“We value your privacy” – oh yes? Can you prove it?

How many web sites state baldly “We value your privacy”? If you are curious and decide to click on that little link, buried at the bottom of many a webpage, that says ‘Privacy Policy’, this is one of those over-eager phrases that likely awaits you. Jokes abound: “yeah, they value it so highly, they go and make a stash of money off of selling it to others!”. Do you? Do the cloud services that manage your data? Do you know for sure? How?

Imagine you are in a meeting of the Board, or the governing body of any public or private institution, and you want to ask – someone, anyone – what your organization’s privacy policy actually involves: what do you ask? As I quoted yesterday,

Common agreed Standards help the conversation by, at the very least, providing the right questions that should be asked by fiduciaries.

The value of many Standards can be as simple as knowing that they exist; knowing that they may be applicable; and knowing who to ask about whether they apply and are applied.

We know that the ISO/IEC 27018 Standard exists (at least from reading this, if not before!); we know that it applies to privacy in cloud-based services and helps protect personal information. You are in the Board meeting and your duty as a fiduciary is to ask questions. How about starting simply with “Do we use ISO/IEC 27018?”. “Yes? Great…” – now what? The CIO, the CTO, the procurement manager, whoever it might be, is telling you that the Standard is used. You are no technology specialist but is it really enough to take their word for it?

Maybe. As a comparison, in a small organization it might be enough to know that the accountant uses double-entry bookkeeping and pays all taxes. In more substantial undertakings, those assertions are checked, audited, internally and often externally – again, using commonly accepted standards.

Back to our Board, and in a similar vein, you will be exercising due diligence by asking more: “what can you show, to a lay Board member like me, that what you say about our use of technology Standards has some weight here?”.

This is where compliance and certification come into the picture. First of all, compliance.

Showing compliance with a standard helps demonstrate an organization’s trustworthiness. Providing current and potential customers the clear signal of compliance with ISO/IEC 27018 is an easy way to confirm that personal information handled by a cloud service provider will be used only as they approve and that it is being held securely. Nowhere is this more important than in the public sector, where government agencies are often subject to stricter obligations to protect information in their care. When it comes to navigating the difficult waters of European Union data protection rules, 27018 also means that customers can count on the provider of the cloud service to help them meet their obligations.

What does compliance involve?

A cloud service’s compliance with ISO 27018 controls means that a customer will know that the service provider:

  • will keep them informed where their data is stored and who is handling it, including all “sub-processors”;
  • will ensure that their staff and contractors are bound by confidentiality agreements and receive appropriate training in handling sensitive data;
  • will not use their personal data for marketing or advertising without their explicit consent;
  • will return, transfer or destroy customer personal data at their request;
  • will help the customer with requests for accessing, correcting or deleting personal data;
  • will notify the customer promptly of any data breach and of the measures being taken to make amends, so that customers can comply with their own obligations to their users;
  • will only comply with legally required requests for disclosure of personal data;
  • will subject their services to independent and regular review.

Customers are sometimes subject to information security rules that restrict where data can be stored. Because 27018 requires certified cloud providers to inform customers of the countries where their data may be stored, customers will have the visibility they need to ensure compliance with applicable data transfer and public procurement rules. 27018 also requires cloud providers to be upfront about the identities of any sub-contractors they engage to help with data processing before customers enter into a contract. And if any of this changes, the cloud service provider is required to inform customers promptly to give them an opportunity to object or terminate their agreement.

Some cloud providers use cloud customer data for their own independent commercial purposes, including for targeted advertising. This worries customers, who often handle sensitive data that shouldn’t be re-used by third parties. To make sure that the customer is always in control, 27018-compliant providers may not use customer data for their own independent purposes, and cannot use that data for advertising or marketing purposes absent explicit consent from the customer, which cannot be a condition for receiving the cloud service. The choice should always be with the customers.

Customers are often concerned that cloud services will lead to “lock in”, reducing flexibility and nimbleness over time and creating a culture captive to a single standard, software tool, or system. ISO/IEC 27018 requires the cloud service provider to implement a policy to allow for the return, transfer and/or secure disposal of personal information, within a reasonable period of time. In this way, the customer can be confident they won’t be “caught” by lock in.

