Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Security in the public sector - a cognitive dissonance

June 2004 News & Events

Dave Jamieson, security practice manager, LIRIC Associates

There are a number of key areas that can cause security projects in the public sector to fail. These fall into a number of areas, including: management, acceptance of responsibility, education, business continuity issues.

Management

Too often, senior management do not rate security as important. This tends to be because there are few senior managers who have come up through security-associated roles. Experience has demonstrated that although senior managers want security, they do not understand the full requirements, in that they will not allocate the resources (human, financial or infrastructure) necessary to effectively manage the security required for a particular project. The only way to ensure that senior management accepts the requirements for appropriate resource is to clearly brief them on the requirements and clearly associate it with business benefits.

This is an area where security managers regularly fail. Security managers have to have a clear understanding of the business strategy because if they do not, they will not be able to identify the business benefits that will be accrued by investing resources in a security project. Accordingly, they will not be able to 'sell' the concept and get the investment and support of senior managers. This is best done by identifying a senior management 'sponsor', who can champion your cause at board level. However, a word of warning - be careful when identifying your 'sponsor'.

One other area that is regularly missed, or 'glossed over', is the management infrastructure necessary to support a security project. You need to ensure that your security management infrastructure involves representation from all areas involved in a project. Those representatives need to be at senior level in order to make decisions on behalf of their business area. It needs to include some form of Security Working Group (Management Information Security Forum, in ISO/IEC 17799:2000 (BS 7799)), some form of Change Control Board and usually a Business Continuity Group. The Terms of References (TORs) of such groups need to be clearly laid down and it is vital that their reporting chain to senior managers be defined. Beware of clashes at board level by differing sponsors, not a good idea.

However, be careful not to swamp senior managers (sponsors) with unnecessary reports from your security management groups. You need to feed them with issues they need to be aware of and those that will require agreement at board level. When presenting issues you have, you need to clearly explain the issue, identify a number of solutions, your preferred option (supported by arguments and financial data) and clearly state what you expect of the individual/board. Such issues need to be defined in less than an A4 page, supported where necessary by other documents.

Time and again presentations fail because the security manager has missed one of these basic requirements.

Acceptance of responsibility

The individual acceptance of responsibility for an asset is an area that is historically anathema to the public sector. It is perceived that it is not in the interests of employees (lots of additional work) and could damage their careers. As one of the corner posts of asset protection under ISO/IEC 17799:2000 (BS 7799) is acceptance of responsibilities for assets within an individual's area of responsibility, this can pose a significant hurdle.

For individual managers to willingly accept the responsibility to look after key assets, a major change in culture is sometimes necessary. Having done some work for a Government Agency, I found that they have adopted a simple no-blame culture, encompassed into a few words, the purpose of this requirement [Acceptance of Responsibility] is not to attach blame to an individual should something go awry. Rather it is for key staff (asset owners) who will manage any changes necessary to attain or maintain the confidentiality, integrity or availability (CIA) of assets under their control.

Quite often, the management change process necessary to maintain or achieve the necessary CIA levels required, involves resources outside of the control of the asset owner. This may include a Change Control Board, Business Continuity Planners or an organisation-wide security forum.

Overall, this is a relatively simple concept, but if it is not clearly explained to staff, they will not accept the need and you will not succeed.

Education

Education is such a key area and is so often paid lip service by many public service organisations. We have all suffered the death by viewfoil or Powerpoint slide presentation by staff who are either badly briefed, poor presenters (not everyone is good at talking to colleagues) or worst of all, so poor they miss out whole sections of material or give inaccurate information. Such poor presentations make security a joke to users. This is something we cannot afford to happen, particularly nowadays with the increasing number of threats that the public sector is facing.

As part of ISO/IEC 17799:2000 (BS 7799) compliance requirements it is necessary to record which staff have received what security briefings and training. Do you get everyone to sign a bit of paper or go round with a checklist noting those present? Not a lot of fun, particularly if your organisation is spread over a wide geographic area and you do not know the staff.

We have conducted training for various organisations using a number of differing formats. The most successful has been those computer-based training (CBT) packages that:

* Identify individual users.

* Offer short, relevant modules.

* Include Q and A test questions and record the results of users.

