Sack security personnel who can't say why they're adding security - Dr Ian Levy, CESG
Information assurance body technical director says more security doesn't always mean better security
If web security personnel can't explain the specific reasons why they want to put more security software on the corporate network, then they shouldn't be in a job, because more security doesn't always mean better security.
That's what Dr Ian Levy, technical director for CESG (Communications Electronic Security Group), the UK government's national technical authority for information assurance, told the audience at the Government ICT 2014 conference at the QEII Conference Centre in Westminster today.
CESG's core customers are central government departments and agencies, along with organisations that form part of the wider public sector.
"I'm obviously the evil, Cheltenham [location of GCHQ] security geek. I'm the one who won't let you use iPads. I'm the one who makes PSN horrible," Levy said of the demand for security in government, but he argued that more layers do not necessarily mean more protection.
"Here's the thing, more security isn't always better. It's got to be proportional and appropriate security. If people are telling you to put security on your systems but they can't explain why, sack them!" he argued.
Levy's presentation - entitled 'Fighting the winged cyber ninja monkeys' - "because talking cyber security is boring" - addressed the many restrictions on what government employees can do with IT, such as using their own smartphones or tablets for work-related activity.
"With the technology available today, we don't believe you can do bring your own device [BYOD] securely for central government data, and the Information Commissioner agrees with us," he explained.
He said that no matter how often you attempt to drive the security message home, somebody is going to fall foul of a malicious link in an email or on a website, or be careless with password selection.
"All users are dumb, at some point. People are human, humans make mistakes, so no matter how many times I say don't click the link, somebody is going to click the link," he said.
"No matter how many times I say don't use the same password for PayPal and something else, someone's going to do it."