EU data protection law imposes certain requirements on cloud customers – including to allow individuals whose personal information they hold to access that information, to correct it, and even to delete it. Fulfilling these obligations can be a challenging task where an organization has its data stored in a third-party’s cloud. But ISO 27018-compliant providers are required to help customers meet these obligations. This includes offering tools that help customers comply with their data protection obligations to their own end-users – including obligations to allow end-users to access, correct and/or erase their personal information.

ISO 27018-compliant providers must specify how quickly they will notify their customers of an unauthorized disclosure of PII and how they will help their customers fulfil their notification obligations. ISO 27018 also requires cloud service providers to record the type, timing and consequences of any security incidents, the name of the reporter, to whom the incident was reported, the steps taken to resolve the incident, etc. – creating a record that will in turn assist customers in meeting their reporting obligations.

Customers can be confident that a 27018 compliant cloud service provider will only comply with legally binding requests for disclosure of their data. In the age of major data breaches and revelations about the role of intelligence agencies, this addresses a real concern. An ISO/IEC 27018-compliant cloud service provider must reject any requests for the disclosure of customers’ personal data that are not legally binding. And if it needs to comply with a legally binding disclosure request (e.g., in relation to criminal investigations), it must always notify the relevant customer, unless prohibited from doing so by law.

Certification, simply stated, is the externally validated proof that something or someone is compliant with a standard. ISO/IEC 27018 certification will help a cloud service provider demonstrate that its cloud privacy policies and practices are robust, and in line with best industry practices. Cloud providers who adopt the new standard may be preferred over cloud providers who lag behind in implementing ISO 27018 – particularly vis-à-vis government customers who are often subject to strict procurement, security and auditing rules.

Getting certified

Organizations won’t be certified directly against ISO/IEC 27018. Instead, 27018 provides an additional statement of applicability for ISO 27001 and certification against the controls covered in ISO 27002 plus the additional controls in 27018. Certification will therefore still be against ISO 27001 and 27002 – but customers and suppliers alike should be looking in the future to see whether certification covers the additional controls for protection of PII in the cloud, as set out in ISO 27018.

The new standard helps organizations assess potential risks and proposes additional controls for the protection of personal information that may be stored or managed in a cloud-based service.

The new standard will strengthen privacy by adding key protections for sensitive information stored in the cloud, the so-called “Personally Identifiable Information” (or PII for short). This is the first international privacy standard for the cloud, incorporating privacy controls specifically for cloud services, and will help a cloud service provider demonstrate that its privacy policies and practices are robust, and in line with best industry practices.


Good Governance of Cloud Services – role of privacy standards – Sony, are you listening?

I mentioned in my post yesterday that a 2-page Boardroom Briefing on Privacy in the Cloud has now been released, which looks at the value of the recently published ISO/IEC 27018 Standard. Please take a look and send me any feedback.

In this and the next couple of posts, I want to go into a little more detail on the themes covered in last Friday’s roundtable. Today, I want to explain a little more about the recent ISO/IEC 27018 Standard. But first a little background:

It is rare for international standards to reach the average boardroom – but when they do, it is often not as part of thoughtful planned governance but in reaction to a major problem or disaster. Think of the fallout after Enron and the desire to beef up financial reporting standards. Many standards had been widely available but not so widely used. So when major disaster struck, government regulation was favoured over voluntary conformance using available standards.

Now consider the growing complexity of handling personal information as businesses make ever greater use of cloud computing services: A similar pattern of interventionist regulation may emerge in the area of protection of personal information in the cloud if business is not able to demonstrate that it can, and will, use standards available to it; conform with existing legislation where appropriate; and take the effort to follow good business practices.

Do organizations even know what personal information flows through their systems and services? Who is responsible for personal information? How it is managed, stored, backed-up, audited? To what risk is the organization exposed if there are issues with a cloud service provider? Who is liable? For what? To what extent?

We need look no further than today’s further news of the agonies that Sony must be undergoing in response to the latest wave of attacks on their information systems: there’s an interesting short article over at Forbes, “Can You Guess Who Benefits The Most From Sony’s Data Breach?”, that starts to highlight their plight.

Thankfully, there is help at hand.

The ISO/IEC 27018 Standard is the first global standard concerned specifically with privacy issues in cloud computing. It’s relatively new (published at the end of July 2014) and represents the result of work by a leading group of standards professionals specializing in problems related to cloud computing, information security, and privacy questions.

