Brian Shorten, chairman of the Charities Security Forum, tells Dan Raywood about the third sector's unique information security plight – and how his network can help.
Charities big and small face unique IT and security challenges. From local hospices to the largest fundraising organisations, the third sector is a mixed bag of experience and information security requirements.
Some opt for external service providers, or even outsource their security functions. Others rely on the abilities of their volunteers, to a degree – if a local supporter has some HTML knowledge, why not give him the task of creating your website? That is fine, but smaller charities are likely to find that the expertise required to carry out more serious information security jobs eludes them.
This is where the Charities Security Forum (CSF) comes in. Formed five years ago as a network of experienced security people, it recently appointed its first full-time employee in the shape of co-founder Brian Shorten. CISO of Cancer Research UK until his retirement last year, the chairman has so far attracted 200 charities to the forum and, now that it is his sole occupation, is striving to expand the network further.
He says the CSF membership spans “any size, location, sector and turnover” and likens the forum – which started as a project “to find other people in charities to get some hints and tips on security” – to similar networks in the financial services and communications sectors, and those that exist in sport, where friendships are formed and advice is given.
Shorten explains that the nature of this method of information sharing is essential. He cites the example of a telco that officially might declare itself free of problems, but whose security staff, in the environment of a forum, “tell you they get hacked all over the place – and this is how to fix it”. He adds: “It's useful because everybody who gets together gives each other warnings. They send emails and so on – and that's something I wanted for charities.”
He continues: “If they've got three or four staff, [with] HR and payroll [departments], they need to protect records [in accordance with] the Data Protection Act and the Information Commissioner's Office. With a hospice, there are patient records and you've probably got drugs inside. You've got sponsors' and supporters' records that need to be kept.
“If you're taking money by credit cards, that's PCI DSS. However you get the money in, you've got to look after it. You've got to keep the books. If people are giving you donations, you need to get gift aid and tax for that, so that's HMRC. You've got all these supporter details and that takes you straight into the Data Protection Act, and you're responsible for all this because you're managing the charity's security.”
Strength in numbers
Shorten says all this presents a worrying problem for whoever the charity has tasked with information security. “It's probably only you doing it, and you sort of know that you've got to do it, but you don't know the way to do it,” he explains. “You've got all these regulations that are saying, ‘If you get it wrong, you're responsible.’ If you screw up credit card details or supporter details, no one's going to say, ‘Yes, but you're doing it with the best of intentions, so we won't worry about it.’ The Information Commissioner is going to come knocking at the door and say, ‘You screwed up.’”
It is an issue that has been discussed among CSF members – proof, Shorten says, that a network of professionals is the ideal place to share ideas. His role, he declares, largely involves attracting new members and moderating discussions, as well as offering a mentoring scheme with other senior members of the forum.
The problem with the security industry, he believes, has been a lack of opportunity for general conversation on pressing issues – a place where people can seek advice from their peers without potential wrongdoers getting an insight into a deemed weakness. Shorten attributes this to the nature of the job – if you are the security person who is supposed to know everything, then seeking advice can be a sign of failure.
“It is funny, but Cancer Research was the first place that I had worked at for a long time where I was the sole security person without any sort of back-up. At my previous job at WorldCom, we had something like 100 people in the security department; they were doing different things, but they all backed each other up,” he says. “If I wanted to know how something worked on Windows from a security point of view, I could go and ask one of our security people. At Cancer Research, there were just a few of us and some normal IT techies. The first time I said to someone, ‘I don't know the answer, I'll have to come back to you’, I expected them to go, ‘Well, you're supposed to know, you're the security guy, that's why we employed you.’ Instead, they said, ‘Okay, fine.’ So, I went away and perhaps did a little bit of research.”
He adds: “Because you have to keep on top of all of this stuff, what tends to happen is that you're [seen as] an expert; three months later, someone asks you about it, but things have moved on – you're [expected] to know a lot about everything. That's one of the reasons for having forums: if you don't know it yourself, somebody else will.”
