Security in the public sector - a cognitive dissonance

June 2004 News & Events

Security projects in the public sector fail for a number of reasons. These fall into four key areas: management, acceptance of responsibility, education and business continuity.

Management

Too often, senior management do not rate security as important. This tends to be because few senior managers have come up through security-associated roles. Experience has demonstrated that although senior managers want security, they do not understand the full requirements, in that they will not allocate the resources (human, financial or infrastructure) necessary to effectively manage the security required for a particular project. The only way to ensure that senior management accepts the requirements for appropriate resources is to brief them clearly on those requirements and to associate them clearly with business benefits.

This is an area where security managers regularly fail. Security managers have to have a clear understanding of the business strategy because if they do not, they will not be able to identify the business benefits that will be accrued by investing resources in a security project. Accordingly, they will not be able to 'sell' the concept and get the investment and support of senior managers. This is best done by identifying a senior management 'sponsor', who can champion your cause at board level. However, a word of warning - be careful when identifying your 'sponsor'.

One other area that is regularly missed, or 'glossed over', is the management infrastructure necessary to support a security project. You need to ensure that your security management infrastructure involves representation from all areas involved in a project. Those representatives need to be at senior level in order to make decisions on behalf of their business area. It needs to include some form of Security Working Group (Management Information Security Forum, in ISO/IEC 17799:2000 (BS 7799)), some form of Change Control Board and usually a Business Continuity Group. The Terms of Reference (TORs) of such groups need to be clearly laid down and it is vital that their reporting chain to senior managers be defined. Beware of differing sponsors clashing at board level; it is not a good idea.

However, be careful not to swamp senior managers (sponsors) with unnecessary reports from your security management groups. You need to feed them with issues they need to be aware of and those that will require agreement at board level. When presenting issues you have, you need to clearly explain the issue, identify a number of solutions, your preferred option (supported by arguments and financial data) and clearly state what you expect of the individual/board. Such issues need to be defined in less than an A4 page, supported where necessary by other documents.

Time and again presentations fail because the security manager has missed one of these basic requirements.

Acceptance of responsibility

The individual acceptance of responsibility for an asset is an area that is historically anathema to the public sector. It is perceived as not being in the interests of employees (lots of additional work) and as something that could damage their careers. As one of the cornerstones of asset protection under ISO/IEC 17799:2000 (BS 7799) is acceptance of responsibility for assets within an individual's area of responsibility, this can pose a significant hurdle.

For individual managers to willingly accept the responsibility to look after key assets, a major change in culture is sometimes necessary. Having done some work for a Government Agency, I found that they have adopted a simple no-blame culture, encompassed in a few words: 'The purpose of this requirement [Acceptance of Responsibility] is not to attach blame to an individual should something go awry. Rather it is for key staff (asset owners) who will manage any changes necessary to attain or maintain the confidentiality, integrity or availability (CIA) of assets under their control.'

Quite often, the management change process necessary to achieve or maintain the required CIA levels involves resources outside the control of the asset owner. These may include a Change Control Board, Business Continuity Planners or an organisation-wide security forum.

Overall, this is a relatively simple concept, but if it is not clearly explained to staff, they will not accept the need and you will not succeed.

Education

Education is a key area, yet it is so often paid lip service by many public service organisations. We have all suffered death by viewfoil or PowerPoint slide presentation at the hands of staff who are either badly briefed, poor presenters (not everyone is good at talking to colleagues) or, worst of all, so poor that they miss out whole sections of material or give inaccurate information. Such poor presentations make security a joke to users. This is something we cannot afford to happen, particularly nowadays with the increasing number of threats that the public sector is facing.

As part of ISO/IEC 17799:2000 (BS 7799) compliance requirements it is necessary to record which staff have received what security briefings and training. Do you get everyone to sign a bit of paper or go round with a checklist noting those present? Not a lot of fun, particularly if your organisation is spread over a wide geographic area and you do not know the staff.

We have conducted training for various organisations using a number of differing formats. The most successful have been those computer-based training (CBT) packages that:

* Identify individual users.

* Offer short, relevant modules.

* Include Q and A test questions and record the results of users.

Such modules can be combined for both induction training (all modules) and for refresher training (individual modules). Of course one of the most attractive elements to such training is that it can be made available to the user at their desktop, thereby avoiding travel costs and time lost away from the workplace. Also, by using such a package you can be sure that staff are educated to a common standard and by checking the results from the Q and A tests you get feedback on the effectiveness of your modules in getting the security view across to your staff.

By adopting such a package, you get a lot of pluses and very few minuses. The main minuses are the initial capital outlay and the annual maintenance costs (updates for modules). For some CBT packages, purchasing an update package can negate even the annual maintenance costs by allowing the client to update the modules themselves.

Business continuity

Too often the public sector decides upon a business continuity (BC) solution without examining the real requirements of their organisations. They have not conducted an impartial impact analysis of their services, and their BC strategies, where they actually exist, are flawed. As such, the BC plans derived from this information are also flawed. Additionally, due to the not inconsiderable costs of running full BC tests, most of the public sector rely on either very limited practical tests or desk-bound paper-based exercises, which do not identify failings in the actual plans because they do not practise the plan for real.

If BC is not cost effective, why do many of our major financial institutions practice it on a regular basis? If it were not necessary, they would not do it. You could say the public service is not in the market to make money. However, it is there to support, in one way or another, UK plc and the general public.

You do not need to incur huge additional costs in running BC tests. To give you one example: you are planning to replace a file and print server for capacity planning reasons. Before taking it into use, you build it as a database server. Once it is built and the necessary applications and data have been loaded, you simply connect it to a switch and to one or two user workstations. You prove that business analysts can access the data, and the IT staff have practised a system rebuild. You have carried out two BC tests: one is an IT system rebuild, and by using business analysts to check that the business rules of the database are still in place you have conducted a business process test. You have not incurred the cost of the server, as it was bought under another vote, and as for staff, unless you are employing specific contractors your staff would have been at work anyway.

In summary, for security to be effectively employed it all needs to be joined up. You need to adopt a holistic view of security, which is why ISO/IEC 17799:2000 (BS 7799), when implemented correctly, can be so effective.

© Technews Publishing (Pty) Ltd. | All Rights Reserved.