Ministry of Defence | Defence News | MOD confirms loss of recruitment data
Ian Batten
ukcrypto at chiark.greenend.org.uk
Wed, 23 Jan 2008 09:08:19 +0000
On 23 Jan 08, at 0120, Adrian Midgley wrote:
> Ian Batten wrote:
>> Define `properly'. I think in most environments outside spooky ones
>> which live and die by compartmentalisation, and perhaps even in those,
>> security is seen as the stuff that gets in the way of doing your job.
>
> Yes, but the stuff that gets the job done, that is _essential_ to making
> the job possible to get done, is not being made to work, nor is there a
> halt at a point before the new system is brought into action.
>
> Modernising Medical Careers last year; Defence Solicitors System
> yesterday.
How did the MMC/MTAS debacle impact on the people who built, operated
and maintained the website? They still got paid, no-one went to
jail, Patsy defended it in Parliament. If you were doing the "do I
busk this insecurely but cheaply, or do I do the job properly?"
game, what incentive is there to act securely? Their customers
didn't seem to care either, as even in the face of plenty of evidence
that the MTAS website was insecure the medical schools and trusts
continued to defend it to the hilt.
It's a common scenario. Neither the designers nor the customers want
to pay any penalty for security (i.e. in complexity, testing, design,
user interface) because they are optimists and believe nothing will
go wrong. And because it usually doesn't, their behaviour is
reinforced. Suppliers and end users within the customer company
conspire to appease the security function within the customer company.
ian