We hear plenty of talk of targeted attacks and mobile threats in the news here at SC, and Shorten says charities are no different to any other organisation in that they potentially hold large user databases that are their intellectual property. And donors not only trust the charity to use their money wisely, but also to look after the data they hold.
Shorten explains: “If a large charity with millions of supporters loses some of its data, are people going to continue to support it when the media are reporting that the Information Commissioner is on its trail?”
There are also issues that come with a charity's specific activity. Those that carry out testing on animals, for instance, face all manner of threats from activists. Yet Shorten stresses that even the most uncontroversial charity can be vulnerable to attack. He says: “There are three classes of people who attack charities: those who understand what you do and don't like it; those who go for you because they think you've got something they want to criticise; and those who simply believe you're an easy target. I don't think people are going to attack a charity just because it's a charity, not unless they've got a vested interest. They are more likely to attack because they think that the charity is going to be an easy target.”
A force for good
I ask Shorten how he would describe the remit of the CSF in ten words. He says he couldn't do that, but offers the nonetheless concise explanation that if the “bad guys are organised, so we should be too”.
“Though that is a bit tacky,” he quickly admits, before continuing: “It's essentially to help security professionals in charities with common problems, whatever the problem is and whatever the experience of the professional.
“There are stacks of people I can contact and ask, ‘I don't know anything about this, what do you think?’ It's interesting when you do that – not only do you get someone saying, ‘Yes, I can tell you about this, this and this’, you also get someone advising on technology for supporting iPads, for example. People want to help.”
Shorten concludes by declaring his passion for the project. Having worked for some big organisations, he saw the niche for a communication forum, as well as the goodwill towards charities.
The future of the CSF lies in Shorten expanding its membership, as well as reaching out through speaker conferences and events. His remit – “to find other people in charities to get some hints and tips on security” – has pertinence at a time when global collaboration is a hot topic for the industry. Having a forum where ideas and experiences can be shared could be crucial for members old and new.
Opinion: ‘The CSF is a critical resource’
I was new to the voluntary sector when I started in my current role, and the Charities Security Forum (CSF) has been a really valuable resource as a source of advice and support. I've picked up some very useful advice on how to approach the NHS IG Toolkit from the information security managers of some of the medical charities, and have been able to offer support and advice to other CSF members on my particular area of interest, which is data protection.
The role of the voluntary sector in UK society is changing quite a lot, as more charities become integrated into the delivery of health and social care services. It seems to me that the drive toward increased professionalism demanded by these changes can sometimes present a challenge, as long-term workers in the voluntary sector may be suspicious of systems and processes to enhance security and compliance, somehow believing them to be a slippery slope to the ‘dark side’ of corporate culture.
The CSF allows us to share ideas and case studies about these challenges so that we can learn from each other's successes. Because the forum operates under ‘Chatham House Rules’, we have the freedom to share genuinely useful information without worrying that, by doing so, we could put an organisation's reputation at risk.
I think that the CSF is a critical resource for smaller charities that may not be able to employ dedicated IS managers, or that outsource a lot of their IT and compliance functions. They can benefit from the expertise and experience offered by the members who do cover these areas in-house. We've had some very interesting and informative speakers at our quarterly meetings, including a representative from the Information Commissioner's Office.
What's more, because security managers often feel as though they operate in their own little niches within the organisations that employ them, it is therapeutic to get together with a group of people who do a similar job in a similar environment.
What can we achieve together? Well, personally I would like to see the CSF play a significant role in strengthening working relationships between the public sector and the private sector, especially in areas such as effective and ethical information sharing. At the moment, the disparate systems, processes and tools in use can be an unnecessary barrier to effectiveness, while at the opposite end of the spectrum an ‘access all areas’ approach without appropriate controls is too much of a threat to individuals' rights to confidentiality and privacy.
The CSF is uniquely placed to address some of these challenges and help set standard approaches for secure and effective cross-sector partnerships.
Rowenna Fielding is information security manager at the Alzheimer's Society and a member of the Charities Security Forum.