Security in the public sector - a cognitive dissonance

June 2004 News

There are a number of key areas in which security projects in the public sector can fail. These include management, acceptance of responsibility, education and business continuity.

Management

Too often, senior management do not rate security as important. This tends to be because few senior managers have come up through security-associated roles. Experience has demonstrated that although senior managers want security, they do not understand the full requirements, in that they will not allocate the resources (human, financial or infrastructure) necessary to effectively manage the security required for a particular project. The only way to ensure that senior management accepts the requirement for appropriate resources is to brief them clearly on those requirements and associate them clearly with business benefits.

This is an area where security managers regularly fail. Security managers have to have a clear understanding of the business strategy because, if they do not, they will not be able to identify the business benefits that will accrue from investing resources in a security project. Accordingly, they will not be able to 'sell' the concept and gain the investment and support of senior managers. This is best done by identifying a senior management 'sponsor', who can champion your cause at board level. However, a word of warning: be careful when identifying your 'sponsor'.

One other area that is regularly missed, or 'glossed over', is the management infrastructure necessary to support a security project. You need to ensure that your security management infrastructure involves representation from all areas involved in a project. Those representatives need to be at senior level in order to make decisions on behalf of their business area. It needs to include some form of Security Working Group (the Management Information Security Forum in ISO/IEC 17799:2000 (BS 7799)), some form of Change Control Board and usually a Business Continuity Group. The Terms of Reference (TORs) of such groups need to be clearly laid down, and it is vital that their reporting chain to senior managers be defined. Beware of clashes at board level between differing sponsors; they are not a good idea.

However, be careful not to swamp senior managers (sponsors) with unnecessary reports from your security management groups. You need to feed them only the issues they need to be aware of and those that require agreement at board level. When presenting an issue, you need to explain it clearly, identify a number of solutions and your preferred option (supported by arguments and financial data), and state clearly what you expect of the individual or board. Such issues need to be set out in less than an A4 page, supported where necessary by other documents.

Time and again presentations fail because the security manager has missed one of these basic requirements.

Acceptance of responsibility

The individual acceptance of responsibility for an asset is an area that is historically anathema to the public sector. It is perceived as not being in the interests of employees (lots of additional work) and as potentially damaging to their careers. As one of the cornerstones of asset protection under ISO/IEC 17799:2000 (BS 7799) is the acceptance of responsibility for assets within an individual's area of responsibility, this can pose a significant hurdle.

For individual managers to willingly accept the responsibility to look after key assets, a major change in culture is sometimes necessary. Having done some work for a Government Agency, I found that they have adopted a simple no-blame culture, encompassed in a few words: the purpose of this requirement [Acceptance of Responsibility] is not to attach blame to an individual should something go awry. Rather, it is for key staff (asset owners) who will manage any changes necessary to attain or maintain the confidentiality, integrity or availability (CIA) of assets under their control.

Quite often, the management change process necessary to achieve or maintain the required CIA levels involves resources outside the control of the asset owner. These may include a Change Control Board, Business Continuity Planners or an organisation-wide security forum.

Overall, this is a relatively simple concept, but if it is not clearly explained to staff, they will not accept the need and you will not succeed.

Education

Education is such a key area, and yet it is so often paid lip service by many public service organisations. We have all suffered death by viewfoil or PowerPoint slide presentation, given by staff who are badly briefed, poor presenters (not everyone is good at talking to colleagues) or, worst of all, so poor that they miss out whole sections of material or give inaccurate information. Such poor presentations make security a joke to users. This is something we cannot afford, particularly nowadays with the increasing number of threats that the public sector is facing.

As part of the ISO/IEC 17799:2000 (BS 7799) compliance requirements, it is necessary to record which staff have received which security briefings and training. Do you get everyone to sign a bit of paper, or go round with a checklist noting those present? Not a lot of fun, particularly if your organisation is spread over a wide geographic area and you do not know the staff.

We have conducted training for various organisations using a number of differing formats. The most successful have been those computer-based training (CBT) packages that:

* Identify individual users.

* Offer short, relevant modules.

* Include Q and A test questions and record each user's results.

Such modules can be combined for both induction training (all modules) and refresher training (individual modules). Of course, one of the most attractive elements of such training is that it can be made available to users at their desktops, thereby avoiding travel costs and time lost away from the workplace. Also, by using such a package you can be sure that staff are educated to a common standard, and by checking the results from the Q and A tests you get feedback on how effectively your modules get the security view across to your staff.

By adopting such a package you get a lot of pluses and very few minuses, the main minuses being the initial capital outlay and the annual maintenance costs (updates for modules). For some CBT packages, purchasing an update package can negate even the annual maintenance costs by allowing the client to update the modules themselves.

Business continuity

Too often the public sector decides upon a business continuity (BC) solution without examining the real requirements of the organisation. They have not conducted an impartial impact analysis of their services, and their BC strategies, where they exist at all, are flawed. As such, the BC plans derived from this information are flawed too. Additionally, because of the not inconsiderable costs of running full BC tests, most of the public sector relies on either very limited practical tests or desk-bound, paper-based exercises, which do not identify failings in the actual plans because the plan is never practised for real.

If BC is not cost effective, why do many of our major financial institutions practise it on a regular basis? If it were not necessary, they would not do it. You could say the public service is not in the market to make money. However, it is there to support, in one way or another, UK plc and the general public.

You do not need to incur huge additional costs in running BC tests. To give one example: you are planning to replace a file and print server for capacity planning reasons. Before taking the new server into use, you build it as a database server. Once it is built and the necessary applications and data have been loaded, you simply connect it to a switch and on to one or two user workstations. You prove that business analysts can access the data, and the IT staff have practised a system rebuild. You have carried out two BC tests: one is an IT system rebuild, and by using business analysts to check that the business rules of the database are still in place you have conducted a business process test. You have not incurred the cost of the server, as it was bought under another vote, and as for staff, unless you are employing specific contractors, your staff would have been at work anyway.
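The business process test described above, in which analysts confirm that the rebuilt database still enforces its business rules, can be captured as a repeatable script so that every rebuild is checked the same way. The following is an added example and not code from the original article or any particular agency; the schema, table names, export manifest and the four business rules are constructed for illustration, and a real test would encode the rules the analysts actually own.

```python
"""Added example: an automated 'business process test' run against a
rebuilt database server. The sample data and rules are constructed."""
import sqlite3

# Constructed sample: the row counts the production system exported
# before the rebuild. In practice this manifest is produced on the source.
EXPECTED_MANIFEST = {
    "customers": 3,
    "orders": 4,
}


def build_rebuilt_db(corrupt=False):
    """Stand-in for the freshly rebuilt server: an in-memory SQLite
    database loaded with constructed sample data. With corrupt=True one
    order references a customer that does not exist, the kind of fault a
    partial or mis-ordered data load can introduce during a rebuild."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, balance REAL);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER, amount REAL);
        INSERT INTO customers VALUES (1,'Alpha',100.0),(2,'Beta',0.0),(3,'Gamma',25.5);
        INSERT INTO orders VALUES (1,1,10.0),(2,1,5.0),(3,2,7.5),(4,3,3.0);
    """)
    if corrupt:
        con.execute("UPDATE orders SET customer_id = 99 WHERE id = 4")
    con.commit()
    return con


def row_counts(con):
    """Row count per table named in the manifest (table names come from
    the constant above, never from user input)."""
    return {t: con.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in EXPECTED_MANIFEST}


def run_business_rules(con):
    """Return a list of (rule_name, passed, detail). Each entry is one of
    the checks a business analyst would otherwise make by hand."""
    results = []

    # Rule 1: the data load is complete (the IT rebuild half of the test).
    counts = row_counts(con)
    results.append(("row counts match export manifest",
                    counts == EXPECTED_MANIFEST, counts))

    # Rule 2: referential integrity between orders and customers.
    orphans = con.execute("""
        SELECT COUNT(*) FROM orders o
        LEFT JOIN customers c ON c.id = o.customer_id
        WHERE c.id IS NULL""").fetchone()[0]
    results.append(("every order belongs to a known customer",
                    orphans == 0, f"{orphans} orphaned orders"))

    # Rule 3: a constructed business invariant on customer balances.
    negative = con.execute(
        "SELECT COUNT(*) FROM customers WHERE balance < 0").fetchone()[0]
    results.append(("no customer balance is negative",
                    negative == 0, f"{negative} negative balances"))

    # Rule 4: a constructed business invariant on order amounts.
    bad_amounts = con.execute(
        "SELECT COUNT(*) FROM orders WHERE amount <= 0").fetchone()[0]
    results.append(("every order amount is positive",
                    bad_amounts == 0, f"{bad_amounts} non-positive amounts"))
    return results


def bc_test_passed(con):
    """The rebuild passes the business process test only if every rule holds."""
    return all(ok for _, ok, _ in run_business_rules(con))


if __name__ == "__main__":
    for label, con in (("clean rebuild", build_rebuilt_db()),
                       ("faulty rebuild", build_rebuilt_db(corrupt=True))):
        print(label, "PASS" if bc_test_passed(con) else "FAIL")
        for name, ok, detail in run_business_rules(con):
            print(f"  [{'ok' if ok else 'FAIL'}] {name}: {detail}")
```

Run it and the clean rebuild passes all four rules while the faulty one fails the referential-integrity rule but still passes the row-count check, which is the point: a count-only check after a rebuild says nothing about whether the business rules survived, so the analysts' checks need to be part of the test.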

In summary, for security to be employed effectively it all needs to be joined up: you need to adopt a holistic view of security, which is why ISO/IEC 17799:2000 (BS 7799), when implemented correctly, can be so effective.
