The results of ZDNet UK's last IT Priorities survey showed security at the top of IT professionals' to-do list. We weren't surprised, and neither were you.
For such an important issue, there's an almost criminal lack of clarity and unsullied information to act on. Many of the gate-keepers of primary data in the security sector are the same companies that exist to create shareholder value by selling security services and products: only non-shareholders will think this causes divided loyalties.
An awareness of a company's primary purpose helps us all decode the advice and data it gives out. While an antivirus company will know a great deal about viruses and virus writers, the information it chooses to convey and the advice it decides to give will never work against its own business plans. Fair enough. We know that, you know that. The advice may well be useful, provided we season it with a pinch or two of salt.
Warnings from government, however, are another matter entirely. A missive issued from Whitehall carries a certain weight: on matters such as public health, we trust ministers to have our best interests at heart.
But while the Department of Health has so far been judicious, careful not to create a sense of panic around the bird-flu virus, the same cannot be said of the DTI's behaviour around the electronic kind, or around IT security in general.
This week the latest excerpt from the DTI's Information Security Breaches Survey was released. There may be some justification in using an external consultancy such as PricewaterhouseCoopers to put together a report of this scale, even if we would rather the government had that sort of expertise in-house. After all, consultants merely do the bidding of their paymasters: had the DTI funded the work itself, there would be no question of impropriety.
Yet companies such as Microsoft, Symantec and Entrust coughed up. We don't know what their outlay bought them, but we trust it produced shareholder value. The antivirus excerpt certainly carried large adverts for Symantec, while saying nothing about how important an understanding of operating systems and unreliable patches is when setting a workable security policy. It's not what we would have written.
As an industry we have learned to acquiesce and accept a certain latitude when it comes to security advice. But while we may be happy to filter the output of private sector firms, government must be held to higher standards — especially a government willing to do anything for cash. When investigators are done sniffing around the Capita-scented trail of Erminegate, they may choose to dig a little deeper. We'll be delighted to hold their coats.