The standards world is no stranger to information security. Already since 2005, the ISO 27001 standard has provided a framework for identifying and classifying information security risks and choosing appropriate controls to address them. It was largely geared to the needs – prevalent at the time – of information systems managed within the clearly defined boundaries of an enterprise. This was before cloud computing really took off. The new ISO 27018 Standard recognizes that as cloud computing services have become more common, organizations are looking to understand how the increased use of such services is impacting their exposure to potential risk, none more so than in the delicate and difficult area of personal information and privacy.

ISO 27018 builds on ISO 27001, itself a comprehensive standard for implementing and maintaining an information security management system; and ISO 27002, which provides a set of policies and controls against which an organization can be certified as compliant. ISO 27001 defines an information security management process and basic requirements which aim to address an organization’s overall business risks by selecting adequate and proportionate security controls.

ISO 27018 enhances existing, more general ISO security standards in two important ways:

  • Firstly, it extends the original set of controls to provide implementation guidance for the protection of PII in cloud services; and
  • Secondly, it integrates key requirements for data processors under the European Union data protection legislation.

ISO 27018 provides additional guidance or specific criteria to ISO 27001; it also adds controls that reflect PII considerations specifically for cloud services. Customers will be able to verify compliance with the ISO 27018 controls by examining documents from a third-party ISO 27001 audit or by reviewing a publicly available letter from the certifier stating that all 27018 controls were included in the scope of the 27001 certification. I will return to the issue of certification in my blog tomorrow.

So what exactly are the benefits of using and following this particular Standard?

It provides guidance to cloud service providers about how they should go about the processing of personally identifiable information of their customers. It is based on six main areas:

  • Consent: cloud providers must not use the data they receive for purposes of their own advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
  • Transparency: Cloud providers must inform customers where their data resides and make clear commitments about how that data is handled.
  • Accountability: The standard asserts that any breach of information security should trigger a review by the service provider to determine if there was any loss, disclosure, or alteration of PII.
  • Communication: In case of a breach, cloud providers should notify customers and regulators, and keep clear records about the incident and the response to it.
  • Independent Audit: A successful third-party audit of a cloud service’s compliance with 27018 documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations.
  • Control: Customers have explicit control of how their information is used.

No Standard on its own is a panacea. It has to be part of a comprehensive, Board-level led business strategy. As a Director and a Board Chair, I have always seen it as a central part of my function, and that of my peers, to ask questions. So it seems appropriate to leave the last word for today to one of the participants in last Friday’s roundtable:

Common agreed Standards help the conversation by at the very least providing the right questions that should be asked by fiduciaries.


Privacy in the Cloud – a role for Standards?

Last Friday, it was my privilege to moderate a roundtable discussion hosted by The Dewey Group in Washington, D.C. with an extremely distinguished panel of speakers:

  • Cameron Kerry, Senior Counsel, Sidley Austin LLP and former General Counsel and Acting Secretary of the United States Department of Commerce;
  • Deborah Hurley, Chair, Electronic Privacy Information Center and Fellow of Harvard University;
  • Ambassador Daniel A. Sepulveda, Deputy Assistant Secretary at the Bureau of Economic and Business Affairs, U.S. Department of State; and
  • Naomi Lefkovitz, Senior Privacy Policy Adviser at NIST

The discussion, together with a couple of dozen participants from across industry and privacy groups, was wide ranging and intense but focused on a number of important themes:

  • growth of the digital economy without a concomitant growth in the governance of digital information and the consequences of its use;
  • growth of cloud computing and the outsourcing of technology;
  • the need for (and limits to) information security coupled with protections from privacy breaches and harm;
  • the role of Standards – particularly in helping the conversations that senior executives need to have with their CTOs and CIOs.

My 2-page Boardroom Briefing on Privacy in the Cloud, released to coincide with the event, particularly looks at the value of the recently published ISO/IEC 27018 Standard.

I will be publishing a series of blogs over the next couple of days that go into a little more detail of our discussions and the themes covered.


Governance of big data – read @digiphile’s excellent contribution

The 31st January 2014 article by Alex Howard in Tech Republic – “Data-driven policy and commerce requires algorithmic transparency” – warrants being read several times over and widely discussed.

At its heart, it is an argument against exactly what the title implies: that policy and commerce should not be driven by big data even if they are increasingly informed and helped by big data.

