Our collective conscience is being regularly jolted by high-profile data losses and compliance incidents. I cannot help but compare them to the high-profile crises that occur from time to time in the Oil and Gas Industry. Whilst the environmental impact of a large oil spill has a planetary effect, and I am not for a moment saying a large data loss incident is in the same league as, say, the Gulf of Mexico spill for BP, I cannot help but get the sense that some of the underlying issues that lead to these events are similar in origin.
In my opinion the root cause of these continuing problems in compliance management is a fundamental lack of understanding, on the part of Board and Executive teams, of the nature of the shift we have all witnessed from the physical to the electronic world.
There are always exceptions, but this lack of understanding leads to a state of denial, where financial service organisations view compliance much like road traffic penalty points to be avoided, rather than an inherent part of their ‘Business as Usual’ regime.
The Exxon Valdez oil spill in Prince Sound, Alaska on March 24th 1989 was a tipping point for the Oil and Gas Industry. The disastrous effect on the reputation of that company and the impact of that event on its business activities started a sea change in the thinking of the Board and Executive teams, and the event is widely recognised as the start of the whole safety and zero-harm cultures within the Oil and Gas Industry. Indeed, I experienced this first hand recently when coming down the stairs in the office building of an oil company: a stranger approached and asked me if I would hold onto the handrails whilst walking down the stairs. Overzealous in its execution maybe, but that’s the extent to which that industry has made the cultural shift necessary to change the behaviour of their people.
It’s not all doom and gloom – I am very encouraged by the tie-up between the British Bankers Association (BBA) and the City of London Police. They have just announced plans to work closely together to stop cyber criminals stealing from customers by setting up a “virtual ring of steel” around London’s financial heart. This is exactly the type of joined-up thinking that is required in this new digital world.
Finally, as someone who works with organisations to help defend against compliance and security incidents, I can only feel a level of sympathy for the IT Security, Information Governance and Compliance folks at Barclays. It’s hard enough “walking the wall” every day, but an incident of this size always turns a crisis into a drama and makes the day job even harder.