelf tools. Properly patched and maintained organisations, with dedicated security teams and security software in place, should not be falling victim to hackers of this level of capability. It seems remarkable then that, when cyber security is so high-profile, such breaches can still occur with such depressing frequency.
What is going wrong?
In the defence of big organisations, ensuring consistent security standards across a large, often multinational estate, which may have grown through acquisition, and with different cultural approaches in each region, is non-trivial. However, the root of the problem is deeper and more systemic. For too long IT has been treated as something that should be subject to cost cutting, often very aggressively. The failures in security we see today are the consequences of a long-term failure to invest in what is business-critical infrastructure. Whilst organisations are certainly beginning to spend more money on security, it is usually restricted to spending specifically on tools, and the recruitment and training of security staff. This is not, in itself, a bad thing, but even relatively large spend on security cannot make up for years of underspend in IT infrastructure. Too many large companies have networks they barely understand, and an estate consisting of a huge variety of operating systems and applications, often dated and out of support. Poor asset management compounds these problems. How can you assess your exposure to a threat if you do not know the extent of your perimeter and what software you have running on what operating system? It’s simply not possible, and budget and remit for cyber security projects rarely extend to remediating these issues.
Extensive outsourcing has not helped. I am not arguing that outsourcing is inherently insecure, but the way it is usually done is anathema to good, effective, cyber security. Large organisations will usually have complex outsourcing arrangements, which encompass everything from network management, to patching and the help desk. Often these functions are carried out by different companies, in geographically diverse parts of the world. And to be clear I am also not arguing that organisations from other parts of the world are incapable, or inherently insecure - but anyone who has managed teams across different locations will know how challenging it is to ensure effective working practices, even more so across different time zones. Outsourcing contracts and deliverables focus on cost and resolution time, and do not enforce, or often even mention, security. Even where they do mention security, employees of a third party company, with targets based on numbers of tickets closed, may not be willing, or able, to properly consider security when resolving issues.
The fundamental underpinnings of good cyber security are also good IT management practice:
• asset management, which underpins effective patching;
• good network management;
• properly architected applications, built through a development process that includes security requirements from the ground up;
• ensuring user accounts are created using the principle of least privilege, and that there is a proper process for prompt removal of access when employees leave; and
• possibly more importantly than any of these, IT, network and development teams that work as a cohesive whole and recognise the responsibility they have to protect the company and its assets.
Cyber security is not a black box solution, no matter what some marketing blurb would have you believe.
Spending money solely on cyber security whilst not addressing fundamental flaws in IT infrastructure is like installing fire alarms in a straw house full of smokers. Effective cyber security stems from a well-managed infrastructure, with a security team working alongside those responsible for IT management.
2015 will bring more high-profile security incidents. More data will be lost, accounts breached and organisations will suffer huge losses, lawsuits and damage to reputations. Equally, spending on cyber security will continue to climb. There will be more conferences, government initiatives and hand-wringing about cyber threats. Until we see spending on IT infrastructure begin to increase, and boards recognising that their IT is a critical asset that underpins all of their business, we will not see a decline in security incidents.
www.bcs.org/security
PERSISTENT THREATS
doi:10.1093/itnow/bwv012
Valory Batchellor and Neil Warburton from IBM take a look at the recent attack on Sony and ask what we can learn from it.
2014 saw a number of very high-profile attacks on major companies and continued the trend for more frequent and bigger breaches. It was rounded off by an attack on Sony Pictures Entertainment in the USA, which had a far-reaching impact and was still making news in early January. A group called Guardians of Peace (GOP) claimed responsibility. Estimates of the data stolen vary between 1 and 100 terabytes, including employees’ sensitive personal information and personal emails between senior executives. Unreleased films were made available for download on file-sharing sites. Up to 30,000 company PCs were compromised and hard drives wiped. The company was effectively closed for business for several days, with employees reverting to pen and paper.
At the time of writing, we know that malware called Destover was involved in the breach and was active within Sony for several days before the hack became public. However, it is not clear how long Sony’s systems had been breached for or what the initial attack vector was. Spear-phishing or simple insider help may have been involved. Recently, a second group claimed it shared stolen Sony user IDs with GOP. The FBI stated this attack would have evaded many US government security measures. It currently blames North Korea, though some experts disagree.
Many companies will look to update their traditional defences such as IPS, antivirus and firewalls in the wake of the Sony attack. Major security vendors have issued guidance on configuration and/or signature updates to detect Destover, and some may leverage this incident to try to sell yet more security tools.
Is stopping Destover enough?
From knowledge of other attacks, it seems likely that Destover was a final step in a carefully planned, prolonged attack. Removing so much data takes a lot of time, as does analysing and distributing it. Identifying and halting Destover may have saved Sony’s PCs, but much of the business damage was already done. We would expect security systems to have spotted such a large data breach and raised alerts. How could it remain undetected? We’ll explore this below.
Modern cyber-attacks
The term advanced persistent threat (APT) is used to describe modern cyberattack techniques. Advanced refers to the sophistication of the attack and the fact that one or more elements are often as yet unrecognised by security products. Persistent refers to the fact that they take place over a long time (often months) and usually involve some kind of remote monitoring by the hackers. The following explains the five broad phases of an APT:
1. Break in: reconnaissance, spear phishing and remote exploits to gain access;
2. Latch-on: malware and backdoors installed to establish a foothold;
3. Expand: lateral movement to increase access and maintain a presence;
4. Gather: acquisition and aggregation of confidential data;
5. Exfiltrate: data exfiltration to external networks.
APT attacks involve a good deal of planning and often multiple attack vectors. Once in, the attackers spread to wherever they find a weakness, constantly growing their knowledge of the infrastructure and where its weaknesses are until they find what they can exploit or steal. Data is then often extracted over a long period of time.
The development of cyberattacks over time has an analogy in bank heist movies. Once, we liked our bank robbery movies to show daring smash-and-grabs, where a gang was in and out as fast as possible. If they were in the bank more than a few minutes, it was going wrong. Now, we like movies about sophisticated bank robberies that are carried out over months, often with inside help and sometimes with the robbers inside the bank for long periods (e.g., Inside Man, 2006).
With insufficient details on how Sony was attacked, we have to refer to a well-known historical APT attack to illustrate common attack patterns and make recommendations. Target was attacked in 2013. Its systems were first breached by attackers using credentials stolen from an employee of a third-party company (phase one). From there the attackers penetrated as far as the point-of-sale systems, where they installed malware (phases two and three). They also breached data servers, installed more malware and used all of this to steal credit card data (phases four and five). The in-house security systems actually detected the activity early on, and raised alerts, but these were missed or ignored. How did this happen?
Too much information
An IBM survey found that a major challenge facing many organisations is a plethora of security tools – one respondent reported 85 tools from 45 vendors. We all know what it is like to be overwhelmed by a constant stream of information coming at us.
How do you prioritise which alerts should be investigated, especially if they are on multiple screens from multiple systems? How can you improve your chances of not being the next APT victim?
Steps to mitigate risk
First, you need a clear view of your organisational security posture. Not all data is created equal, and budgets are limited. Define where the most important data is and take all necessary steps to protect it. What data has most value for the company? Where is it held? What is the best way to protect it? What risks can you bear?
Second, understand trends in security tool technology. Tools that use behaviour-based technologies to detect unusual activity have several advantages over traditional signature-based solutions that detect exploits:
• Many attacks share common behaviours, so one behavioural ‘pattern’ can cover many specific attacks.
• Zero-day exploits (no signature available) can be detected by their activity.
• You do not need thousands of up-to-date signature files; this means less reliance on updates from a vendor and quicker identification of an attack.
Third, you need to be able to interpret the output from the security tools and respond to protect your business according to the severity of the risk and potential business damage. This means visualising the activity in the infrastructure and determining quickly what matters most. This is where the application of analytics to security, security intelligence, can help. While many people have heard of security information and event management (SIEM) systems, security intelligence is more than just a SIEM. An integrated approach to security intelligence directs and augments the skills of security professionals and allows them to use their experience and judgement to best effect.
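The behaviour-based detection and alert prioritisation described above, as an added example that is not code from the article or from IBM: constructed events from several tools are matched to one of the five APT phases listed earlier by what they do rather than by a signature, chained per user, and weighted by the importance of the asset touched, so that one chain spanning several phases outranks the lone alerts that drown analysts. All field names, thresholds, asset values and sample events are assumptions made for the example.

```python
"""Behaviour-based alert correlation across the five APT phases.

This is an added example, not code from the ITNOW article or from IBM.
All field names, thresholds, asset values and sample events are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Optional

# Asset importance from the "where is the most important data" exercise
# (constructed values; 1 = commodity host, 5 = crown jewels).
ASSET_VALUE = {"vendor-vpn": 1, "ws-042": 1, "jump-01": 3, "db-cards": 5}

# The five phases in the order the article lists them.
PHASES = ["break-in", "latch-on", "expand", "gather", "exfiltrate"]


def classify(event: dict) -> Optional[str]:
    """Map one event to an APT phase by behaviour; None means 'looks routine'."""
    kind = event["kind"]
    if kind == "vpn_login" and event.get("third_party") and event["hour"] not in range(7, 20):
        return "break-in"      # third-party credential used out of hours
    if kind == "service_installed" and not event.get("signed"):
        return "latch-on"      # an unsigned persistence mechanism appeared
    if kind == "remote_logon" and event.get("admin") and event["src"] != event["dst"]:
        return "expand"        # admin logon hopping from one host to another
    if kind == "db_read" and event["rows"] >= 100_000:
        return "gather"        # bulk read far above the normal query size
    if kind == "outbound" and event["bytes"] >= 500_000_000 and not event.get("known_dst"):
        return "exfiltrate"    # large transfer to a destination never seen before
    return None


def correlate(events: list[dict]) -> dict[str, dict]:
    """Group phase-tagged events per user; keep the phases seen and the most
    valuable asset that user touched."""
    chains: dict[str, dict] = defaultdict(lambda: {"phases": set(), "max_asset": 1})
    for ev in events:
        phase = classify(ev)
        if phase is None:
            continue
        chain = chains[ev["user"]]
        chain["phases"].add(phase)
        chain["max_asset"] = max(chain["max_asset"], ASSET_VALUE.get(ev["dst"], 1))
    return dict(chains)


def prioritise(events: list[dict]) -> list[tuple[str, int, list[str]]]:
    """Return (user, score, phases) with the most dangerous chain first.

    A chain spanning several phases is far more likely to be a real intrusion
    than one anomalous event, so phase depth is squared before weighting by
    asset value: with these asset values a five-phase chain (at least 25)
    always outranks any single-phase alert (at most 5).
    """
    ranked = []
    for user, chain in correlate(events).items():
        depth = len(chain["phases"])
        score = depth * depth * chain["max_asset"]
        ranked.append((user, score, sorted(chain["phases"], key=PHASES.index)))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed sample feed: one full APT chain under a third-party account,
# plus two kinds of routine activity that would each raise a lone alert.
SAMPLE_EVENTS = [
    {"user": "vendor-acct", "kind": "vpn_login", "third_party": True, "hour": 2,
     "src": "internet", "dst": "vendor-vpn"},
    {"user": "vendor-acct", "kind": "service_installed", "signed": False,
     "src": "ws-042", "dst": "ws-042"},
    {"user": "vendor-acct", "kind": "remote_logon", "admin": True,
     "src": "ws-042", "dst": "jump-01"},
    {"user": "vendor-acct", "kind": "db_read", "rows": 250_000,
     "src": "jump-01", "dst": "db-cards"},
    {"user": "vendor-acct", "kind": "outbound", "bytes": 2_000_000_000, "known_dst": False,
     "src": "jump-01", "dst": "internet"},
    # a sysadmin's overnight patch run: an admin hop plus a signed service install
    {"user": "sysadmin", "kind": "remote_logon", "admin": True,
     "src": "jump-01", "dst": "ws-042"},
    {"user": "sysadmin", "kind": "service_installed", "signed": True,
     "src": "ws-042", "dst": "ws-042"},
    # an analyst running a large but routine report against the card database
    {"user": "analyst", "kind": "db_read", "rows": 120_000,
     "src": "ws-042", "dst": "db-cards"},
]

if __name__ == "__main__":
    for user, score, phases in prioritise(SAMPLE_EVENTS):
        print(f"{score:4d}  {user:12s}  {' -> '.join(phases)}")
```

The single-phase alerts for the analyst and the sysadmin are still listed, but far below the chain that walks all five phases to the card database and out.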
Security intelligence takes input from multiple security tools and other sources of infrastructure information, such as event logs and network flows, and correlates this against knowledge such as: infrastructure and network layout; historical behaviour; known bad agents; known vulnerabilities in the infrastructure; importance of specific assets and routes to exploit those assets. From this it should provide a ‘single pane of glass’ into the organisation, showing where the greatest threats and risks are at any given point in time. It takes advantage of the outputs from good tools and the work done to define your security posture. Although there will be set-up costs, these will be offset by much greater productivity and accuracy in dealing with incidents. Security intelligence will also increasingly become available via managed service providers or cloud-based deployments. Finally, it will help you mitigate simple human error or poor processes.
Security intelligence can be the smoke detector in your organisation: check the status regularly, change the battery (i.e., review policies as your organisation evolves) and pay attention when it goes off!
www.bcs.org/security
When it comes to security planning, John Mitchell says you can hope for the best, but you must also plan for the worst.
MAINTAIN INTEGRITY

doi:10.1093/itnow/bwv013 ©2015 The British Computer Society

The correct information at the time and place of need is what every manager desires. To do this we need to add the requirement that the information complies with the statutory and regulatory framework. Every security manager quotes confidentiality, integrity and availability (CIA), but the compliance aspect is equally important. Indeed it may be argued that it is more so, because what is the point of having good CIA if you can go to prison for a breach of the law? As an example, one could design a secure image collection, storage and retrieval system that meets all necessary CIA criteria, but if the images are of a paedophilic nature, then the CIA aspects are trumped by the compliance criterion. Likewise, one could have really excellent CIA for government secrets only for these to be put into the public domain by someone who breaks the compliance (secrecy act) requirement. Even the collection of the raw data may be in breach of compliance requirements, as may encoding it and transmitting it in an encoded format. It just depends on where you are in the world and what the local regulations are. You can be arrested in the USA for processes run in the UK, as the CEO of BetOnSports, the online gambling company, found to his detriment when he was hauled from an aircraft which was simply transiting through the USA. Although the bets were processed in the UK, the transactions passed through USA networks and online gambling is an offence in the USA. Even ignoring the compliance aspects we may face major problems with data integrity due to the way the data is initially collected. Data entry, or garbage in-garbage out (GIGO) as it is better defined, needs far more attention than it currently receives.
Simply eyeballing an entry and then pressing the enter key can lead to a nearly two per cent error rate. Even when coupled with instant validation of the entry the error rate is rarely reduced to zero. If the data quality rules allow a range, then anything within the range will be accepted regardless of its integrity. Even where only an absolute entry is allowed, such as gender, the resulting entry of M or F may still be incorrect, as we found from comparing gender with operation type in a patients’ records system, where we found several males associated with hysterectomies! We know that we are not going to get absolute data integrity at the collection stage; it simply depends on how much additional care we are willing to put into those data items that really matter. We may decide that we can live with incorrect post codes, but not with incorrect account numbers. The risk analysis should determine what is acceptable and then we should design the controls to provide for that level of acceptability. Control design is both an art and a science and really should be done at the system design stage. Ideally we should generate a table of data quality rules for each data item. The challenge here is that the data may be one of four major classes: configuration, standing, derived or transaction. Each of these has its relative level of importance. For example, configuration data may impact on the entire system, whereas standing data will only impact on the transactions to which it is applied. Derived data usually uses some standing and transaction data manipulated by some logic, so there is even more opportunity for the resulting information to be wrong. We once found a bug in a Unix compiler that resulted in a numeric one divided by a numeric one not equalling a numeric one, which made a real mess of the information being produced. Even if the compliance and integrity aspects are okay we still need to consider the availability and confidentiality aspects.
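The table of data quality rules the author recommends can be made executable, with the severity of each rule set by the risk analysis rather than by the input screen. The block below is an added example, not the author's system or code: it encodes single-item rules (an absolute entry for gender, a range for age, a format for account numbers), the cross-item gender/procedure check the author describes, and a derived-data check that recomputes a stored total. Field names, the rules, the female-only procedure list and the sample records are all constructed.

```python
"""Data quality rules table with per-item severity and cross-item checks.

Added illustration of the article's suggestion to generate a table of data
quality rules for each data item, including the gender/procedure comparison
it describes. Field names, rules and sample records are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class QualityRule:
    item: str          # data item, or 'cross-item' for consistency checks
    data_class: str    # configuration, standing, derived or transaction
    severity: str      # 'reject' where the risk analysis says errors are unacceptable
    check: Callable[[dict], bool]
    message: str


ACCOUNT_NUMBER = re.compile(r"^\d{8}$")
UK_POSTCODE = re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? \d[A-Z]{2}$")
# Constructed standing data: procedures that cannot apply to a male patient
FEMALE_ONLY_PROCEDURES = {"hysterectomy"}


def gender_matches_procedure(rec: dict) -> bool:
    """Cross-item rule: an entry of M passes the single-item check yet can still be wrong."""
    return not (rec.get("gender") == "M" and rec.get("procedure") in FEMALE_ONLY_PROCEDURES)


def total_matches_lines(rec: dict) -> bool:
    """Derived data rule: the stored total must equal what the logic would derive."""
    return rec.get("total") == sum(rec.get("line_amounts", []))


RULES = [
    QualityRule("account_number", "standing", "reject",
                lambda r: bool(ACCOUNT_NUMBER.match(str(r.get("account_number", "")))),
                "account number must be exactly eight digits"),
    QualityRule("gender", "standing", "reject",
                lambda r: r.get("gender") in {"M", "F"},
                "gender must be M or F"),
    QualityRule("age", "transaction", "warn",
                lambda r: isinstance(r.get("age"), int) and 0 <= r["age"] <= 120,
                "age outside 0-120"),
    QualityRule("postcode", "standing", "warn",
                lambda r: bool(UK_POSTCODE.match(str(r.get("postcode", "")))),
                "postcode not in UK format"),
    QualityRule("cross-item", "transaction", "reject",
                gender_matches_procedure,
                "procedure is inconsistent with recorded gender"),
    QualityRule("total", "derived", "reject",
                total_matches_lines,
                "derived total does not equal sum of line amounts"),
]


def validate(record: dict, rules=RULES) -> dict:
    """Return the messages of failing rules, grouped by severity."""
    result = {"reject": [], "warn": []}
    for rule in rules:
        if not rule.check(record):
            result[rule.severity].append(f"{rule.item}: {rule.message}")
    return result


def accepted(record: dict) -> bool:
    """A record is accepted when no 'reject' rule fails; warnings are logged, not fatal."""
    return not validate(record)["reject"]


# Constructed sample records
GOOD = {"account_number": "12345678", "gender": "F", "age": 54,
        "postcode": "SN2 1FA", "procedure": "hysterectomy",
        "line_amounts": [100, 250], "total": 350}
INCONSISTENT = {"account_number": "12345678", "gender": "M", "age": 47,
                "postcode": "SN2 1FA", "procedure": "hysterectomy",
                "line_amounts": [100], "total": 100}
SLOPPY = {"account_number": "1234567", "gender": "F", "age": 130,
          "postcode": "not known", "procedure": "appendectomy",
          "line_amounts": [40, 60], "total": 90}

if __name__ == "__main__":
    for name, rec in [("GOOD", GOOD), ("INCONSISTENT", INCONSISTENT), ("SLOPPY", SLOPPY)]:
        print(name, "accepted" if accepted(rec) else "rejected", validate(rec))
```

The severity column is where the author's "we can live with incorrect post codes, but not with incorrect account numbers" decision lives: both checks run, but only the account number (and the cross-item and derived checks) can stop the record.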
The data may produce accurate information, but if that information is not available at time of need then it is totally useless, as NATS found when it had to close a significant part of UK air space due to its air traffic control system failing. With real-time information systems the failure to deliver at time and place of need is immediately known to the customer, whereas an integrity problem may go unnoticed for years. Which brings me to the confidentiality aspect of CIA. We spend vast amounts of money in trying to ensure that only authorised people have access to our data, but as I have argued previously, once you grant privileges, then your entire control framework is based on the trust you have in that individual, and trust is not a control, it is a hope. I was taught to hope for the best, but plan for the worst. I am sure that Sony Corporation wishes that it had spent more time on the latter.

HOW SECURE IS SECURE?

doi:10.1093/itnow/bwv014

Gareth Baxendale FBCS CITP, Head of Technology, Clinical Research Network, National Institute for Health Research, looks at the ways to secure critical infrastructure.

Despite popular belief, hackers do not tend to don balaclavas before they begin their silent attacks on our infrastructures. However, we do seem to associate this bank robber-esque image with the activity of hacking and IT security. In today’s world, security is a way of life for all of us; you only have to go to the airport to be reminded of how serious it can get. For technologists the securing of data is no doubt ‘business as usual’, but as we evolve more complex methods to present our services and allow users to interact with them, the greater the risk becomes.

How secure is secure?

Securing your infrastructure can take considerable effort, and getting the correct level of security in place, at the right level, is key.
It is easy to over-engineer a solution that may impact the entire user experience. On the other hand, a poorly designed solution will require greater effort at the other end in maintaining and monitoring, and may even result in sleepless nights. When designing an approach, the infrastructure, application and data layers must be viewed as a whole, or you may secure one layer but leave another open to attack. Some questions to consider: do you want to use a DMZ (demilitarized zone) and open ports on your internal firewall for every service required? Or do you want to simply keep everything on the internal side so as not to turn your firewall into Swiss cheese? Then there is the CMZ (classified militarized zone) which, by choice, contains your sensitive data and is monitored to an extreme degree to ensure it is protected at all costs. When presenting data do you use a staging database in a different subnet to limit the chance of a direct connection to your back-end data layer? Will you consider emerging proactive database monitoring tools such as Fortinet’s FortiDB? Of course, your approach will depend on the services you are exposing and every vendor will have a different set of options for you to choose from.

Good practice

The annual security review and pen test, while still important, is now giving way to more live security reporting and analysis to provide you with assurance that your data is safe. Many security vendors now offer proactive monitoring of your external services to ensure that known exploits have not accidentally been opened up by trigger-happy firewall administrators. Some simple good practice can make a real difference, such as ensuring you have multi-vendor firewalls separating your networks. This may seem like an expensive luxury at first, but it means that any would-be attacker has two highly complex firewall technologies to overcome instead of just one.
It also means that in the rare case a vendor’s firewall has a known weakness it is unlikely that the second vendor will have the same exploit, reducing the chances of an attacker’s success. Ensuring your systems are patched to current levels is also an essential activity in the battle against the hacker. But let’s not just limit this to technology itself; ‘change control’, as a process, is an important defensive weapon against human error that might otherwise cost you dearly. Knowing what needs to be changed, gaining approval, planning who will do the work and when, along with ensuring a full impact assessment is carried out, will save you a lot of pain later on. In most cases the attack vector will be your database. This is where an attacker can collect personal details about your customers, harvest passwords and login details, collect credit card data, or, even worse, medical history and other sensitive data. While these data assets may be ‘hashed and salted’ using complex encryption techniques, the reality faced is that many organisations suffer immense reputational damage having to admit publicly that the data was stolen in the first place, even if there is no chance the data could be decrypted. Attacks from within, by members of staff, are also now commonplace. Take for example a very high profile insurance company which suffered embarrassment when two members of staff acquired data on customers’ recent insurance claims and sold it to claims management companies. Also, don’t assume that a hacker will always attack from the perimeter of your network from an obscure country. Keeping the virtual front door locked, but leaving the physical back door open, can be a perfect way for a determined hacker to gain access. Local attacks are as much a risk as remote ones.

The tiger hunts

Take the following as an example: if a hacker knows where your office is located (let’s be honest, Google will show them the front door!)
they may attempt to access your premises as the air-conditioning or printer repair man. Of course they are not on the list of expected visitors, so off reception go to find out the score from facilities management, leaving the reception desk unattended. Our hacker printer repair man pulls out a Wi-Fi router, loops it to the back of the reception PC and hides it behind the desk. The receptionist returns and informs our hacker printer repair man that no repairs are scheduled. ‘It must be a mix up at HQ,’ he says and politely leaves. He now heads for his car and connects over Wi-Fi to the router he has just planted. He now has access to your LAN and the attack begins. This activity is often done by ‘ethical hackers’ who are paid by companies to find weaknesses in their security processes and is known as a ‘Tiger Attack’. It could, however, be a real event if your data is valuable enough to an organised crime syndicate or someone who wants to damage your company’s reputation. Sadly, the weakest link in data security is almost always the human. Socially engineered attacks are the first weapon in the arsenal of the hacker. With it they can pose as your local service desk team and email unsuspecting staff about an ‘urgent security breach’ that requires them to change their password immediately. Your staff are super trained in security and data protection, the email has the company logo and looks genuine, so the security-conscious staff member clicks on the link to change their password. Once complete the member of staff feels proud that they have dutifully followed the security advice and probably begins encouraging the rest of the team to do the same. Little do they know they have just typed their username and password into a fake web page where our hacker will harvest and use the details entered to access services like Outlook Web Access in order to read sensitive emails, or a VPN service to gain remote access to the network.
However, since we always use different passwords for all our internet accounts there is absolutely no chance that our hacker might use the same harvested details to access our personal eBay, PayPal or other financially related site, right?

Know thy enemy

We all hope that our online accounts are secure and that we have dutifully set up all the mandatory PINs, secret words, picture security and the like. Each site though typically uses a different selection of security options and this poses an easy way for a hacker to collate a security profile on us. It only takes one site to reveal some data on us for a hacker to use that data to access another site. Basic security questions like ‘What’s the name of my dog?’ can easily be harvested from your Facebook account where you’ve shared cute pictures of your little mutt. The oft-used mother’s maiden name is also at risk, with your family history being on show on Facebook. Hackers can even use this information to ring up support lines and pose as you to get account passwords reset, so be careful about your choice of security questions. Where possible always use two-factor authentication, where a random PIN is sent to a device you have such as your smartphone. Oddly eBay doesn’t offer this feature, probably one of the sites we use the most! In the battle to protect your data the best advice is to think like a hacker. A hacker will target the weakest link, so the question for you is: what’s your weakest link? This applies to your company’s data assets and your own personal data. Don’t be caught out by focusing exclusively on the complex end of security; the real risk lies in the simple and often unnoticed day-to-day functions of your organisation. And don’t forget to review your own personal security profile so as not to be the next victim of those pesky hackers.
SOMEONE IS WATCHING YOU

doi:10.1093/itnow/bwv015

While there were a number of prominent security incidents in 2014, there were undoubtedly more than those reported, says Nic Oatridge MBCS.

The attack on Sony Pictures was one of the most widely reported in 2014; however, in my experience many organisations choose to keep mum about them. One incident I looked at in 2013 involved a serious security incident at a relatively small subsidiary of a major corporation. The company chose not to disclose it for fear that it could lead to the subsidiary winding up, or that it could adversely affect the reputation of the parent company. Many companies adopt the same approach. The number of attempted security breaches is probably impossible to assess, but is almost certainly more extensive than most people think or most surveys suggest. Atos, the worldwide IT partner for the Olympic Committee, detected over 255 million security alerts on its security information and event management (SIEM) system during the London Olympics, of which 4.5 million constituted significant events and over 5,000 resulted in incidents that required further assessment. No security incidents impacted live competition, but it can clearly be seen that the scale of the assaults on organisations can be staggering. Small businesses who do not court controversy or international attention may feel that the firewalls, security patches and password systems they have in place constitute the extent of the controls they need to have, but the leading information security management standard, ISO27001, identifies no fewer than 114 areas where controls are likely to be required. And the need for adequate controls is critical even for a small undertaking. I run a number of websites and it is revealing to analyse the traffic I receive.
Take one website, SwissWinterSports.co.uk, a site aimed at informing English-speaking skiers and snowboarders about winter sports in Switzerland. It gets a modest amount of traffic, with several hundred legitimate visitors a day. However, the leading sources of hits during one typical week in December were respectively an ISP in Israel, a suspicious unknown IP address, a known comment spammer, a Russian spam harvester and a Ukrainian spam harvester. Throughout the list of visitors and in the error logs was evidence of highly suspicious activity. Two of the most common sources of 404 ‘document not found’ errors were requests to the administrative login pages associated with Wordpress and Joomla, neither of which I host at this site, so presumably these are attempted security breaches. The 404 errors included a number from known bugs and legitimate sources, such as hits on icon files that don’t exist, but most were not. As you might expect for a website of this nature, the countries associated with the most traffic are the UK, USA and Switzerland, but lurking in the top ten are China, the Russian Federation and Ukraine. Brazil, India, Israel and Romania also often feature in the top 20 of countries visiting the site, countries not renowned for their love of skiing. This unwanted traffic may not breach security (although one day it might), but it is a source of unwanted consumption of bandwidth and processor performance, to the extent that some sites now bar traffic from countries they do not target, and I would definitely recommend that you bar some countries from accessing the administrative pages of your CMS. Incidentally, you may wonder where North Korea figures in this, but their spooks, such as the notorious Unit 121, that reputedly hacked Sony, operate out of China with Chinese IP addresses. I mention the risk to web tools, like Wordpress.
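The log review described above (404s against CMS login pages the site does not run, set apart from the benign icon-file misses, plus a country bar on the administrative pages) can be automated. The block below is an added example and not the author's own scripts or logs: it parses lines in the common ‘combined’ web server log format, classifies each 404, counts probes per source address, and applies a geographic restriction only to admin paths. The log lines, addresses (RFC 5737 documentation ranges), the probe and benign path lists, the `/admin` prefix and the allowed-country set are all constructed; a real deployment would take the country from a GeoIP lookup, which is not included here.

```python
"""Spot CMS administrative-page probing in web server logs.

Added illustration of the log analysis the article describes: 404s against
WordPress and Joomla login pages on a site that hosts neither are treated as
attempted breaches, benign 404s (icon files) are set aside, and admin paths
are restricted to the countries the site actually serves. Log lines,
addresses and path lists are constructed stand-ins, not the author's logs.
"""
import re
from collections import Counter

# Apache/nginx 'combined' log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Login/admin paths of CMSes this site does not run: any request is a probe
PROBE_PREFIXES = ("/wp-login.php", "/wp-admin", "/xmlrpc.php", "/administrator")
# 404s that browsers and legitimate crawlers produce on their own
BENIGN_404 = ("/favicon.ico", "/apple-touch-icon", "/robots.txt")
# Countries the site actually serves; only these may reach the real admin pages
ADMIN_ALLOWED_COUNTRIES = {"GB", "US", "CH"}
ADMIN_PREFIXES = ("/admin",)   # constructed location of this site's own admin pages


def parse_line(line: str):
    """Return a dict of fields, or None for a line not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_404(path: str) -> str:
    """'probe' for CMS admin paths not hosted here, 'benign' for expected misses, else 'other'."""
    if path.startswith(PROBE_PREFIXES):
        return "probe"
    if path.startswith(BENIGN_404):
        return "benign"
    return "other"


def summarise(lines):
    """Count 404 categories overall and probe attempts per source address."""
    categories = Counter()
    probes_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        kind = classify_404(rec["path"])
        categories[kind] += 1
        if kind == "probe":
            probes_by_ip[rec["ip"]] += 1
    return categories, probes_by_ip


def admin_request_allowed(path: str, country: str) -> bool:
    """Geographic bar applied only to the administrative pages, not the public site."""
    if path.startswith(ADMIN_PREFIXES):
        return country in ADMIN_ALLOWED_COUNTRIES
    return True


# Constructed sample lines
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2014:14:22:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2014:14:22:03 +0000] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2014:14:25:10 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Dec/2014:14:26:30 +0000] "GET /resorts/zermatt.html HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2014:14:27:45 +0000] "POST /xmlrpc.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2014:14:28:02 +0000] "GET /apple-touch-icon.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Dec/2014:14:29:11 +0000] "GET /old-page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    cats, by_ip = summarise(SAMPLE_LOG)
    print("404 categories:", dict(cats))
    print("probes per source:", dict(by_ip))
```

Separating the probe count per address from the overall category totals is what makes the output actionable: the addresses with repeated probes are the ones worth checking against a reputation service such as those the article names, while the benign bucket keeps icon-file misses from inflating the picture.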
By some measures, Wordpress powers a quarter of the web and, in the same way Windows became a target for viruses because of its ubiquity, Wordpress suffers similarly. Fortunately there are many add-ins to improve security, but one problem with frameworks in general is that they contain way more functionality than you need, which you should therefore disable if you can, and their open source is no doubt pored over by hackers looking to find zero-day exploits. Many spam servers are not operated directly by criminal gangs, script kiddies, hackers and government agencies. Instead poorly protected, innocent servers are turned into zombies, sending dubious traffic out from their unknowing hosts, who in turn then get identified as suspect and may suffer loss of service or reputation as a result. Project Honeypot acts as a target for robots, crawlers, spiders and spammers to identify who they are and whether they are legitimate. To date they have identified many millions of harvesters, spam servers, comment spammers, dictionary attackers and other suspect visits to their honeypots. They provide a useful tool for checking suspect IP addresses at projecthoneypot.org, as does IPvoid.com and a number of other online sites. Unfortunately the most accomplished intruders operate stealthily and often look like legitimate traffic. Spammers are a nuisance, but an SQL injection or denial of service (DoS) attack could be much more serious. Moreover the different form factors and increasingly sophisticated user interfaces that employees, customers and consumers expect increase significantly the likelihood of backdoors to your most coveted information assets. The importance of having a concrete security architecture and pro-actively maintaining it is imperative. I have seen sites that have encrypted sensitive personal data on the same infrastructure as the keys required to access it, with the inevitable consequence. It is simply not tenable to think it is safe to hold all company data behind one impregnable perimeter, as one breach can compromise many information resources. Similarly it is hard for organisations to have every information and communication system they operate accessed only by locked-down devices. Although the cloud has become widely recognised as requiring particular security considerations, many organisations operate what are effectively private clouds in which information of differing confidentiality, integrity and availability (CIA) requirements is all treated equally.
All information assets should be classified with the risks formally identified and managed appropriately, even in the smallest enterprise. If anything, it is the smaller operation that is more at existential risk from poorly managed information than large diversified organisations. Associated with the architecture are clear policies and these should not only cover networked assets but embedded systems and stand-alone systems, indeed anything that has a microprocessor; remember Stuxnet? Even a well-designed security architecture does not offer full protection if security operations are not effective. As the breaches at Sony demonstrate, a truly determined hacker may be able to overcome virtually any security measures. This emphasises the importance of effective security information and event management, so that security risks and incidents can be identified quickly or even anticipated. The quality and speed of response to a security incident is also important. A leading company I worked with was hacked by Anonymous and, whilst they were figuring out how to address the circumstances that gave rise to the hack, got hacked again through the same port.
This emphasises the need to replay security incident scenarios so that there is a clear course of action understood by all involved parties in the event of a serious security incident. And we all do backups, don’t we? However, when did you last check the integrity of your backup data, how quickly you can recover, or whether the security policies you used when you first implemented your backup system are still appropriate? I mentioned ISO27001 earlier. Essentially it mandates organisations to implement a rigorous management control system with periodic security audits. It does not guarantee that an organisation follows perfect security management practices, but it is a start. However, in this heavily interconnected world, it may not be your security policies that lead to a security incident. The major breach at Target occurred because a contracted company did not follow effective policies; Snowden was a contractor. For organisations that have not yet been hit by a major information security incident, work on the basis that it is probably only a matter of time. The new year is as good a time as any to reflect on the consequences, as many executives who suffered security breaches in 2014 are doing now, belatedly.

SECURING DIGITAL TRANSACTIONS

doi:10.1093/itnow/bwv016

With today’s smartphones, transferring money at a branch or ATM is quickly becoming a thing of the past. But how can you be sure that your money and personal information are secure when banking on your smartphone? asks Alex Grant, Managing Director, Fraud Prevention, Barclays.

According to a recent study, over £4 billion worth of transactions were processed in a single month using smartphones in 2014 [1]. It’s undeniable. Using banking apps on smartphones to check balances or manage your money is becoming a way of life.
The growing reliance on these kinds of transactions has put security at the forefront for banks and customers alike. The new BSI Kitemark for Secure Digital Transactions assures security for a wide range of online transactions including entertainment and gaming. Today’s website and software developers have to consider a wide range of threat vectors. Moreover, they have to ensure functionality over numerous disparate browsers and operating systems. This is particularly crucial with financial transactions, where the threat of password compromise or malicious URLs needs to be managed. Currently, criminals target websites and smartphone applications that manage financial transactions because the rewards are quick and plentiful, and because they’re able to exploit complexities within the systems that lead to vulnerabilities. Despite the many secure software development methodologies already available, the pressure on developers to be more agile and deliver to market often leads to shortcuts and the acceptance of unnecessary risks.

Collaboration

BSI created the Kitemark as a sign of quality in the early 1900s, and it’s become a familiar symbol of quality, safety and trust in marketing and consumer materials over the years. Barclays commissioned a survey to determine whether the presence of the BSI Kitemark would provide banking customers with a similar level of comfort – encouraging them to register for their free banking products. The survey concluded that wary customers were more likely to register for and use a product associated with the Kitemark.

Testing

A key part of any Secure Digital Transactions Kitemark would be the testing of the systems to be certified to ensure that they were secure to a measurable standard. The common vulnerability scoring system (CVSS) was chosen as the most consistent and reliable method to measure the risk of vulnerabilities across software, infrastructure and services.
The Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) was chosen as the standard to define the level of depth and rigour with which testing would be conducted. The functional testing of the product in its production environment rather than development releases was critical to understanding how susceptible the banking products were to external malicious attack and in setting a benchmark of what good looks like. Penetration testing company Gotham Digital Science (GDS) performed the security testing to the level defined for the Kitemark and delivered a functional penetration test report that identified some vulnerabilities, but importantly none were above the critical CVSS value of 7.0, which would be considered a major vulnerability. The management and resolution of lower risk vulnerabilities used a standard model that was an existing component of the ISO/IEC 27001 Information Security Management System operated by Barclays. A continuous surveillance visit by BSI ISMS auditors resulted in several actions that needed to be addressed to achieve the Kitemark criteria. The BSI Kitemark certification ensures that a product or service meets the required British, European or international standard for quality, safety, performance and trust. Like ISO/IEC 27001, it’s a voluntary certification, but is provided by BSI – which maintains impartiality and independence and is recognized for its rigorous standards for apps and online transactions. This includes a process of ongoing assessments to maintain high levels of security.

Reference

1.
FS Tech www.fstech.co.uk/fst/Barclays_Smartphone_App_Payments.php

THE SECURITY BALANCING ACT

doi:10.1093/itnow/bwv017

Graham Titterington examines the many challenges organisations face with IT security.

We live in a market-driven economy and the link between security expenditure and its return on investment is tenuous. Information security gives a form of insurance: protecting the assets, reputation, customer confidence, brand and, increasingly, the physical security of the business as more things become internet connected. While these things are the most valuable business assets, they are hard to quantify. Neither the goals nor the route to achieving security are clear. Total security is impossible as people are a major component in the risk scenario. In addition the IT infrastructure in almost all businesses is vast and not fully documented. The threat environment is continually changing and becoming more menacing, coming from sources as diverse as foreign powers and disaffected employees. There are many laws and regulations emerging in this area, notably data protection legislation, but these set objectives and the route to delivering the requirements is not defined.

Security must therefore be viewed as a component within the risk management infrastructure of the organisation. The level of security should be determined by the needs of the business and in relation to the provision of all forms of risk mitigation. Various frameworks such as the ISO2700n family of standards, COBIT and its extended form RiskIT help to steer these deliberations, but judgements remain subjective. On a positive note, the growing importance of online transactions, the increase of regulatory compliance (including initiatives such as those of the payment card industry), and increasing awareness of cyber risks have increased the awareness of business leaders of the need for security.

Security strategy in a business can only be delivered in an efficient way if there is a top-down strategy driven by the board and structured along risk management lines. This won’t guarantee success, but it will help to clarify policies and should be flexible enough to accommodate changing circumstances.

Security is subordinate to the business

In general the business decisions relating to information security spending should be made on the basis of what level of risk is acceptable, and what is the most efficient way of achieving the necessary risk mitigation. IT security is a necessary burden for most organisations. Customers, partners, staff, suppliers and other stakeholders expect an organisation to be secure and it is, therefore, hard to sell security as a value-added commodity. However, the cost to the business of not providing effective security is enormous, possibly ruinous. Despite this, security professionals are always under pressure to cut costs. The potential risk in the information security field is hard to quantify. From an actuarial point of view, rare major losses are harder to estimate than more frequent lower level losses. The biggest single risk for most businesses is brand degradation, and this is particularly hard to quantify. The cost of a security breach is often borne by a party other than the one that was responsible for the lapse. For example, individuals bear the consequences of leakage of their personal data, and are only partly compensated by the organisation that leaked them.

You can’t secure what you can’t manage

Securing IT systems is an integral part of managing IT systems.
The first requirement to secure something is to have an accurate record of what you have, how it is being used, and what it is being used for. Most organisations struggle to stay up-to-date with the status of each of their servers, let alone with user PCs spread across multiple sites and countries. Simply managing all their digital certificates is challenging. Furthermore an integral part of any IT system is the users, who may be employees, subcontractors, suppliers, customers, partners or others. All of them are human and therefore unpredictable. The human risk is most evident in protecting removable storage and mobile devices. If we ignore people who deliberately seek to subvert security, others will make mistakes or fall for some form of social engineering scam. The corporate infrastructure is increasingly incorporating personal devices that are harder to manage and secure than corporate-owned devices.

Who is responsible?

IT security needs to be driven by the top level management in an organisation, and in most cases there is now a policy framework coming from the board. However, this is only the first step. Differences in the vocabularies used by the business and the IT department have impeded communication down the line. Information security is a requirement on people throughout an organisation and the deployment of IT security products is often delegated to departmental level. For example, marketing or business development may well be responsible for corporate websites. IT departments generally run data centres. Identity management and user access controls often come under the remit of the HR department. This is a problem because information security needs to be viewed from a holistic perspective in order to identify residual levels of risk resulting from policies and practices in each area of the corporate operations.

Where does the threat come from?
There is a wide gulf between headlinegrabbing stories such as the Sony Studios hack and a typical cyber-attack. Most incidents are the result of mistakes or random malware attacks. However, the deliberate attacks have the most serious consequences. Deliberate attacks are planned, determined and often long-term. Such attacks may come from disaffected employees and former employees, competitors, criminal gangs usually intent on fraud or theft, or governments. The criminal gangs are the main danger for most businesses. Attacks can involve a multi-stage process that starts with a social engineering approach aimed at stealing key passwords and user credentials for use in subsequent stages of the attack. In some cases spyware is downloaded into the organisation. However, ultimately attackers are driven by their own need for profit. This can come from a few high value information assets, a multitude of relatively mundane information assets, or from inflicting damage on an opponent. Security management Security management is a developing area for product support. The higher levels of security management have to dovetail into business process frameworks and risk management. The intermediate layers include monitoring and managing the configuration of IT infrastructure, and the security information and event management (SIEM) field. While most compliance regulations are expressed in business terms (with the notable exception of the payment card Industry data security standard), the delivery of these requirements necessitates numerous security controls. This means that the reports available from security management products are crucial to satisfying compliance requirements. However, they do need to be re-presented in a format required by each set of regulations. When it comes to deploying security products it is helpful to get products that are well integrated with each other, even if this means selecting on a basis of fit-forpurpose, rather than best of breed. 
Many organisations are seeking to rationalise their suppliers to help achieve this, as well as to get better contractual terms.

www.bcs.org/security
March 2015 ITNOW 41

LEARNING AND DEVELOPMENT
DEVELOPMENT AND MENTORING
doi:10.1093/itnow/bwv018 ©2015 The British Computer Society

Jill Dann FBCS CITP, Director at Consultation Ltd, takes us on a whistle-stop tour of BCSWomen Specialist Group’s methods and tools.

It is an individual’s responsibility to take on their own professional development and mentoring. The BCSWomen Specialist Group seeks to support women returning to STEM careers as well as to inspire women to have the best possible career utilising their potential. That doesn’t absolve any employer from their responsibility to support employee development; however, development needs to support an individual in ways that make sense to them, in a way that extends beyond their workplace or current role. Some women may not have resources from an employer, or may be on a career break or have other responsibilities holding back their ability to focus on their careers, for example parental care or childcare responsibilities.

Women are encouraged to join BCS and BCSWomen to gain access to the Personal Development Plan tools, the Career Mentoring Network (currently in pilot phase) and the group’s initiatives, such as the events run this past summer on 3 and 23 June 2014, to train mentors in some of the necessary skills. The materials, both a slideshow and an exercise workbook, are available; Scotland and Wales have run their own branch events using them.

Your goals, your outcomes

Any development activity is only valuable in its effect on the individual, which is why we focus on outcomes. Reflection on what was gained from an activity is essential, as it can help focus on the valuable outcomes and aid future planning. Reflection on personal direction and development undertaken can then lead to goals and a clearer idea of what is actually helping.

A broad view of what works

What are relevant development activities? Basically, anything that helps you progress in a measurable way. If you are looking for activities with specific outcomes to meet development goals, then it is important to think broadly about sources of help and to recognise the triggers for changing behaviours. BCSWomen hold events around the country and can make materials available wherever you are based. Anything from an eBook, seminar, discussion and online material, to a conversation can contribute to your development. Structured activities like BCS courses and certifications can be very useful and, in some careers, necessary. A blended approach, focused on a goal such as employment, role change or progression, is a good idea. Reports and articles, through to joining a group committee, working group or contributing to a policy statement, can lead to relevant outcomes against goals. Going for Chartered status can help to move your career forward. Simply meeting up with other professionals can expand your horizons, all the way through to more structured mentoring towards a particular purpose.

Guidance and resources

www.bcs.org/cpd contains a range of guidance notes that can help you set out on a development journey and has suggestions on resources and events that might be useful to you.

Getting systematic

Setting goals and recording your activities provides a basic structure for your development. With this in mind BCS has the Personal Development Plan (PDP), an online tool to help you record and plan goals and activities, which is highly customisable to your needs. It’s available to all at www.pdp.bcs.org, but with some functions restricted to members. It embodies our philosophy of development, and it can be configured to suit your way of working. Members can also report against goals for sharing with others.
Mentoring

A mentor can, for example, help a mentee to acquire technical expertise, to gain knowledge and skills, understand appropriate behaviour in social situations and to understand the workings of an organisation and its expectations of their role. No blueprint exists for the ideal mentoring relationship, but what is common to all cases of mentoring is that the mentee comes to view things in a different way with expanded horizons. The mentor engenders change in the mentee, helping that person towards a new vision of attainment.

Mentoring can be useful through any part of your development journey, helping you look at your career direction, planning goals, or as an activity against a goal. Mentoring others can, in turn, be very rewarding and a useful development activity in itself, as well as supporting the wider development of the profession. This is a great way of getting support in your development and is a key element of BCS’s professional culture. Being a mentor is open to anyone who has something to offer and is not restricted solely to those with long experience.

The BCSWomen Specialist Group can provide the materials for interested members to run events to educate mentors and mentees. BCS plans to launch its Career Mentoring Network, which will enable members to make connections with mentors and mentees as well as through specific programmes (e.g. BCS Women, BCS Entrepreneurs).

www.bcs.org/bcswomen

LEARNING AND DEVELOPMENT
TECHNOLOGY MEETS TRADITION
doi:10.1093/itnow/bwv019 ©2015 The British Computer Society

Paul D Jagger FBCS CITP, a Court Liveryman of The Worshipful Company of Information Technologists, explores the role of the Company, its links with charity, education, industry and fellowship, the armed forces and the City of London’s government.

Clearly the IT profession didn’t grow out of a medieval guild, so it may surprise readers to learn that IT has its own guild in the UK, namely The Worshipful Company of Information Technologists (the Company). The Worshipful Company of Information Technologists is one of 110 livery companies in the City of London. The Company was formed in the mid-1980s and achieved the status of a guild soon after. In 1989 it was granted a Coat of Arms and in 1992 the government of the City of London conferred livery company status upon the guild. In 2000 the Company moved into what it describes as its ‘first hall’, premises in the City of London that are the home of the Company for business and social events. In 2010 the Company received a Royal Charter presented by HRH The Earl of Wessex on behalf of HM The Queen and in 2011 the Company opened its first school, a project jointly funded with The Mercers’ Company (the most senior of the City livery companies).

What is the role of the Company?

The Company is immensely active and despite its youthful status it punches far above its weight among the other livery companies. Some of the more tangible ways in which the Company achieves its Royal Charter aims include:

Education
The Company jointly founded Hammersmith Academy with the Mercers’ Company. The Academy opened in 2011 and has a strong technology focus. The Company also provides school governors, practical support and mentors to students at Lilian Baylis Technology School in Lambeth. With the support of the Company, Lilian Baylis achieved an outstanding rating in all aspects of its 2014 Ofsted assessment.

Charity
The Company has been successful in supporting several charitable initiatives, including partnering with Litelites, an organisation that provides assistive technology to severely handicapped children. The Company also founded iT4Communities, which links IT professionals seeking to give their time and talent to non-profit organisations.

Industry
The Company is described in City circles as ‘a working company’, meaning it is made up of members who are still active in the occupation represented by the company. The Company also has links with BCS at both the organisation and membership level, and those links form the basis for several joint initiatives, such as an Oxford Union style debate in 2013. The Company also has links with the trade association techUK, and many employers of IT professionals.

Fellowship
The Company hosts a monthly informal get-together at Bangers Wine Bar in the City of London; it also hosts four annual business lunches with notable speakers drawn from industry. There are a further three formal events: the Master’s installation service and dinner, the New Freemen’s Dinner and the Partners’ Dinner, a white tie banquet held at The Mansion House, which is the apex of the social calendar.

Armed forces and cadets
The Company has a long-standing relationship with The Royal Signals, the IT combat support arm of the British Army. The Company awards prizes for excellence among the soldiers and officers of the Royal Signals and provides career advice and mentorship for those transitioning from the military to civilian occupations. The Company also has affiliations with two cadet forces units in the Greater London area. The cadets often provide a carpet guard at formal company events.

Civic duty
The senior members of the Company, known as liverymen, have the right to participate in the annual election of the two sheriffs of the City of London, and with the City’s Aldermen they elect The Right Honourable The Lord Mayor of London, the world’s oldest extant democratically elected office.

Who joins the Company?

The membership comprises business leaders, IT entrepreneurs, freelance IT professionals, academics, IT practitioners in businesses of all sizes and those working in allied professions such as law, financial services and the information content industry. With nearly 800 members, the Company is among the largest of the livery companies. The Company has a diverse membership, already having provided three female Masters, and there are members from a wide range of social and ethnic backgrounds. What binds them all together is a desire to give back to the profession, and to meet in fellowship. The Company also operates a very successful journeyman scheme, a mentorship programme for graduates in the early years of their occupation. Many of these journeymen (the term imports both genders) go on to become Freemen of the Company.

Church
Whilst the livery companies welcome those of any faith or none, each Company is affiliated with a church in the City. The Priory Church of Saint Bartholomew the Great is the place where the Company comes together to worship for a number of annual events.

How does the Company link with tradition?

The Company participates in many city-wide traditions such as the annual Lord Mayor’s Show and the United Guilds Service at St Paul’s. The Company also embraces the customs and ceremonies associated with all livery companies at formal dining events. Members have the opportunity to become Freemen of the City of London and even to stand for elected office in the City. Four members of the Company have served in the office of Lord Mayor of London.

Relationship with BCS

The Company and BCS have complementary roles that enable both to collaborate where relevant, but focus on different societal roles. BCS focuses on developing the IT profession for the benefit of UK Plc, and for the IT professional. The Company focuses on charitable giveback and providing an environment for fellowship. The Company counts among its members many Members or Fellows of BCS and several past presidents.

What are the benefits of membership?

The Company is one of those organisations where members get out what they put in, and consequently each member’s experience will differ. Some of the highlights of membership include:
• meeting with some of the most influential people in the IT profession in a neutral setting;
• participating in the traditions, customs and ceremonies of the City of London;
• becoming a Freeman of the City of London (yes, they can and do take sheep across London Bridge);
• the opportunity to make an immense difference in the lives of less fortunate people through charitable activities;
• participating in some truly memorable and historic social, civic and professional events;
• mentoring entrepreneurs, small businesses, students and soldiers to help them develop and grow their IT career.

A common misconception is that livery companies are a branch or offshoot of Freemasonry. Whilst there is no direct connection between the livery companies and Freemasonry, it is probable that Freemasonry grew out of the City of London livery companies in the late 17th Century. You don’t have to be a Freemason to join a livery company.

What if I don’t live in or near London?

Livery companies are creatures of the City, and as such their life is centred on the City of London. However, the Company has members all over the UK and there are regional groups outside of London. There is a wealth of sporting and social events that happen outside of the City and many ways for members to get involved without regularly coming into London.

How would I go about joining?

The Company is always keen to welcome new members, male or female, young or old, short or tall! The best place to start is simply to contact the Company at IT Hall and ask for the application form. If you don’t know anyone in the Company, then the staff at IT Hall will put you in touch with someone who shares a similar background or perhaps lives near to you.

www.wcit.org.uk

HEALTH INFORMATICS
EMAIL ARCHIVING AND HEALTH
INTRODUCTION TO BCS HEALTH

Mike Freeman, Sales Director, Techne-Comm Ltd, discusses the importance of email archiving in the healthcare sector.
Gareth Baxendale FBCS, Head of Technology, National Institute for Health Research, Clinical Research Network, University of Leeds, introduces himself and BCS’s health informatics group, BCS Health.
doi:10.1093/itnow/bwv020 ©2015 The British Computer Society
doi:10.1093/itnow/bwv021 ©2015 The British Computer Society

We all like a warm welcome, so please accept a convivial welcome from the volunteers and BCS staff that make BCS Health what it is today. Now we’re all friends, please let me share with you a little about who we are…

What is BCS Health?

Well, perhaps I should start with the role I play on behalf of BCS Health. I have recently been privileged to take on the role of Vice Chair Communications and Publications, so it will come as no surprise that I am somewhat keen on socialising and educating (pretty much with anyone who will listen) on the amazing work and effort that goes on at BCS Health. We work as volunteers bringing our professional experience to the table to help with health IT challenges and support the interests of both patients and health professionals. BCS Health has many branches of activity that you may not be aware of; in fact many of the activities you are welcome to join and participate in.

BCS Health’s focus is really about modern healthcare and both the technology and patient data that support it. On the subject of data, BCS Health feeds into an independent group called the Professional Records Standards Body, which was set up to represent patient and care professional organisations on the type and structure of data that should be included in care records. BCS Health also works to influence policy and is represented on the BCS Policy & Public Affairs Board, who consider policy affecting the IT profession and wider society. BCS Health also works with government and responds to relevant policies and consultations, offering position statements on behalf of you, the member. BCS Health supports and influences professional standards; for example, we are involved in supporting the new Federation of Informatics Professionals (FED-IP), which is an exciting initiative to increase the professional standing of informatics professionals and bring the many informatics professional bodies together under one agreed approach.

How to get involved in BCS Health

As a member of BCS you can simply join our merry band by selecting ‘BCS Health’ from the list of specialist groups in your secure membership area. Upon selecting the option you will not only enjoy a warm fuzzy feeling, but also start to receive updates and invitations to specialist events sent out by BCS Health. You can also join a regional BCS Health Group, including BCS Health Wales, Scotland, Northern, London & South East and Northern Ireland, and other supporting groups such as BCS Primary Health Care, BCS ASSIST and BCS Nursing. All play a part in shaping and influencing key issues faced by patients and professionals across the health IT spectrum.

www.bcs.org/health

Within the UK healthcare sector, NHSmail is rapidly being adopted by NHS trusts. It is the only dedicated mail system to have received government ‘OFFICIAL SENSITIVE’ accreditation and to be fully approved by the Department of Health for the purpose of sharing patient-identifiable and other sensitive information. As a result, the vast majority of NHS organisations are using it in some form, with usage growing due to the refresh initiative driven by HSCIC, as well as the approval of the ISB 1596 Secure Email standard in March 2014. NHS trusts and organisations are being encouraged to either move to NHSmail or bring existing email systems in line with the new standards.
NHSmail is currently being used by over 500,000 GPs, healthcare workers and other staff within the NHS. It brings a number of benefits to users – both those dealing directly with patients, as well as other staff, such as those in administration or procurement roles. NHSmail is a national system, run by the NHS, ensuring that users can share folders and calendars across organisations. It is a secure service, with emails protected to the standards set out by the UK Government. NHSmail is also cost-effective, fast and always available, allowing users to have access to the information required 24 hours a day and from any device.

However, the one downside to NHSmail is that for the majority of users the size of the mailbox is limited; storage space is approximately 400MB. For users sending patient data, files and scans on a daily basis, this can be problematic, especially considering that much of this information must be kept for compliance and legal reasons. The role of email archiving, therefore, is an important one.

The main requirements for an archiving solution are ease of use and accessibility. With the importance of the information being exchanged, it is crucial that it can be easily found and accessed, whilst remaining 100 per cent secure. For NHSmail users, emails can be archived using Outlook Personal Storage Folders, also known as PSTs. The difficulty with using this format is that users are not necessarily aware of where these files are stored; they can be saved to the desktop of the user or a network drive, which undermines security and can cause storage issues. Folders larger than 2GB are often prone to corruption and if this occurs, valuable data could be lost. PSTs are also costly to back up as a large amount of space is required when they are backed up regularly. In addition, searching for these files is complex, which can present a challenge when, for example, responding to a Freedom of Information (FOI) Act request.
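Before an archiving project can replace PST files, somebody has to find them. The following PowerShell script is an added example, not code from the article, from NHSmail or from Techne-Comm: it inventories PST files on a Windows machine, records where each one lives and who owns it, and flags the ones that are over the 2GB figure mentioned above or sitting on a network path. The scan roots, the size threshold, the UNC test and the CSV output location are assumptions for the example; adjust them to the estate being surveyed.

```powershell
# Added example (not from the article): inventory PST files so that archives left on
# desktops or network drives can be located, sized and reported before they corrupt
# or get lost. Assumes it is run from an elevated PowerShell prompt on a Windows client.
param(
    # Constructed defaults: local profiles only. Add UNC paths (\\server\share) for
    # mapped drives, since a drive letter alone does not reveal that it is a network path.
    [string[]]$ScanRoots = @("$env:SystemDrive\Users"),
    # Size above which the article reports PST files become prone to corruption.
    [long]$WarnBytes = 2GB
)

$report = foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -File excludes folders; SilentlyContinue skips profiles the account cannot read.
    Get-ChildItem -LiteralPath $root -Filter *.pst -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                SizeMB        = [math]::Round($_.Length / 1MB, 1)
                LastWrite     = $_.LastWriteTime
                Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
                OverThreshold = ($_.Length -gt $WarnBytes)
                # UNC paths start with two backslashes; mapped drive letters will not match,
                # which is why network shares should be listed in $ScanRoots as UNC paths.
                OnNetworkPath = ($_.FullName -like '\\*')
            }
        }
}

# Full list, largest first, then the subset that needs action from the archiving project.
$report | Sort-Object SizeMB -Descending | Format-Table -AutoSize
$needsAction = $report | Where-Object { $_.OverThreshold -or $_.OnNetworkPath }
"{0} PST file(s) found, {1} over {2} GB or on a network path" -f `
    @($report).Count, @($needsAction).Count, ($WarnBytes / 1GB)

# Constructed output location; point it at wherever the project keeps its evidence.
$report | Export-Csv -Path "$env:TEMP\pst-inventory.csv" -NoTypeInformation
```

Run it per machine (or push it through whatever management tooling the trust already uses) and collect the CSV files centrally; the owner and last-write columns tell the archiving team which files are live mailboxes that still need migrating and which are abandoned copies that only need securing and removing.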
For critical sectors, such as healthcare, archiving solutions should, therefore, be easy to use and accessible. Searching for specific information, for both the user and supervisor, is made easier if the personal folder structure of a mailbox is replicated within the archiving solution. Additionally, being able to search according to different criteria, including keywords in the message or subject, date, sender or recipient, would ensure that emails can quickly be found based on little information. Ideally, this archiving solution should not use PST folders, instead archiving emails and relevant information in a way that meets the security standards and does not employ methods such as stubbing or shortcutting.

The management of both the email system and the archiving solution plays a crucial role in the overall success of an organisation. For the NHS, in particular, having the correct technology and solutions in place will enable users to be more productive and effective, which can ultimately impact on patient care.

www.bcs.org/health

MANIFESTOS
MAKING THE UK THE IT PLACE TO BE
doi:10.1093/itnow/bwv021 ©2015 The British Computer Society

There will be a general election in 2015. In preparation many bodies have produced manifestos to try to influence government policy in the IT space. Are they asking for the right things? Brian Runciman MBCS reports on some of the manifestos and highlights some BCS reaction from a recent policy meeting.

According to Nesta UK (formerly NESTA, the National Endowment for Science, Technology and the Arts), political manifestos have actually been quite successful in incorporating new trends, for example the rise of automation and the creation of the internet.
However, they also caution that ‘they rarely set out clear policies for taking advantage of new trends, or for mitigating their risks.’ Noting that government is also poor at predicting the shocks that such trends can cause, and taking into account the increasing speed of change in the digital landscape, getting the approach to national digital strategy right requires expert input. As techUK has noted, the tech sector has outperformed the rest of the private sector over the last 10 years, and it recovered far more quickly in the aftermath of the 2008 financial crisis. It will be even more important during the next parliamentary term and beyond.

Key themes

The key themes that come out of these manifestos are:
1. UK startups and innovation;
2. tech in government services;
3. digital skills;
4. identity assurance and security;
5. European integration and global integration;
6. the workforce;
7. the legislative landscape;
8. the tech itself.

UK startups and innovation

The Coalition for a Digital Economy (Coadec) reports that the ‘UK’s internet economy makes over 8 per cent of GDP’ and predicts that this will grow to 12 per cent by 2016. Also noting that the UK was the fastest growing economy in the G20, it draws attention to the role of micro-entrepreneurs in creating innovative services. This means that innovation often has its roots in the startup environment, making it key to continued UK growth. One problem Coadec draws attention to is that of funding, noting that whilst seed funding can be easier to get, taking ideas, products and innovations forward, which needs more funding, is increasingly tough. Like many of the eight main themes there is cross-over with other areas, in this case job creation. The link is made explicit by e-Skills, in quoting the 2007 Kauffman Foundation study, which says that most job creation comes from entrepreneurship.

Coadec wants to create an ‘environment to encourage permission-less innovation where possible.’ eSkills adds a practical aspect to this with their view that every country in Europe needs a ‘jobs through e-entrepreneurship’ campaign. techUK sees even further, asking that we make the UK a ‘global hub for talent with a smart migration policy’ to attract wealth creators to the UK economy who can use and disseminate the skills needed to make innovative ideas fly.

What is BCS’s take on this? Simply that we should aspire to make the UK a melting pot for innovation. The UK should be the destination for innovation in IT, and the organisations that can make this happen go beyond the exciting start-ups at digital roundabout to the bodies that take the lead in the profession, government, policy bodies and more. Indeed, the BCS Entrepreneurs Specialist Group aims to engage with entrepreneurial communities to grow the digital ecosystem for the benefit of members and society, and to provide a real-time forum for existing and would-be entrepreneurs to network with an expert group of innovation stakeholders from government, established and emerging technology enterprises and digital support clusters.

Tech in government services

A phrase that comes up several times in the government services space is ‘government as a platform.’ Whilst it may be tempting to see this as buzzword creation, both Coadec and the Policy Exchange put some meat on the bones, with the idea that government should release APIs for government services, allowing others to innovate ‘on top’ of them. techUK also discusses the use of commoditised and utility solutions to standardise functions and the sharing of data. If there is a need for bespoke services, which techUK concedes there may be, it adds the useful corollary that these be implemented in ways to promote further growth – for example allowing SMEs to reuse the intellectual property (IP) they may have originally developed for government contracts.
More specific suggestions come from the Policy Exchange, which thinks that the civil service competency framework should be updated to include IT skills and techUK suggests the next government should appoint a chief privacy officer to oversee and maintain public services. As BCS notes, services are increasingly digital by default – and that’s a good thing. The Institute necessarily has this default position – indeed BCS already does a lot of good work in tandem with government, including influencing at the policy level. More specifically in recent years the Institute had a pivotal role in introducing a proper computer science curriculum for schools – and continues to support users with ECDL. Digital skills The need for improved and ongoing support for digital skills comes out loud and clear in nearly every manifesto available. As eSkills comments, one of the problems is Warholesque: ‘Today when you graduate you are set for, say, 15 minutes.’ But it also adds in the problem of the narrow field of view because ‘national IT policies tend to the population is online (Policy Exchange compares this to the 98 per cent plus penetration in Norway and Iceland). The new computer science curriculum, which, as noted above, BCS was instrumental in bringing into being, is mentioned in several manifestos. Coadec notes that the suggested £3.5m to support teachers in their teaching of the new curriculum amounts to only £175 per school - unfavourably comparing that to the £15,000 per school that Jersey has provided – albeit with fewer schools. Policy Exchange is even more parsimonious with its £3m pot for a competitive grant to fund third parties to deliver teacher training for the new curriculum. On the same issue the UK Digital Skills Taskforce says a ‘minimum of £20m over the next Parliament’ is needed to assist teachers. One suggestion to combat this issue comes from Coadec, which suggests incentives for startups to help train teachers. 
MANIFESTOS (ITNOW, March 2015)

Where an entrepreneur would find the time may be another question - a job too far? Conversely, the National Institute of Adult Continuing Education (NIACE) says that investment in skills is ‘too heavily focused on young adults at expense of over 24s.’ And with the issue of extended working lives coming nearer, life-long learning becomes even more necessary. As e-Skills notes, the ‘full potential of egovernment will only be seen when the European population is connected to the internet and e-skilled.’ For the population at large e-Skills suggests a European standard for e-competency, calling for EU-wide indicators of digital competencies and media literacy. This follows an EU report showing that only 25 per cent of people self-report a high level of digital competency. One of the problems is the digital inclusion gap. It is difficult to deliver digital skills when only 83 per cent of ... Of course, as NIACE acknowledges, ‘adults need to take ownership of their own learning and development.’ They put forward the idea of a personal skills account for all adults, linked to an entitlement to career reviews, to help people decide what skills development will work for them. In the higher education space, Policy Exchange suggests removing the cap of 10 endorsements per academic institution from the Tier 1 Graduate Entrepreneur visa. BCS has a lot of traction in the digital skills space – and it takes the view that there are certain baseline competencies that are needed to make digital skills training effective. These skills are needed to support growth – not just in education and large business organisations, but also in SMEs and the civil service. This is not just an education piece - there is a disconnect with actual policy. Lessons can and should be learnt from recent history.

In the UK the education system has failed to educate those coming into IT, with a historic failure to educate at the school level in computer science, the focus having been on developing basic IT skills. Some of this is about the philosophy of disciplines and, whilst there is progress now, it could be said to be 20 years too late. Technology is already at the core of all businesses. The House of Lords is currently undertaking a review of digital skills, and cyber skills have been added as an important part of this inquiry. BCS sees this as a good starting point in the vital upskilling process that needs to happen. However there are caveats to this discussion. BCS notes that there is a strong sense of déjà vu about some of these initiatives. Similar discussions took place in Peter Mandelson’s knowledge economy drive in the 1990s. Now these things must be actioned. One route that needs pursuing is ensuring that there is a tax regime that stimulates growth, especially as the EU already looks to the UK as a good exemplar in this area. And what about IT professionalism and digital skills in the civil service itself? Reportedly, no government departments are pushing for continuous professional development – an area BCS understands, can promote and views as vital for the development of the industry. To help the public at large take advantage of digital services it was suggested by BCS that there could be incentives and help made available so the public can all use them. There also needs to be confidence in the system, as there are still fraud issues and perceptions of cyberdanger that put users off. People will be reluctant to access online services if there are no assurances. End-to-end services should be securely coded. The example of GDS, which has developed products and services that people want to use, was mentioned. But, in the end, BCS wants people to use digital services because they are the easiest way rather than because of incentives.

Identity assurance and security
For members of the public this is a big issue. Policy Exchange put forward the concept of an independent data ethics committee. Its idea is that this would include not only representatives from government, business, the charity sector and legal groups, but from citizens’ groups as well. It sees the creation of a Code for Responsible Analytics to guide the government in the responsible use of data. If this included collection and re-use issues, that would be a good approach. techUK suggests the next government should appoint a chief privacy officer to oversee and maintain public services.

European and global integration
A European Commission report from 2014, ‘Does digital tech create or kill jobs?’, suggests that the skills gap is larger in the UK than in the rest of the EU. techUK mentions tech exports and recommends that the next government should appoint a ‘Digital Trade Czar based in FCO.’

The work force
A number of the above points could be added to the issues around the digital and IT workforce. Coadec usefully asks how the UK can improve talent access (see ‘Further Reading’ links). Should the UK improve access to non-EEA countries? Tier 1 Exceptional Talent Visas come up again here: Tech City can make 200 Tier 1 Exceptional Talent Visa applications - is that enough? Certainly Coadec recommends relaxing the eligibility criteria, with the idea of enriching the local workforce. For BCS an interesting angle here is professionalism, long a campaign point. e-Skills talks about the new principles of the 21st century: ‘collaboration, openness, sharing, interdependence and integrity.’ We may well ask where professionalism is here.
The legislative landscape
The legal aspects of IT, from data protection, use of big data and perceptions of the public to the allowing of data use to benefit UK business, are huge – and get bigger when the EU and global context is taken into consideration. Coadec comments on data protection, mentioning that because startups and SMEs lack the resources of larger companies they can be particularly affected by well-meaning but poorly thought out provisions. They also acknowledge the historical problem: pre-digital law and regulation do not take into account such things as ‘the value of user ratings, social trust, GPS tracking and verified online IDs.’ Again a general philosophy could be a good starting point. Policy Exchange maintains that there should be a presumption that a citizen is in control of their own data – very much in keeping with web-creator Sir Tim Berners-Lee’s recent comments on the subject, which BCS agrees with. It goes on to say that DP legislation should focus on use rather than the collection of data, quoting the stunning figure that HMRC has 80 times as much data as the British Library. Policy Exchange recommends that the government conduct annual reviews to ensure that legislation and the regulatory and legal systems on intellectual property keep pace with technical change. Is this laudable goal realistic or even workable? techUK mentions the recent and much debated ‘right to be forgotten’ and how that fits in with the concepts of free speech and personal data and reputation. It calls it a retrograde step with unintended consequences, perhaps an example of being badly ‘affected by well-meaning provisions’, as mentioned by Coadec.

BCS views: EU and regulation
The UK has had an uneasy relationship with the EU, beyond the toing and froing of political posturing. The Institute aims to take the global view into account too. The internet is global and therefore should be talked about in a global context - and not all EU views are shared globally. EU data protection and privacy legislation is seen as being too protectionist. This endangers potential innovation and growth - fortress Europe. Whilst the US view is freedom of information and speech, it is poor around the issue of net neutrality. The UK should consider itself to be in a position to enlighten and present a pathway to follow – the best of both worlds. To its credit the EU is pushing digital skills in education, but in its regulatory frameworks it is less forward-thinking. For example, there is no regulation for filtering of material linked to terrorists - no regulatory process around what should be censored. Regulation is a two-edged sword. There is a danger of over-regulation, which could stifle business and restrict freedoms – especially as UK PLC’s success is increasingly based on services provided over the internet. The BCS view is that generally the UK approach is ahead in aspiration and delivery. However, there are issues around identity assurance. There is a polarisation in legislation around data and privacy - with the UK excluded from many international talks. Interestingly, in the EU Estonia is said to be the most innovative, with the UK held back somewhat by too much legacy as it moves from heavy industry. Progress needs to be sped up.

This document is ‘live’ and developing - give your views on the issues raised via BCS Policy Hub: http://policy.bcs.org

The tech itself
What about the hardware, the metal itself? Coadec says that the UK needs to continue to invest in superfast broadband and raise the level of ambition for digital infrastructure, especially taking into consideration where the next areas of growth for IT are likely to be. According to figures from the techUK report, these are (with value estimates):
• IoT: $7.3bn by 2017;
• wearables: $70bn by 2024;
• 5G: 40-fold increase by 2018;
• robotics: $29bn by 2018;
• autonomous vehicles: £28bn by 2020.
As techUK notes, these tech trends are disruptive and global. Three interesting views come up here. Coadec suggests that ‘most investment in digital infrastructure should be funded by the private sector.’ But we may well ask where that leaves less well-populated areas, which are more expensive to get to. Policy Exchange gives a specific example of opening data use, saying that ‘Ordnance Survey should cease to be a trading fund and be removed from the Shareholder Executive to make their maps and data free to use.’ techUK asks for the creation of a major new IoT programme to clearly articulate the nation’s ambition to be a world leader in IoT.

BCS views: The impact on the individual
IT should always be centred on people. So, as mentioned above, this starts with the UK taking a leadership role in having skills legislation that encourages innovation. This means that the interface needs to be functional and simple to use. As mentioned before, Estonia is an interesting case - a place where everyone is online. Could that be the aim for the UK? For the elderly there seems to be no mileage in persuading them to up-skill and there is no money from government to do that. They need to cut costs and cannot afford to offer telephone support. This raises questions on the extent of the role of government and where it should cross over with the private sector on, for example, the rollout of high-speed broadband to the whole population, regardless of the geographic difficulty in doing so. The government also has a huge role in protecting citizens’ data. Notable IT systems failures in the past have made people wary, with the feeling that adequate security controls are not yet in place. We have not yet reached the point where citizens make decisions based on trust of government. As technologies, app-driven experiences and online traffic volumes have increased, has the idea of consent been made no longer viable? The BCS skills agenda should include educating parliamentarians – they are making decisions based on briefings that may not give a full enough picture. The BCS campaign strand on professionalism includes the idea of accountability – and whilst we would not expect parliamentarians to be held to the standards of a fully-fledged IT professional, education at this level is paramount. The pace of change outstrips legislation easily. We are facing a future of work that will include driverless vehicles, computerised health diagnoses (see Watson), streams of data coming from personal databases and autonomous machines on the IoT - possibly anonymised, possibly de-anonymisable. Individual citizens need to know where they stand, have a clear view of their rights and expectations and a way of keeping abreast with the implications of change.

Further Reading
techUK ‘Securing our Digital Future’ http://bit.ly/1CLpbYV
Coadec ‘The Startup Manifesto’ http://www.coadec.com/wp-content/uploads/2014/09/Startup-Manifesto.pdf
NIACE Manifesto https://www.niace.org.uk/sites/default/files/images/niace_manifesto_skills_for_prosperity_june2014_bw.pdf
UK Digital Skills Taskforce interim report http://www.ukdigitalskills.com/wp-content/uploads/2014/07/Binder-9-reduced.pdf
Policy Exchange Tech Manifesto http://www.policyexchange.org.uk/images/publications/technology%20manifesto.pdf
Nesta ‘Politics foresight’ http://www.nesta.org.uk/publications/politics-foresight
Coadec on improving talent access
http://bit.ly/16E6Y2O
BCS Entrepreneurs http://www.bcs.org/category/17002

CES2015: DRIVE-BY COMPUTING
doi:10.1093/itnow/bwv023 ©2015 The British Computer Society
Images: © BMW, nVidia

When Henry Tucker went to CES2014 one of the things he was most impressed by was Audi’s computer-controlled cars. You could park them simply by pressing a button on your smartphone. They could also take the controls in slow-moving traffic, but because of legislation they couldn’t do more than that. At CES2015, Audi was once again in attendance with what looked like the same cars and the same technology. This time though at least one of the cars drove itself from California to Las Vegas for CES. This is the sort of leap forward I was expecting. After all, this year’s car had control hardware and software the size of a laptop, whereas the previous year’s had a whole boot full! The thing is, the technology exists to make self-driving cars safe. The Audi has six radars, three cameras and two light detection and ranging (LIDAR) units. The computers that allow the car to analyse the road, choose the optimal path and stick to it fit neatly in the boot. What is holding the industry back is legislation. The common argument, when people are presented with computer-controlled cars, is ‘what if the software crashes?’ To which I would say: is that any different from your car breaking down? When you look under the bonnet of modern cars there are two things you can access yourself, unless you happen to be a mechanic, and they are the oil and the water for the windscreen washer. With a computer-controlled car it’s exactly the same. The other thing people sometimes say is, ‘what if it goes out of control?’ Now this is clearly from the realms of a Michael Crichton thriller where the cars go wrong and start acting malevolently. Again this isn’t going to happen.
Software and hardware already exist to remotely disable cars - car rental firms use them to disable stolen vehicles. Software and hardware only go out of control because of human intervention, not through their own will. I think that computers will be better drivers than humans; they won’t take risks, they’ll stick to speed limits and will be more efficient. One thing you do need in order to have these self-driving cars, though, is accurate maps. Paper maps and sat navs are never 100 per cent accurate. With this in mind we had a chat with Nokia about its mapping project called HERE. It is sending cars out around the world to map roads in amazing detail so that cars, such as the Audi and every other one, can drive safely on the roads because they know what is ahead of them. HERE also works with technology to share real-time road information. So, for example, if you are driving around a bend and a car is coming the other way, it has sent information up into the cloud to tell systems that there is an obstacle in the road. Then, as you go around the bend, your car receives that information and can approach it with caution. Now Audi and Nokia weren’t the only companies to show off things they have been working on. In fact most of the major car manufacturers were in attendance and there were keynotes from Ford and Mercedes-Benz. Some commentators are now saying that CES is more important for the auto industry than the traditional car shows. BMW showed an electronic car valet system that not only parks your car for you (always a good idea) but then drives it back to you after you press a button on your watch. Now if that’s not straight out of a sci-fi movie I don’t know what is. It also showed its crash prevention system that uses laser scanners to measure the space around the car, so if you don’t see an obstacle it will, and will then brake accordingly.
QNX, a subsidiary of BlackBerry, showed off a driver assistance system that uses sensors, cameras, navigation engines, cloud-based services, speech interfaces and acoustics software to create experiences that simplify driving tasks, warn of possible collisions and enhance driver awareness. At the 2014 show I spoke to BMW and they told me about their system for in-car apps, and it now seems that Ford has got in on the act too. The company showed off its system where you can access your phone’s apps using the AppLink tool, including services such as the streaming music app Spotify. One thing that annoys probably every driver on the roads worldwide is road works and the associated traffic jams that they often cause. The constant stop-start nature of these jams is something that Bosch is looking to address with its Traffic Jam Assist technology, which it is introducing in the first part of 2015 to give drivers a ‘hands-free experience’ in jams up to around 45mph. Even companies such as nVidia, which is usually associated with computer graphics development, have got in on the act. In fact at CES2015 the main features of its stand were two cars. It showed off its new nVidia Drive CX, which features a Tegra X1 processor designed to power a car’s digital cockpit experience, such as the sat nav and entertainment functionality. It also showed off its nVidia Drive PX in-car computer, which allows for app development for semi- and fully autonomous driving. One such application is nVidia’s own Deep Learning that, according to nVidia, allows your computer to learn from its surroundings and, to quote nVidia, ‘become intelligent.’ It also features surround vision, using 360-degree cameras, that can be used for autonomous parking. Driving around in our cars is, statistically, one of the most dangerous things we can do. Technology such as this will, I think, start to make the road a lot safer for all of us.
Image: nVidia’s pedestrian detect feature

ACCESSIBILITY: THE ACCESSIBILITY BUNFIGHT
doi:10.1093/itnow/bwv024 ©2015 The British Computer Society

‘We anticipate bunfights ahead,’ so said the Chair of NHS England’s Accessible Information Standard (AIS) at the first advisory group meeting. Dr Howard Leicester MBCS reports on the current state of accessibility in the UK.

AIS is now part of the UK Disability Strategy and is a developing model for other sectors. Documents in alternative formats and face-to-face support are ‘in scope’. However, despite obvious overlaps, the web was ruled out. I immediately called for development of a parallel standard for ‘the orderly conduct of bunfights’. Stuck in the very problem I’m trying to solve, I am a deaf and blind health informatics academic. Reading, writing, presenting and facilitating are all impossible for me without technology. ‘The right tools in the right hands help everyone,’ said Stephen Hawking at the 2012 Technology For Good Awards. Yet I have found very few truly accessible academic texts. My assistive technology - a screen-reader that converts onscreen text into synthetic speech or braille - works with few of the guides and tools freely available in education and collectively known as EduApps. I cannot send a legible text message on an iPhone without a bluetooth keyboard. The accessibility component of the Government Digital Service ‘Service Design Manual’ identifies my assistive technologies as tools for testing rather than aids for would-be developers.

Evidence of considerable need
Accessibility should be mainstream by now. Small-screen, multi-environment mobile phones are widespread, while literacy challenges are a known, national problem (the Office for National Statistics [ONS] quoted ‘56 per cent of the Northern Irish adult population’ as an example, before updating that page [‘accessibility policy’] in 2013).
This - from the consultation document preceding the NHS Information Strategy - suggests possibilities for mutual understanding between the IT mainstream and disabled people through shared (assistive) technologies: ‘Voice recognition software is used to great effect in a number of clinical settings. Significant improvements are expected in devices to allow touch and even gesture input of information into computers.’ Support for potential professionals, like me, is unclear. A Freedom of Information request in 2010 showed that Access To Work (the Government agency supporting disabled people in work) does not record job roles or technology provided. Across university students, ca. 10 per cent have disabilities (in 2011/12, 78,905 out of a total of 870,910). The Higher Education Statistics Agency (HESA) provides free data on students by disability category, but not their academic disciplines. The chart below shows the spread of impairments reported to HESA in 2011/12, the latest year for which figures are available. ‘Learning difficulty’ probably means dyslexia and is the highest group by far. Those with sight or hearing loss seem very under-represented. Data on staff were not available. It should be noted that these are self-reported impairments. Many people choose not to reveal any impairments they may have, so the true numbers will be higher. Data on the general population come from the ONS. Its ecommerce monitoring development programme includes mobile and internet use from its existing Never/Ever online survey. Between 6 and 7 million people have never been online. A further 9 million people are online but in need of help. Most of the people in these categories are older or disabled people. Assumptions about who needs what might be made based on another ONS product, the Life Opportunities Survey (LOS). This is a regularly repeated major survey commissioned by the Office for Disability Issues (ODI). LOS is specifically designed to measure impairment rates and the impacts of policies. Impairments are the secondary consequences of conditions. With ‘chronic pain’ highest on the list, those most affected across the full 29 per cent of the adult population are not the ‘usual suspects’. But sensory loss, memory and dexterity challenges do rise markedly with age. LOS also shows lower disposable income in households with at least one disabled member. Work and education opportunities are also lower among the disabled.

The Society of IT Managers ‘better connected’ programme found only 25 per cent of council web and mobile sites met even basic accessibility standards. Abilitynet have found similar in eNation reports.

The One Voice Coalition for Accessible ICT has now merged with the former e-access forum to become the Digital Accessibility Alliance advising government. One Voice also won this pledge at the Lib Dems’ 2014 main conference: ‘Review anti-discrimination law, guidelines and standards on access to digital goods and services to ensure they are fit for the modern age and to ensure fair access to digital public services, the digital economy and the workplace.’

Important standards in transition
The underlying standards are internationally recognised and come from W3C’s Web Accessibility Initiative (WAI). There are three connected components:
• Web Content Accessibility Guidelines (WCAG) - covering webpages and systems;
• Authoring Tool Accessibility Guidelines (ATAG) - for content management systems;
• User Agent Accessibility Guidelines (UAAG) - notably combining browsers with assistive technologies.
ATAG and UAAG are currently in the updating process from their version 1 releases (2000 and 2002 respectively). WCAG was updated to version 2 in 2008. WCAG2 is expanding (mapped to and appropriately adjusted) to cover documents and software, through general ICT, and interactive web pages, via the Accessible Rich Internet Applications (ARIA) programme. A special working group - on cognition and learning disabilities - has recently formed to encompass many traditionally excluded by the predominance of text. Their scoping document identifies many groups, including dyslexia, and many missing technologies. WAI is built into the British standard (BS8878). It is developing through several specialist teams, an interest group and its education and outreach task force. Nevertheless, I still feel more needs to be done to make the WAI approach easy to understand and implement, especially by those like me dependent on assistive technologies.

Join the bunfight
I focus on health. It keeps doors open in all other sectors of society. We know the scale and we have the data to estimate needs. The accessibility standards, though not fully developed, are essentially in place. The AIS Chair, who launched the bunfight, also said ‘I’ll buy the champagne if we pass full stage approval.’ Now is the time to make the party happen. Support NHS England through the BCS Digital Accessibility Specialist Group and all its connections. The champagne is on order, and I’ve promised to provide the buns! www.bcs.org/groups/dasg

BRIEFING: BUSINESS INTELLIGENCE STATE OF PLAY REPORT
doi:10.1093/itnow/bwv025 ©2015 The British Computer Society

January 2014 saw BCS, The Chartered Institute for IT produce its first State of Play report on business intelligence (BI). What’s changed for 2015? Brian Runciman MBCS reports. The 2015 IT spending forecast from computerworld.com listed five areas where respondents expected increased spending, and third position went to analytics and business intelligence. Harnessing big data through enterprise analytics, data mining and BI had 38 per cent of IT executive respondents to the survey expecting to spend.
They quote Gartner analyst Richard Gordon on the new data coming into the enterprise: ‘There’s a wave of data coming from customers and social media. And as the internet of things rolls out, there will be even more information on customers. Businesses are scrambling to figure out how they can extract value from that information.’ According to Andrew Brust, Research Director of Gigaom Research, in each of the last few years there has been an overarching theme in the data arena. He says that ‘2012 was the year big data became really hot; 2013 was the year it grew more accessible, through SQL-on-Hadoop; and 2014 was the year it became far more versatile, with the addition of YARN and Spark. 2015 will be the year Hadoop matures.’ Whilst that may mean that there are no huge breakthroughs, Brust notes that the maturing of BI technologies will see a move to more standardisation, more adoption and therefore a more successful integration of BI into the enterprise. He predicts that Hadoop will become more usable, more adoptable by the enterprise and more developer friendly. More on Hadoop, NoSQL and relational databases is in the Gigaom report ‘Outlook: Big data and analytics in 2015’. The mention of analytics in that title is key – there has been a lot more coverage during 2014 of the role of analytics. BI solutions are more readily embraced the more obvious their benefit is, so easy-to-use analytics are key to a successful BI platform. Big data continues to be a much-bandied phrase, especially as it relates to predictive analytics, but of course many industries have been using data and analytics for decades – the new tools just make it much easier. One article in the BCS report shows the potential benefits of predictive analytics for the healthcare industry. IT Professional magazine examines what is truly new in terms of predictive analytics, and what it means for the IT industry.
Pat Saporito from the SAP Global Center of Excellence for Analytics says that BI centres of excellence can play a key role in managing corporate growth and in enhancing the ‘analytic IQ’ of business managers and owners. She shows that centres of excellence can define and operationalise a BI strategy, and ensure that the analytics get put into action. Amongst other areas discussed, the BCS report highlights pieces that look at the need for supply chain organisations to use effective business intelligence tools to stay competitive; the role of real-time data warehousing as a powerful technique to achieve operational business intelligence; and the increasing use of BI outside commercial organisations. For example, public sector offices in the US are now expected to perform like private industries in collecting and providing pertinent information, according to one piece in the report. Even though the use of BI in the public sector is still in its infancy, the case study from the DeKalb County Government located in Georgia, which has implemented business intelligence tools for its data management including social services, billing and public safety, makes for an interesting read. In other areas, there are three case studies looking at the use of business intelligence tools by accounting firms in the USA. And in terms of practical applications, the BCS report covers an article on how one Fortune 500 company built itself a real-world Microsoft BI dashboard; a piece on how BI can support marketing strategies, based on a case study approach; and an article on how to take control of your BI with the tools offered by SharePoint 2013 and Microsoft SQL Server 2012.

Strategy
Best practices for business intelligence
This short article presents a list of 11 best practices for business intelligence, which the writer has adopted from a number of online resources.
They include: the need for solutions to produce findings that are immediately actionable and trustworthy; and having constant input from business leaders to keep IT on the right track. The key point, according to experts, is to form an ongoing partnership with business, so the resulting BI solutions are embraced as easy-to-use and strategically relevant. By Dennis McCafferty. Source: CIO Insight, October 2014

Selecting the BI platform for your organisational requirements
This article discusses ways of finding the right business intelligence (BI) platform for business enterprises and government agencies. The writer describes the factors which typically define the different types of BI tool users. He also explains the different integration characteristics and the level of importance on which evaluation of a BI platform should be based. By John Matelski, DeKalb County Government (Georgia), and president of the Independent Oracle Users Group. Source: Database Trends & Applications, June/July 2014

To get these articles and more, log in to the BCS secure area, go to ‘My Knowledge’ then ‘State of Play reports’ to see further listings with direct links.

Analytics
Getting started with predictive analytics
This article reports on the emergence of business intelligence, and particularly predictive analytics, in the healthcare industry. The writer describes what predictive analytics is and its potential for the healthcare industry, and then goes into various cases of how it is being used by marketers and medical professionals in the USA. One hospital, for example, targeted people considering a mammogram with a campaign about its mammography equipment, greatly increasing take-up. The article includes a section on best practices for putting together a predictive analytics strategy. By Lauren Drell and Julie Davis. Source: Marketing Health Services, autumn 2014

Big data and predictive analytics: what’s new?
There’s a lot of noise about big data, especially about its role in the new and exciting field of ‘predictive analytics’, but many industries have been using data and analytics for decades. This article examines what is truly new in terms of predictive analytics, and what it means for the IT industry. By Seth Earley, Earley & Associates Source: IT Professional, January 2014 SAP, Oracle Lead Sluggish BI and Analytics Software Market This article discusses research by Gartner that showed the global business intelligence (BI) and analytics software market rose to US$14.4 billion in 2013, with annual growth slowing to 8 percent. Macro-economic factors were the most important reason behind slower growth, but it was also due to IT budgets remaining flat and confusion on how to use analytics. At a segment level, businesses were moving from reporting-centric to analysis-centric tools. SAP had the largest share of the worldwide market with Oracle in second place. By Nathan Eddy Source: eWeek, May 2014 Business process analytics using a big data approach Business users can continuously improve their processes by using advanced analytics methods and emerging technologies, such as business intelligence systems, business activity monitoring, predictive analytics, and behavioural pattern recognition. However, the high volumes of event data produced by the execution of processes during the business lifetime prevent business users from efficiently accessing timely analytics data. This article presents a technological solution using a big data approach to provide business analysts with visibility on distributed process and business performance. The proposed architecture lets users analyse business performance in highly distributed environments with a short time response. 
By Alejandro Vera-Baquero and Ricardo Colomo-Palacios, Universidad Carlos III de Madrid, Spain, and Owen Molloy, National University of Ireland. Source: IT Professional, November 2013

BI performance
Benefits and barriers to corporate performance management systems
Corporate performance management (CPM) systems using business intelligence technologies can help enterprises monitor and manage business performance. In this research, we explored and presented empirical evidence on the key benefits of, and barriers to, the use of CPM systems through a survey of 283 organisations across North America and China. We identified three key benefits and ten inhibiting barriers. The research findings are useful for multinational organisations that are planning, or are in the process of implementing or reviewing their CPM systems, as well as for consulting companies that are assisting with such systems implementations in different regions. By William Yeoh, Deakin University, Australia; Gregory Richards, University of Ottawa, Canada; Wang Shan, Renmin University of China, Beijing, China. Source: Journal of Computer Information Systems, autumn 2014

Succeeding with BI
This article focuses on the significant role of business intelligence centres of excellence (BI COE) in managing corporate growth and in enhancing the analytic intelligence quotient (IQ) of business managers and owners. The writer says that today BI COEs define and operationalise a BI strategy, and ensure that the analytics get put into action. She lists the practices to consider including in a BI COE, such as ensuring data is trustworthy, and providing easy access to reports and analytics.
By Pat Saporito, SAP Global Center of Excellence for Analytics Source: Best’s Review, October 2014 An overview of information tools and technologies for competitive intelligence building: theoretical approach The paper looks at competitive intelligence (CI), which is a subset of BI, and concerns collecting and analysing information about the behaviours of the various markets’ actors in order to make decisions based on market trends. This type of information is mainly of a semi-structured or unstructured nature, in contrast to the well-structured information used in BI. The research study is mainly exploratory and descriptive in nature, with the objective of providing an overview of CI issues and investigating the various information tools and technologies for CI building. It also highlights the most important differences between BI and CI. By Celina M Olszak, University of Economics, Katowice, Poland Source: Issues in Informing Science & Information Technology, 2014 March 2015 ITNOW 57 DIGITAL LEADERS RESEARCH WHAT DIGITAL LEADERS WANT AND NEED doi:10.1093/itnow/bwv026 ©2015 The British Computer Society Image: iStock/511665345 Everyone wants a larger budget, but when only 8 per cent of participants feel that their organisation has enough resources and more than 79 per cent indicate that they need enhanced IT skills among their existing workforce or additional IT staff, the digital leader has plenty on their plate for 2015. Brian Runciman MBCS reports. For the fourth year BCS, The Chartered Institute for IT has run a survey looking at the needs of the digital leader. And the faster the development of IT systems, the more the business views and key problems stay much the same. For example, fifty five per cent of participants rate business transformation and organisational change as among their organisation’s top three management issues for the next 12 months. This is followed by strategy and planning (50%) and operational efficiencies (48%). 
Businesses are clearly seized of the need for IT to effect change in their business dealings and internal organisation. As would be expected, SMEs and corporates have slightly differing needs: among SMEs the issue most likely to be in the top three over the next 12 months is strategy and planning (59%). For companies with over 250 employees, business transformation and organisational change (61% versus 40%) and operational efficiencies (53% versus 36%) are more likely to be high priorities than for SMEs.

Some issues were mentioned in the ‘free text’ part of the survey that will undoubtedly become more common concerns in the medium term, such as regulatory response (which perhaps only comes onto the radar when legislation is more immediately looming) and platform rationalisation.

Specifics: top IT topics

As to specific issues that need to be addressed, it’s no surprise to see the greatest number of respondents (60%) rate information security as among their organisation’s top three IT topics for the next 12 months. This was followed closely by areas that have moved well out of the ‘jargon’ phase and into business critical applications: cloud computing (55%) and mobile computing (53%). These are the same three issues that were identified in last year’s survey. However, the order has changed, with information security and cloud computing going up one place and mobile computing dropping two places.

Analysis by number of employees shows that information security is the top answer for both SMEs and large companies (over 250 employees). Mobile computing is more likely to be a high priority for larger companies compared with SMEs (56% versus 45%), whereas social media is more likely to be a high priority for SMEs compared with larger organisations (24% versus 9%) – perhaps a reflection of the shift in marketing approaches. The next concerns for the large organisation were big data (36%) and agile (22%).
Some of the issues much-discussed in the media are not yet really on the business radar in a large way, perhaps indicating their niche market status at present. These were the internet of things, with only 11 per cent representation, and 3D printing with a paltry one per cent. Other topics mentioned were agile and operational alignment; robust IT for SMEs; hosted telephony; general IT reliability issues; the government digital agenda; human-centred computing; network bandwidth growth and new platforms.

One commenter made a valid point on the range of new services becoming mainstream, saying that whilst ‘implementing digital culture and practice’ is vital in the 21st century, organisations still need to be looking at why they would use these technologies, not just implementing technologies because of the ‘look’ of them.

The skills and resources conundrum

As noted in the introduction, only eight per cent of participants feel that their organisation has enough resources to address the management issues and IT trends that their company has prioritised. More than half (53%) indicate that they need enhanced IT skills among their existing workforce – with the same number requiring additional suitably qualified IT staff. Larger organisations are more likely than SMEs to need additional suitably qualified IT staff (58% versus 43%).

Strangely, activities that would support the above requirements were rather fragmented – certainly in terms of relative importance. Only eight per cent included ‘identifying the capabilities of your IT professionals’ as a top three priority – with 14 per cent considering the IT skills shortage in their top three and 16 per cent counting performance management in their top three. Having said that, the survey suggests that recruitment and retention is a higher priority for more companies compared with 2014 (up from 14% to 20%).

Biggest IT skills gaps: techy

The IT skills gap section garnered the biggest ‘free text’ response in the Institute’s survey. IT leaders care about this subject! The usual suspects were much in evidence: IT security, taking advantage of cloud opportunities, networking, and the extraction of meaning from big data. This need came from a smaller business: ‘Up-to-date knowledge of suitable SME low-cost apps and software packages that can be customised and integrated into our business.’

Concerns came from both ends of the tech spectrum, from disruptive technologies to legacy tools and services. Keeping skills current and identifying the correct new technologies for the business to implement is viewed as a big challenge, and the depth of technical skills came up in a number of guises. One comment on a specific need mentioned ‘automation and orchestration experience skills’, and delineated that comment with this rider: ‘true experience: not just app UI, connectivity experience, device experience, app experience and data experience.’

A progressive business need that IT can assist greatly with was identified by one commenter: ‘expertise in certain languages such as Brazilian Portuguese, Arabic and Hebrew’ in their digital products. Other concerns that cropped up, although in much smaller numbers, were effective corporate and IT governance; business change expertise; and, to quote a comment, ‘better CEOs and other execs who understand digital tech and its impact on organisations’ (on which more later). Business skills and soft skills were also mentioned. The comment from one respondent on ‘technically competent management’ leads nicely into our next section.

Biggest IT skills gaps: people

The people issues surrounding IT skills are broad ranging. Let’s start with a refreshingly honest assessment of those at the top: ‘CEO’s in large enterprises are idiots - they no (sic) nothing about the processes the IT department uses for risk acceptance and design - and are more interested in shiny things or things that make them look good. They need to think about what they are doing and stop poncing about pretending to know what they are doing when it is clear that they have never worked in IT for real, ever.’

Some comments on this problem were more circumspect (helpful?) – summed up well with the need for ‘understanding of the business and bridging the gap with the organisation’s vision,’ and ‘understanding of the business objectives driving IT choices.’

The gap in knowledge is more than just in management for some. One person said businesses could do without ‘outdated staff looking back at when they could operate in “god mode” and dictate to everyone what they were given - and now moaning that the world has moved on. IT departments themselves are in danger of becoming the biggest blocker on effective organisational modernisation.’ One comment mentioned the need for ‘quality managers who understand much more than simple economics - people are the key resource to be managed and encouraged, not beaten into submission.’

Other places where soft and hard skills may overlap, and mentioned specifically by commenters as problem areas, included simple experience: commercial knowledge and experience; the need for more and better project managers; implementing agile methods; and fostering an entrepreneurial culture. A further wrinkle on the ‘hybrid managers’ idea came with several commenters pointing to the importance of IT people being properly involved in selling the organisational strategy and getting it over the line and into delivery.

Some commented on the implications of outsourcing, asking for, in one case: ‘In-house staff (project coordinators) to be better capable of querying delivery of solutions provided by the private sector.’ This respondent notes that skills are lost to outsourcing and with them an ability to respond to new technologies.

Specific types of organisation face particular sets of issues. A public sector digital leader lamented: ‘As a public sector organisation it is difficult to recruit suitably qualified staff due to the limitations on salary (nationally agreed salary scales). Even training our own staff will not fully address the issues. This is further complicated by the organisation seeing efficiencies of technology adoption without the necessary investment in the backend staff to make these efficiencies a reality.’

SMEs faced something a little different, one person citing ‘silos of knowledge - not specifically because information sharing is poor, but because the organisation is small and we have specialists in individual areas.’ Some larger organisations face related situations, with some commenting on the breadth of skills now needed in IT people, making them look for those who can play multiple roles in a team and have knowledge of different technologies to support business partners. Here’s a laudable, if tough, goal: ‘We need future proofing abilities - the organisation is running to stand still at the moment.’

Churn is an issue, with some organisations finding that the capabilities of new recruits are insufficient to slot into the existing workforce when an organisation loses existing skilled personnel. One organisation’s loss is another’s gain in this scenario, of course, with those leaving sometimes doing so to go on to better careers, a by-product of a competitive workforce market.

One commenter gave an interesting solution to some of these issues: ‘Our organisation operates on a lean staffing model, with skills augmented from external service providers. The model envisages the system landscape and architecture to be designed in-house and bringing in external suppliers to provide the requisite infrastructure and applications.’ This organisation still has needs though: ‘Having a good system architect and IT security experts are the key gaps that the organisation faces. Supplier (service) management is a close second.’

Biggest IT skills gaps: hybrid

As implied by the last section, sometimes the skills gaps are not in the organisation itself but in their suppliers. Several commenters pointed to the issues surrounding assessing skills within their outsourced partners. One respondent complained that ‘IT capability is being delivered by an outsource agent who puts in sub-standard agents without the skill sets necessary. This causes major delays and they incur penalties.’

Another ‘people issue’ is around an increasingly aware consumer base. A public sector digital leader said that they need people with ‘digital awareness in service design, to ensure we’re as digitally savvy as our citizens’. Then there are the problems in actually finding those with skills in emerging trends – by definition a small recruitment pool. This creates a tension when trying to be innovative, with one digital leader saying that the organisation suffers from ‘too much time spent “keeping the lights on” and not enough time spent innovating.’

The next three to five years

Looking three to five years ahead, the same three main issues are expected to be at the top of the list of priorities. However, the order is slightly different, with strategy and planning coming out top (46%), followed by operational efficiencies (44%), and business transformation and organisational change (42%). When asked which IT topics will be the top three priorities in three to five years’ time, information security is again the top answer with 54 per cent. This is followed by big data (42%), cloud computing (40%) and mobile computing (39%). The information security concern is the top answer for both SMEs and large companies. There are a number of issues which are expected to become a higher priority in this time frame - the two showing the highest percentage increase (compared with plans for the next 12 months) are succession planning (up from 9% to 17%) and performance management (up from 16% to 23%).
Compared with the priorities for the next 12 months, the IT topic showing the biggest rise is the internet of things (up from 11% to 28%). 3D printing goes up only one per cent in this context. Other areas mentioned as being of medium-term concern were supply chain integration; embedded wearable security; other wearables; and predictive analytics. For SMEs cloud computing is expected to be the second priority (42%), whereas for larger companies big data was anticipated to be the second priority (47%).

People issues seem to be in the category of ‘we’ll get there eventually’, with the IT skills shortage, performance management and recruitment and retention issues all scoring higher in this future-looking question than in immediate priorities. More forward-looking were some of the technical concerns that may impact the business. Mentioned specifically were concerns over the complexity of virtual environments; polyglot systems maintenance; and migration to a post-JavaScript web.

Sleepless nights?

The final question BCS posed in this survey was: When considering upcoming changes and trends in the IT industry, what is it that is most likely to keep you awake at night? Again, the answers were a mix of the expected and some thoughtful ideas on the longer term. As ever, security is at the top... and came in a variety of guises: information risk and security; availability; security and stability in cloud computing; and security breaches. There were a lot of mentions of topic-specific security issues around, for example, the internet of things; smart solutions; the compliance agenda; and general reputational risk. Zero-day exploits and the ever-changing nature of security threats were also mentioned.
Some issues were perceptual, for example (all commenters’ views):
• The build-up of technical debt by making wrong product selections;
• The illusions of remote access: that everything is an app that appears to have no cost;
• The speed of competitor change, with the risk of products becoming outdated;
• The possible effects of the revised data protection legislation in 2017;
• The corrosive effect of hype and nonsense in IT;
• Slow change in large organisations, ticking boxes around superficial initiatives to comfort senior management;
• Cloud hosting being seen as the panacea for everything by the business without necessarily thinking things through – hence also the integration of different cloud platforms;
• The change in computers caused by the exascale revolution;
• Technically incompetent management;
• The burden of legacy;
• Responding to change in a large enterprise environment. Agile works at small scale, but it is difficult to scale without it turning back into compressed waterfall.

Financially based concerns included (again, from comments):
• Unannounced changes to suppliers’/customers’ systems;
• Provision of high-speed broadband to customers for free;
• Cost of software licensing: Microsoft vs open source.

Some have identified bigger issues. One commenter laments ‘the complete lack of human beings involved in recruitment applicant tracking systems have reduced the quality of the recruitment process to almost useless.’ And there are ever-present dichotomies, for example the combination of the need for computer security and privacy protection against the public expectation of easy and quick access. If this tension leads to shortcuts, that will cause problems. One commenter warns about the government’s desire to integrate and adopt collaborative data sharing without full investigation into the consequences in terms of resources and IT security.
Alarms are also raised at the risks associated with cloud computing and the US government’s stance on data stored on infrastructure belonging to US companies - with the associated data protection nightmare. One commenter warns of a ‘collapse of trust in online systems because of over-complexity and lack of attention to resilience and security.’

Positive notes to end on

So, there’s plenty for the digital leader to do, consider, worry about, look forward to… and clearly many of them, whilst concerned about the risks, take an admirably positive view, one that takes people rather than just cold technology into account. One commenter’s chief concern? Being ‘people-centric: developing systems that the public want to use.’ Another points to the importance of the shift of capability from traditional IT roles to a more distributed user-oriented model, whilst maintaining control and governance over the enterprise architecture.

Here are some final answers to ‘When considering upcoming changes and trends in the IT industry, what is it that is most likely to keep you awake at night?’
• ‘Nothing - that’s why I have a CIO!’
• ‘Not a lot - that is what claret is for.’
• ‘I’m confident that we are up to the challenge.’

The full research is available to BCS members in the Members’ Secure Area at bcs.org

FROM THE BLOGS

GAMIFICATION AND PROJECTS

The term ‘project gamification’ caught Project Eye’s attention. As some of the Project Eye team have had brushes with delivering project management training, the idea of using computer games to simulate project scenarios sounded great. Given the sophistication of computer gaming platforms, there could be some interesting development out there. It started out with so much promise. Project Eye looked at a report on project gamification published by its old friends at APM, which directed it on to the insights of Dan Pink on the nature of motivation.
If you have got 18 minutes to spare, his TED presentation is really worthwhile. He presents a body of scientific research that shows that financial incentives can improve work performance on mechanistic tasks. However, for more creative and problem-solving tasks (which Project Eye guesses includes most software project activities) an intrinsic interest in the challenge of the task is more likely to generate superior performance. In these cases, financial incentives can actually get in the way.

Some have promoted gamification as a way of increasing intrinsic motivation. Gamification refers to the use of computer games thinking and mechanisms in non-computer games environments. The key elements that have been taken from computer games are:
• points – you get points for getting things right and achieving things;
• rewards – you get some kind of reward if you get lots of points (apparently this might even be financial rewards!);
• badges – you can also get some kind of recognition for your successes;
• leader boards – you are publicly ranked competitively with your co-workers.

One Project Eye acquaintance of mature years commented that this reminded him exactly of what his teachers at his north Kent grammar school did decades ago. The idea of games is that they should have an element of fun, but in today’s cut-throat, competitive work environment gamification just sounds awful. Is this just Project Eye? (Project Eye has just been reminded it should stress that this is a personal view and should not be taken as reflecting any policy formulated or position taken by BCS, The Chartered Institute for IT as a learned institution.)

Much of the research that Dan Pink described has been around for decades. The classic ways of increasing the intrinsic interest of work have been job expansion – increasing the range of tasks carried out by an individual, such as getting software developers to carry out some business analysis roles – and job enrichment, letting a worker carry out some tasks previously carried out by managers, such as when maintenance programmers are allowed to talk directly with end users. This seems to be a much more promising approach in the world of IT projects than silly point scoring.

Still, the whole point of Project Eye is to stimulate heated debate. Can project gamification really be as irrelevant to IT projects as Project Eye perceives? Put us right below – but we can’t promise you any points, rewards or badges for your contributions.

For the links mentioned in this post, to comment and to get regular PM updates visit: www.bcs.org/blogs/projecteye

EVERYONE BENEFITS FROM DIGITAL SKILLS

Last year marked the 25th anniversary of the WWW. During this time digital technology has transformed every aspect of public, private and working life.

Skills For A Digital World

Digital education starts early in schools, with children expected to be fully digitally literate by the time they leave. After this time, and for people who are not considered digital natives or not interested in computers, the onus is very much on the individual to develop skills. In the Government Digital Inclusion Strategy, 21 per cent of the UK population is quoted as lacking basic digital skills. This could be down to a lack of access, skills, motivation or trust, but to put this into perspective, it means around 11 million people are not benefitting from the digital world. There are numerous initiatives by the government and other organisations, such as Barclays’ Digital Eagles and the Tech Partnership, that offer help to encourage more people online.

At BCS, we provide IT user qualifications to schools, universities, training centres, local authorities and employers which aim to support digital skills development from the classroom to the workplace. Digital skills could enable people to benefit from things such as:
• savings by shopping online;
• flexibility of paying bills online;
• keeping in touch with family and friends;
• searching for special deals or employment;
• finding or accessing local services;
• staying up to date with news.

For these 11 million people though, does the digital concern outweigh the benefits? Let us know what you think and how these fears might be better addressed. To be part of the debate and get further updates on digital skills visit: www.bcs.org/digitalskillsblog

doi:10.1093/itnow/bwv028 ©2015 The British Computer Society
doi:10.1093/itnow/bwv027 ©2015 The British Computer Society
doi:10.1093/itnow/bwu111 ©2014 The British Computer Society

BCS JOURNALS

LATEST CONTENTS

Interacting with Computers
The Interdisciplinary Journal of Human-Computer Interaction
Volume 27, issue 1, January 2015 special issue: Methods for Studying Technology in the Home, contains the following papers:
• Mixed methods for HCI research in the home
• Disruption as a research method for studying technology use in homes
• At home with users: a comparative view of living labs
• Researching young children’s everyday uses of technology in the family home
• Seeing the first-person perspective in dementia
• Tailored scenarios

Formal Aspects of Computing
Applicable Formal Methods
Volume 27, Number 1 contains the following papers:
• Synthesizing bounded-time 2-phase fault recovery
• Modeling and enhancement of the IEEE 802.11 RTS/CTS scheme in an error-prone channel
• Integrating stochastic reasoning into Event-B development
• Formal probabilistic analysis of detection properties in wireless sensor networks
• Verification of distributed systems with the axiomatic system of MSVL
• Denotational semantics and its algebraic derivation for an event-driven system-level language

FREE WILKES AWARD PAPERS

The winning papers for The Computer Journal Wilkes Award for 2014 have been announced. Exceptionally, this year the prize has been awarded to two joint winners. These articles are now available free online; the extracts appear below.

A movable architecture for robust spatial computing
David H. Ackley, Daniel C. Cannon and Lance R. Williams, Computer Science, University of New Mexico, Albuquerque, USA

For open-ended computational growth, we argue that: (1) instead of hardwiring and hiding component spatial relationships, computer architecture should soften and expose them; and (2) instead of relegating reliability to hardware, robustness must climb the computational stack toward the end users. We suggest that eventually all truly large-scale computers will be robust spatial computers - even if intended neither for spatial tasks nor harsh environments. This paper is an extended introduction for the spatial computing community to the movable feast machine (MFM), a computing model in the spirit of an object-oriented asynchronous cellular automaton. We motivate the approach and then present the model, touching on robustness mechanisms such as redundancy, compartmentalisation and homeostasis. We provide simulation data from prototype movable elements such as self-healing wire for data transport and movable ‘membrane’ rings for spatial segregation, and illustrate how some larger computations like sorting or evaluating a lambda expression can be reconceived for robustness and movability within a spatial computing architecture.

On selecting the nonce length in distance-bounding protocols
Aikaterini Mitrokotsa (1,2), Pedro Peris-Lopez (3), Christos Dimitrakakis (1) and Serge Vaudenay (1), from (1) EPFL, Lausanne, Switzerland; (2) University of Applied Sciences of Western Switzerland (HES-SO), Geneva, Switzerland; (3) Carlos III University of Madrid, Madrid, Spain.

Distance-bounding protocols form a family of challenge-response authentication protocols that have been introduced to thwart relay attacks. They enable a verifier to authenticate and to establish an upper bound on the physical distance to an untrusted prover. We provide a detailed security analysis of a family of such protocols. More precisely, we show that the secret key shared between the verifier and the prover can be leaked after a number of nonce repetitions. The leakage probability, while exponentially decreasing with the nonce length, is only weakly dependent on the key length. Our main contribution is a high probability bound on the number of sessions required for the attacker to discover the secret, and an experimental analysis of the attack under noisy conditions. Both of these show that the attack’s success probability mainly depends on the length of the used nonces rather than the length of the shared secret key.
The theoretical bound could be used by practitioners to appropriately select their security parameters. While longer nonces can guard against this type of attack, we provide a possible countermeasure which successfully combats these attacks even when short nonces are used.

To view these papers visit: www.oxfordjournals.org/our_journals/computer_journal/wilkes_award.html

BCS Members can get a reduced subscription rate to Interacting with Computers and Formal Aspects of Computing: www.bcs.org/category/17544

THE COMPUTER JOURNAL RECOMMENDED
doi:10.1093/itnow/bwv029 ©2015 The British Computer Society

The following papers are from The Computer Journal, issue , Volume 58, 2015. The overviews are largely based on the abstracts. They are provided by Editor-in-Chief, Professor Fionn Murtagh.

Identifying Compiler Options to Minimize Energy Consumption for Embedded Platforms
The authors are with the Department of Computer Science, University of Bristol and Embecosm, Lymington. This article is available on open access.

This paper presents an analysis of the energy consumption of an extensive number of the optimisations a modern compiler can perform. Using GCC as a test case, a set of 10 carefully selected benchmarks are evaluated for five different embedded platforms. Hardware power measurements on each platform are taken to ensure all architectural effects on the energy consumption are captured. It is shown that fractional factorial design can find more optimal combinations than relying on built-in compiler settings. The relationship between run-time and energy consumption is explored and scenarios are identified where they are and are not correlated. A further conclusion of this study is that the structure of the benchmark has a larger effect than the hardware architecture on whether the optimisation will be effective, and that no single optimisation is universally beneficial for execution time or energy consumption.

Performance Modelling and Simulation of Three-Tier Applications in Cloud and Multi-Cloud Environments
The authors are with the Department of Computer Science and Information Systems, Cloud Computing and Distributed Systems (CLOUDS) Laboratory, The University of Melbourne, Australia.

A significant number of cloud applications follow the 3-tier architectural pattern. Many of them serve customers worldwide and must meet non-functional requirements such as reliability, responsiveness and Quality of Experience (QoE). Thus the flexibility and scalability offered by clouds make them a suitable deployment environment. Recent developments have shown that using multiple clouds can further increase an application’s reliability and user experience to a level that has not been achievable before. However, research in scheduling and provisioning 3-tier applications in clouds and across clouds is still in its infancy. In this article, therefore, an analytical performance model of 3-tier applications in cloud and multi-cloud environments is proposed. It takes into account the performance of the persistent storage and the heterogeneity of cloud data centres in terms of virtual machine performance. Furthermore, it allows for modelling of heterogeneous workloads directed to different data centres. The CloudSim simulator is used, and extended, in this work.

Reusing Garbage Data for Efficient Workflow Computation
The authors are with: IBM Center for Advanced Studies (Atlantic), University of New Brunswick, Canada; Faculty of Mathematics & Computer Science, University of Lethbridge, Canada; and School of Computer Engineering, Nanyang Technological University, Singapore.

High-performance computing systems, including clusters, grids and the most recent clouds, have emerged as attractive platforms to tackle various applications. One significant type of application in HPC systems is workflow computation, which has been applied in various scientific and engineering domains. Workflow computation frequently produces intermediate result files, which become garbage after being used and are usually cleaned up without making any contribution to future computation. In this paper, it is argued that such garbage data could be useful for future computation and should not be immediately cleaned up. This is because workflow computation usually contains multiple instances that may share some common data products produced in the past. This sharing scheme provides opportunities to reuse the historical data to speed up subsequent computation and simplify re-computation due to faulty or crashed runs. To this end, a garbage data manager (GDM) is proposed for the workflow computation in HPC systems. The GDM organises and manages the garbage data for batch schedulers to enhance the performance of subsequent computation.

The Computer Journal has published advances in the field of computer science for over 55 years. Members can get heavily discounted subscription rates: www.bcs.org/cjournal/subscribe

LEFT OF THE INSIDE BACK COVER

No photos please

Is it sad that while I was at CES 2015 recent BCS campaigns kept coming into my mind? asks Brian Runciman MBCS.

Let’s start with the Women in IT campaign we did last year. The problems women face in society in general are inevitably linked in with any industry specific situation such as ours. So when Henry, BCS Editor-in-Chief, and I were looking at an (impressive) display of 80 inch 4k TVs, we were not surprised to see close-ups of roses lightly covered with water droplets, so far so generic. But then the ladies started appearing. Initially beautiful faces, where you could clearly see the makeup in skin pores.... perhaps this is making a subversive point, we thought. Then, and this is not a joke (on any level), two lightly clad ladies appeared, pillow fighting. If it wasn’t so awful it would be funny, summing up in a nutshell some of the issues to be addressed. I won’t mention manufacturers, but TV folks were far from the only offenders.
An audio company had a cage dancer, all the IoT and wearable manufacturers seemed to have a thin attractive female on a treadmill (irony!). There was a lot of unconscious (?) sexism about. I took a couple of photos of these examples planning to run them with this piece, but then felt weird about it. If I post those photos it would start to feel like the ‘sidebar of shame’ on a well known UK national newspaper’s website. So they are gone from my phone, even though I originally took them with the best of satirical intentions. It occurred to me that we could illustrate this story with a picture of Henry (our Editor-in-Chief) and me, but then realised THAT would be sexist in this context. Then I thought we could get our pictures taken with a female techie, or a female mover and shaker in the industry, and realised that would be patronising. Then I got confused trying to work out the implications, ethics and political correctness of the situation and my head literally exploded (not literally). Anyway, this is why BCS works so hard on the ethical side of things. The magnificent seven The first session at CES had lots of numbers of varying interest and the obligatory (?) Yul Brynner reference. Steve Koenig, Director, Industry Analysis at CEA split the global consumer technology market into two main areas: mature, including the US, Asia Pacific and Europe; and developing - the rest. The thrust of this session was the popularity of our ever-more loved/invasive devices and CEA’s predictions for 2015 usage. Unsurprisingly smartphones are still the main driver, described by Koenig as the leader (Yul) of the Magnificent seven: digital cameras, desktop PCs, tablets, laptops, video game consoles and doi:10.1093/itnow/bwv030 ©2015 The British Computer Society Urrghh.... Some of the marketing terms at CES made me a bit queasy. Would any selfrespecting dad or mum refer to themselves as a ‘data-driven parent’? 
And while we are looking at this particularly egregious example, if parents need to be ‘empowered’ to ‘stay connected to their newborn’, they are not ready for parenthood! 66 ITNOW March 2015 LCD TVs. Not sure which one is Charles Bronson, as he seemed to prefer a different sort of hardware... One interesting question was posed in passing: will hardware battles soon be a thing of past as cloud delivery takes hold? The three screens The three screen motif refers to smartphones, tablets and TVs. The first two will have a 46 per cent share of the tech market this year. Indeed they’ve been rapidly ballooning (as was I in Vegas) for a while now. Will that continue? Yul Bryner will move around 1.5 billion units this year, a 19 percent growth rate - slowing down but huge. New low cost handsets coming in 2015 will see 75 per cent of that, mostly in developing markets. More than a third of that in China alone. The likes of Oneplus, coolpad and xiaomi are pressurising Apple and Samsung in China. But these companies have global aspirations too. Tablet (Steve McQueen?) unit sales are predicted to hit 337 million this year, again a slight taper in growth. Like smartphones a lot of lower cost models are coming in. Koenig referred to this as ‘maturation and modification’: a number of players, a number of form factors, screen sizes making tablets, phablets, phone and laptop forms mutate. TV (surely Robert Vaughan) used to be called the small screen, but that doesn’t work now does it? The TV market has returned to growth: 2 per cent for 2015. The average screen size for 2015 will be a not inconsiderable 43 inches. 60 inch plus LCDs are getting larger shares too. (Apparently 60 is the new 50!) 4k ultra HD will see a 150 percent unit increase for 2015 to 23.3 million, with China dominating demand. Existing 1080p will be good for consumers because they’ll get...cheaper, cheapish, cheap (relatively)! Connected TV will grow, quelle surprise! 
60 percent of TVs will be connected devices in the US, for example, during 2015. What of the curved screen? At present the numbers are tiny: barely 1 per cent of the market. The trends at CES 2015 were largely as expected: smart watches, health and fitness tech (mostly wearables), new automotive tech and the internet of things. Information: the new currency IRMS Conference 2015 The Celtic Manor Resort 17-19 May Book your place at Europe’s premier information and records management event now at www.irmsconference.org.uk @IRMSConference #IRMS15 Public Seminars and In-House Training p Enterprise Architecture p TOGAF™ 9 Certification p Zachman Certification p Architecture Skills p Corporate IT Strategy p Enterprise Investment p Implementing Change p Business Architecture p Business Processes p Business Rules p Requirements Process p Business Analysis p Data Modelling p Information Strategy p BI, Big Data & Analytics p Data Quality Conferences p Master Data Management and Data Governance Conference Europe 2015, 18-21 May 2015, London p Enterprise Architecture and Business Process Management Conference Europe 2015 15-18 June 2015, London p TDWI BI Summit 7-9 September 2015, London p Business Analysis Conference Europe 2015 21-23 September 2015, London p Enterprise Data & Business Intelligence Conference Europe 2015 2-5 November 2015, London
© Copyright 2025 Paperzz