This theme – one that I have written and spoken about extensively over the years – is a theme to which I will return throughout this year with more focus – the issue of information technology governance and for a number of key reasons, some of which Alex also raises in his article:

  • there is palpable public concern about the lack of oversight and governance of how certain technologies are used, even if such concerns are not articulated as such;
  • the domain of IT governance is now recognized as a distinct area of concern within global standardization work, with the creation in November of a specific and explicit home for this work – the so-called “SC40”, a new group created within ISO and IEC’s global collaboration on information technology standards;
  • there is still a lack of understanding between the very distinct roles of managing information technologies (very much a core senior IT function) and governing their use – very much not an “IT issue” but a broader societal, policy and, within organizations using IT, Board level issue.


CIO or CTO – what’s in a name?

In the discussions last week on governance of information technologies (see my previous post), points were inevitably raised about the specific responsibilities of different actors, none more than the ubiquitous “Chief Information Officer” or CIO.

Having been so heavily involved in semantics over the last few years, it is inevitable that I would turn my attention sooner or later to this title: what does it actually mean? Or what is it intended to mean and convey?

Ask most people who have an opinion on the matter (and admittedly it’s a rather marginal sport) and they would probably answer that the CIO is the person in charge of an organisation’s information technology infrastructure. It seems a more senior version (or at least more important sounding title) than simply “IT Manager”.

This got me thinking: well, if that is the case, what then is a “Chief Technology Officer”? Are they the same? If not, what is the distinction? And is it important?

I want to argue that they are not the same; that there is much confusion of roles; and – yes – the distinction is important, as I hope to show.

I think that there is a clear distinction between a CIO and a CTO and that it is about time that the distinction is considered maturely in discussions about governance of large organisations. Some internet start-ups (or should that be up-starts?) play around with new titles such as “Chief Wisdom Officer”, “Chief Laughter Officer” or other such amusing and attention grabbing titles. Any serious and mature organisation will expect that the titles of their senior executives correspond to clearly defined and delineated executive responsibilities. CEO, CFO, and COO are the most commonly used and understood. CIO has entered the stage alongside the development in the role played by technology in an organisation’s health and development and as such it would seem logical to include that function in the “CxO Suite”. But what exactly does it involve?

If the responsibilities of managing technology and managing information were so clear cut, there probably wouldn’t be such an issue: if, as a manager, you are “only” responsible for the machines, as arbitrary pieces of hardware – with value as physical assets – you would be forgiven for managing them in the same way as you would for any other physical asset, like buildings, furniture and other machinery and equipment. In former days, such a CTO job probably fell under the responsibility of a COO.

Likewise, if you were responsible for the data, information and knowledge that your organisation generates or manages – with value as intangible assets or “know how” – then you would manage those assets too in a manner appropriate, irrespective of how they are generated or kept. Even before technology pervasiveness, this was an important ‘CIO’ function even if it didn’t carry such a title.

However, it is inherent to the nature of “information technologies” that the lines between the two are blurred. “Before IT” (and I know that I’m addressing a dwindling proportion of the living when I say that), organisations managed content in paper files, folders, with filing clerks, documentalists and librarians. As IT started to encroach into our daily organisational lives, there was a period during which programmers and developers were relatively indifferent to “content” or data – it was the application that was important and emphasis was on doing something to arbitrary data coming in, processing it and pushing arbitrary data out the other end. How the data came in or went out was very much subservient to the needs of the processing. What that data was, was essentially someone else’s issue.

Then came SGML and XML that – by capturing or ‘encapsulating’ data in a structured manner – intentionally promoted the importance of the actual content, allowed it to be repurposed and re-used and gave explicit value to the content by treating that content as distinct artifacts and thus as assets with distinct business value (I actually explore these themes in more detail in my book, Information Architecture with XML, which – although a little dated as regards specific technologies – nonetheless stands the test of time as regards information management).

Despite this distinction between the “contents” and the “container” (the hardware and software that uses, manages and disposes of the content), the term “information technology” is still used to embrace both – and the function of CIO generally aligns with that.

And I think that this is wrong. Here’s why.

The way that we manage technology and consider it as a business asset involves a very different skill set and sense of priorities from managing information as a business asset.

I think that there are two very different and distinct functional roles:

  • responsibility for managing information technology as a corporate asset (the emphasis thus on the technology) – this is the function and role that I would chiefly ascribe to a CTO;
  • responsibility for managing whatever content runs on that technology, also as a corporate asset (the emphasis here being on information) – this is what I would ascribe to a CIO.

Organisations that are starting the process of migration to cloud-based computing environments are starting to see this more than others, precisely because there are different types of cloud environment and because of the more explicit and logical separation of content from its processing.

