Jonathan, Sue. Having just read Johnson's letter (I did wash my hands immediately afterwards!) I thought the rules and guidance were reasonably clear. I'm saying that as someone who's struggled to write information security and data protection policies where every expert has a different opinion, different teams work in their own ways and think they have special needs and the threats, vulnerabilities and risks are constantly changing. I used to have the three Es. First: Education, people need to understand the rules and, more importantly, why their there. Secondly: Embed. Build them, in this case, into day-to-day living, including leading by example. Seeing the cabinet not social distancing isn't helpful, the Scottish CMO's example was unforgivable and there was no way she could stay; definitely a mistaken by the Scottish first minister trying to keep the CMO. Finally: Enforce, but one has to be sure enforcement is practicable otherwise the whole thing falls apart; my deputy was for a strong approach - her father was a policeman - but I had to take the stance we ain't gonna fire the CEO for sharing his email password with his/her PA, they have to be trained how to setup legitimate delegation access via Microsoft's settings. I think the knee jerk reaction is to set huge fines for non compliance but will they get paid in the current economic climate? If not, that creates a bigger credibility problem and law enforcement issue. The government has the 4 Es - ok, I didn't have the engagement issue, it was part of company induction, but they or a by need to strengthen the explain and encourage. Sadly, perhaps the UN's STEM education hasn't prepared some people sufficiently to grasp the issues? I don't claim to have all the answers in this situation but I think the government is right in following policing by consent. |