ID management a 'human problem,' says privacy group

Computerworld Australia - CIOs and IT managers should be aware IT projects fail due to myriad factors and that technology may not be the answer to a problem, according to Australian Privacy Foundation Chair Anna Johnston.

Speaking at an identity management summit in Sydney on "how to stuff up an identity management program," Johnston said she has seen a lot of money wasted on projects driven by technology providers and politicians.

"Politicians and CEOs like to cut the ribbon on new projects," Johnston said. "There's no point in proceeding if there is no point."

In the case of identity management, Johnston said anything from a "human problem" to poor design, legal noncompliance, and lack of transparency can contribute to a failed project.

"Lesson 1 is to check you have a need for technology and that it cannot be solved another way, [and] don't use a sledgehammer to crack a nut," she said. "If you are in government or business and have the responsibility to do identity management projects, you need to step back and see if there is a key business driver. See if technology is the answer [or whether] investing in staff may be a better answer."

Johnston said to avoid poor design by ensuring that the data-checking systems are well designed to start with, not just the technology.

"To get it right you will need to [discuss it] with people across the organization, including HR and marketing," said Johnston, who is also a director of privacy consulting at Salinger & Co. "Most breaches of privacy and security come from your own staff. The most secure technology can't protect you from lazy, accident-prone or corrupt staff."

No longer surprised at how many people write passwords on Post-it notes, Johnston cited one case where an executive would shout out to a secretary "what's my username and password" and the secretary, in an open-plan office, would shout it back.

"If you're in charge of data security in your organization, you should be very afraid of your most helpful staff," she said, adding that her favorite story is of a police officer who accidentally left DNA evidence on a train on the way to a hearing; as a result, the charges were dropped.

"There is no technology system that can compensate for human frailties. You need good peopl,e and data protection must encompass hard copies of data."

Rather than telling employees you need to prove their identity because of terrorists or the Privacy Act, Johnston recommends being open with staff about what the information will be used for.

Reprinted with permission from

Computerworld AustraliaFor more news from Computerworld Australia, visit its Web site. Story copyright 2006 Computerworld New Australia. All rights reserved.