An example may make things clearer: take customer relations management (CRM). When the whole of the “CRM system” is managed and hosted in-house, “it” can be seen wholly as belonging to the IT department as a service. The IT people decide on which software to buy, lease or build; and which hardware to use and how it is configured; and how much the whole thing will cost to deploy and maintain. If “users” (and see my caveat on this term) are unfamiliar with the software or find it difficult to use, they are criticised as being stupid and the IT gods go unquestioned.

Once CRM is ‘outsourced’, or leased to an organisation from a third party, offered as “software as a service”, the dynamics change radically. The service is chosen based on cost, usability, efficiency and effectiveness. As a client you don’t have to worry about the technology infrastructure but neither do you get a say (except through the power of the purse) about how that technology is configured or deployed. You worry, obsess even, over where “your” data is stored, managed and accessed and by whom and according to what rules and processes.

More than that. It actually provokes – or ought to provoke – a thorough re-assessment of who is actually responsible for what. And that’s not as easy as it looks.

It may be easy enough to argue that “post cloud migration, we don’t have any technology to manage as such, so we don’t need a CIO any longer” but many technology issues still remain. What (client) devices are your staff using? How is content secured, both in the cloud and on local devices? How is authentication and authorisation of access performed? By whom? How and where is the content actually ‘domiciled’ and hosted? Some of these may be broader management and governance issues but some are clearly technology ones.

It isn’t so clear cut either when your “content” itself includes home-made software, business processes, models or schema that are not strictly speaking content but are nonetheless business assets and need to be managed as such. So who is responsible? The CIO? Should there be a CIO as well as a CTO? Where do you draw the line?

What I have found useful is to think about what the distinctive roles of each are, which – even if performed by the same person as part of the same, rolled-up function – can nonetheless be separated out into distinct responsibilities. Doing this makes it much easier for everyone to understand the complexity of what is being dealt with and ensure that the right questions are asked by governance bodies charged with oversight of an organisation’s “IT”.

The two diagrams below are from a slide deck that I had prepared for our work last week in Tokyo and in which I highlight what I think are the main differences between a CIO and CTO function.

[Diagram: Technology viewpoint]

[Diagram: Information viewpoint]

My conclusion at present, for what it is worth, is that while the two job profiles are very different, there is no clear demarcation between the two: what is important is that a distinction be made in terms of the types of assets being managed and the relative importance of them to an organisation. If your business is building software, you would treat the software builds as valued assets but any data generated or used by the software (in testing, for example) would be considered irrelevant. On the other hand, if your business is tracking stock information, the information is a valued asset whereas the software being used may be secondary (as long as it performs according to your needs). As the diagrams show, the transition is gradual and each organisation needs to determine how much of which role is necessary for their own good governance.


IT Governance and “Technological solutionism”

At first sight, there wouldn’t seem to be much to connect the impassioned writings of a Belarusian journalist and the sober reflections of a small standards working group that met for its second meeting in Tokyo this past week.

However, they have more in common than one could imagine. The journalist, Evgeny Morozov, has presented in his most recent book “To Save Everything, Click Here – The Folly of Technological Solutionism” an excoriating critique of what he sees as a major societal danger – that of an elite of technology leaders assuming leadership in domains of which they have absolutely no understanding nor experience. Silicon Valley, he argues, is on a quest “to fit us all into a digital straitjacket” and yet

Imperfection, ambiguity, opacity, disorder, and the opportunity to err, to sin, to do the wrong thing: all of these are constitutive of human freedom…the urgency of the problems in question does not automatically confer legitimacy upon a panoply of new, clean, and efficient technological solutions so in vogue these days.

Ah, “solutions” – we see the promise of them everywhere (and yes, I confess, it was there in the strapline “Thoughtful Solutions” of my former company, Pensive – but that was when I was younger and more naive). Surely there is nothing wrong with seeking solutions? Well actually, yes there is, as Morozov points out: thinking that any and every issue can be “solved” puts us into a frame of mind where every “problem” ultimately has a corresponding solution. As he rightly argues, this is far from true in the real world. Some issues are simply not “solvable”, many others are not problems to begin with. There is also a deeper misunderstanding that he explores – the distinction that I refer to in my own work between “Outcomes” and “Outputs”. A hilarious example of the difference between outputs and outcomes (unless you are the taxpayers concerned) can be found over on the BBC website.