Such modules can be combined for both induction training (all modules) and for refresher training (individual modules). Of course one of the most attractive elements to such training is that it can be made available to the user at their desktop, thereby avoiding travel costs and time lost away from the workplace. Also, by using such a package you can be sure that staff are educated to a common standard and by checking the results from the Q and A tests you get feedback on the effectiveness of your modules in getting the security view across to your staff.

By adopting such a package, you get a lot of pluses and very few minuses. The main minuses being the initial capital outlay and annual maintenance costs (updates for modules). Purchasing an update package can negate even the annual maintenance costs for some CBT packages thereby allowing the client to update the modules themselves.

Business continuity

Too often the public sector decides upon a business continuity (BC) solution without examining the real requirements of their organisations. They have not conducted an impartial impact analysis of their services and their BC strategy, where they actually exist, are flawed. As such, BC plans derived from this information is flawed. Additionally, due to the not inconsiderable costs in running full BC tests, most of the public sector rely on either very limited practical tests or desk bound paper-based exercises, that do not identify failings in the actual plans because they do not practice the plan for real.

If BC is not cost effective, why do many of our major financial institutions practice it on a regular basis? If it were not necessary, they would not do it. You could say the public service is not in the market to make money. However, it is there to support, in one way or another, UK plc and the general public.

You do not need to incur huge additional costs in running BC tests. To give you one example; you are planning to replace a file and print server for capacity planning reasons. Before taking it into use you build it as a database server. Once built and the necessary applications and data have been loaded, you simply connect it to a switch and onto one or two user workstations. You prove that business analysts can access the data and the IT staff has practised a system rebuild. You have carried out two BC tests, one is an IT system rebuild and by using business analysts to check the business rules of the database are still in place you have conducted a business process test. You have not incurred the cost of the server, it was bought under another vote, and as for staff, unless you are employing specific contractors your staff would have been at work anyway.

In summary, for security to be effectively employed it all needs to be joined up, you need to adopt a holistic view of security, which is why ISO/IEC 17799:2000 (BS 7799), when implemented correctly, can be so effective.





Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

Unlock the future of security operations in Bloemfontein
DeepAlert News & Events Surveillance
Security professionals and business leaders are invited to revolutionise their offsite monitoring operations at the DeepAlert Product Road Show, taking place on 16 – 17 September 2025, at the Schoemanspark Golf Club, Bloemfontein.

Read more...
Hytera supports communication upgrade for Joburg
News & Events Infrastructure Government and Parastatal (Industry)
By equipping Johannesburg’s metro police and emergency services with multimode radios which integrate TETRA and LTE networks, Hytera is bridging coverage gaps and improving response times across the city.

Read more...
Your Wi-Fi router is about to start watching you
News & Events Surveillance Security Services & Risk Management
Advanced algorithms are able to analyse your Wi-Fi signals and create a representation of your movements, turning your home's Wi-Fi into a motion detection and personal identification system.

Read more...
ProtecLink 2025: Ithegi Electronics supports a safer, smarter security ecosystem
News & Events
If you are a security buyer, operations lead, or technology partner, do not miss ProtecLink 2025, to be held in Polokwane on 16 September 2025, at the Polokwane Royal Hotel.

Read more...
Secutel maintains ISO certifications
News & Events Fire & Safety
Secutel Technologies has successfully recertified all four of its ISO standards, a reflection of its continued commitment to excellence, client trust, and operational integrity.

Read more...
SABRIC appoints Andre Wentzel as interim CEO
News & Events Financial (Industry) Associations
The South African Banking Risk Information Centre (SABRIC) has announced the appointment of Andre Wentzel as interim chief executive officer, effective immediately.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...
Paxton cuts emissions by over a third
Paxton News & Events
Paxton has announced a significant reduction in its carbon footprint, cutting emissions by 961 tonnes of CO2e in its 2023 second reporting year.

Read more...
Most wanted malware
News & Events Information Security
Check Point Software Technologies unveiled its Global Threat Index for June 2025, highlighting a surge in new and evolving threats. Eight African countries are among the most targeted as malware leaders AsyncRAT and FakeUpdates expand.

Read more...
Securex gears up for Cape Town
News & Events
Four industry expos debut in Cape Town from 21–23 October, providing access to Africa’s tech hub and a rapidly expanding local market, through a platform covering security, OSH, facilities management, and fire safety solutions in one venue.

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.