And this is where the working group in Tokyo comes into the picture.

A little under a year ago, the (take a deep breath) International Standards Organisation and International Electrotechnical Commission’s Joint Technical Committee #1 – better known simply (and gratefully) as “JTC 1” – decided to establish a new working group to take on standardisation work in the field of “Governance of IT”.

Corporate Governance hit the headlines after the turn of the Millennium following the spectacular collapse of companies like Enron and WorldCom and the introduction of legislation such as the Sarbanes-Oxley Act in the USA. There was a feeling that even if large corporations were well managed, they were certainly not well governed. The distinction is important. Managers are concerned with deliverables, projects, product lines – in short, with outputs. “Governors”, in practice Boards of Directors, are concerned with the overall impact of the corporation, with outcomes.

In economic models not obsessed purely with the stock value of public companies, corporate governance is concerned with wider economic issues such as the impact on jobs, welfare, the community and environment – arguably the true economic cost of capitalism, the overall societal and economic outcomes of their operations.

If management is concerned with outputs – which are tractable and can be measured – while governance is concerned with outcomes, how can governance be measured? This is the heart of the issue that this new JTC 1 working group is scoped to address. What became rapidly apparent in the discussions last week is that there are many areas of technology where management may be good but where governance is appalling or completely absent: cloud computing, data privacy, Smart Grids and Smart Cities, so-called “Big Data”, the “Internet of Things”. All present enormous governance issues but you wouldn’t always know it, to see the way the ideas are promoted and sold by technology leaders and evangelists – which is precisely Morozov’s core concern: left in the hands of the technologists, many of these important technology developments will simply not be considered, deployed or evaluated for their wider social, economic and cultural impacts.

This week in London, a special group within JTC 1 will be considering the future of work done on IT Governance and how it is handled within the complex global standardisation system: the frontrunner proposal is that all aspects of management and governance of IT should be handled by a new, dedicated group and that all existing work in the respective fields be transferred to it.

This is proposed, not because management and governance are so similar; nor because the issues to be addressed are the same; but precisely because it would be better for everyone concerned that a single group discuss and determine the appropriate boundaries between the two disciplines and thus be able to better target the work that is needed and assign it to the most appropriate group to provide responses and guidelines. If not, there is a danger that “IT governance” withers as a ghetto minority interest, while IT management flourishes without the appropriate insights and oversight of non-IT governors.

At present, too many IT issues are handled as if they are purely management issues rather than governance issues. Addressing this, however, requires two cultural and organisational changes:

  • firstly, it means that IT “managers” be willing to recognise and accept that their role, although important, should focus on management and does not extend to advising what’s best for the organisation or assessing the impact of technology use (there is another, related distinction, that I explore in the following post);
  • secondly, that Boards of Directors stop shirking their responsibilities and abdicating all responsibility for IT governance because it is “just” or “too” technical. They need to focus on the overall impact and outcomes that use of technology will have on and in their organisations and not be afraid to ask questions.

The distinction is important and goes to the heart of what went wrong with corporations such as Enron. The financial managers were doing their job – and many probably thought that they were doing the right thing to help the corporation – but governance failed abysmally.

It took those failures for legislators and corporations alike to realise that there was a clear separation of responsibilities between governors and managers. The big problem we face is in recognising the similarity – after all, technology geeks are so much more fun and cool than “boring” accountants, so we are more likely to be swayed by their siren song. However, what was true for financial management a decade ago, is true for IT management today. We ignore the distinction between management and governance at our peril and we need to address IT governance as soberly as we have started to do for other aspects of corporate governance. I’m happy to be part of that work and I sincerely hope that JTC 1 fully appreciates the import of its deliberations on the way forward.


Amazon’s bid for the .book domain name – The blame lies elsewhere

Interesting story over at The Verge about publishing industry opposition to Amazon trying to muscle in to own a proposed new .book top-level domain.

So why are Amazon attracting all the flak? The real culprit, in my opinion, is the ICANN of worms opened last Spring – I blogged at the time that what they were doing was a very, very silly idea and would really benefit nobody but crooks and dodgy operators. To be clear, I do not place Amazon in either category. In their shoes, I would have done the same and tried to register .book before anyone else did – a (for them, relatively cheap) insurance policy.

But if you set in motion a process that has limited to no real benefit for legitimate operators but offers a boon for crooks and dodgy operators, what would you call it? Answers on a postcard please…
