Security in the public sector - a cognitive dissonance

June 2004 News & Events

There are a number of key areas that can cause security projects in the public sector to fail. These fall into a number of areas, including: management, acceptance of responsibility, education, business continuity issues.


Too often, senior management do not rate security as important. This tends to be because there are few senior managers who have come up through security-associated roles. Experience has demonstrated that although senior managers want security, they do not understand the full requirements, in that they will not allocate the resources (human, financial or infrastructure) necessary to effectively manage the security required for a particular project. The only way to ensure that senior management accepts the requirements for appropriate resource is to clearly brief them on the requirements and clearly associate it with business benefits.

This is an area where security managers regularly fail. Security managers have to have a clear understanding of the business strategy because if they do not, they will not be able to identify the business benefits that will be accrued by investing resources in a security project. Accordingly, they will not be able to 'sell' the concept and get the investment and support of senior managers. This is best done by identifying a senior management 'sponsor', who can champion your cause at board level. However, a word of warning - be careful when identifying your 'sponsor'.

One other area that is regularly missed, or 'glossed over', is the management infrastructure necessary to support a security project. You need to ensure that your security management infrastructure involves representation from all areas involved in a project. Those representatives need to be at senior level in order to make decisions on behalf of their business area. It needs to include some form of Security Working Group (Management Information Security Forum, in ISO/IEC 17799:2000 (BS 7799)), some form of Change Control Board and usually a Business Continuity Group. The Terms of References (TORs) of such groups need to be clearly laid down and it is vital that their reporting chain to senior managers be defined. Beware of clashes at board level by differing sponsors, not a good idea.

However, be careful not to swamp senior managers (sponsors) with unnecessary reports from your security management groups. You need to feed them with issues they need to be aware of and those that will require agreement at board level. When presenting issues you have, you need to clearly explain the issue, identify a number of solutions, your preferred option (supported by arguments and financial data) and clearly state what you expect of the individual/board. Such issues need to be defined in less than an A4 page, supported where necessary by other documents.

Time and again presentations fail because the security manager has missed one of these basic requirements.

Acceptance of responsibility

The individual acceptance of responsibility for an asset is an area that is historically anathema to the public sector. It is perceived that it is not in the interests of employees (lots of additional work) and could damage their careers. As one of the corner posts of asset protection under ISO/IEC 17799:2000 (BS 7799) is acceptance of responsibilities for assets within an individual's area of responsibility, this can pose a significant hurdle.

For individual managers to willingly accept the responsibility to look after key assets, a major change in culture is sometimes necessary. Having done some work for a Government Agency, I found that they have adopted a simple no-blame culture, encompassed into a few words, the purpose of this requirement [Acceptance of Responsibility] is not to attach blame to an individual should something go awry. Rather it is for key staff (asset owners) who will manage any changes necessary to attain or maintain the confidentiality, integrity or availability (CIA) of assets under their control.

Quite often, the management change process necessary to maintain or achieve the necessary CIA levels required, involves resources outside of the control of the asset owner. This may include a Change Control Board, Business Continuity Planners or an organisation-wide security forum.

Overall, this is a relatively simple concept, but if it is not clearly explained to staff, they will not accept the need and you will not succeed.


Education is such a key area and is so often paid lip service by many public service organisations. We have all suffered the death by viewfoil or Powerpoint slide presentation by staff who are either badly briefed, poor presenters (not everyone is good at talking to colleagues) or worst of all, so poor they miss out whole sections of material or give inaccurate information. Such poor presentations make security a joke to users. This is something we cannot afford to happen, particularly nowadays with the increasing number of threats that the public sector is facing.

As part of ISO/IEC 17799:2000 (BS 7799) compliance requirements it is necessary to record which staff have received what security briefings and training. Do you get everyone to sign a bit of paper or go round with a checklist noting those present? Not a lot of fun, particularly if your organisation is spread over a wide geographic area and you do not know the staff.

We have conducted training for various organisations using a number of differing formats. The most successful has been those computer-based training (CBT) packages that:

* Identify individual users.

* Offer short, relevant modules.

* Include Q and A test questions and record the results of users.

Such modules can be combined for both induction training (all modules) and for refresher training (individual modules). Of course one of the most attractive elements to such training is that it can be made available to the user at their desktop, thereby avoiding travel costs and time lost away from the workplace. Also, by using such a package you can be sure that staff are educated to a common standard and by checking the results from the Q and A tests you get feedback on the effectiveness of your modules in getting the security view across to your staff.

By adopting such a package, you get a lot of pluses and very few minuses. The main minuses being the initial capital outlay and annual maintenance costs (updates for modules). Purchasing an update package can negate even the annual maintenance costs for some CBT packages thereby allowing the client to update the modules themselves.

Business continuity

Too often the public sector decides upon a business continuity (BC) solution without examining the real requirements of their organisations. They have not conducted an impartial impact analysis of their services and their BC strategy, where they actually exist, are flawed. As such, BC plans derived from this information is flawed. Additionally, due to the not inconsiderable costs in running full BC tests, most of the public sector rely on either very limited practical tests or desk bound paper-based exercises, that do not identify failings in the actual plans because they do not practice the plan for real.

If BC is not cost effective, why do many of our major financial institutions practice it on a regular basis? If it were not necessary, they would not do it. You could say the public service is not in the market to make money. However, it is there to support, in one way or another, UK plc and the general public.

You do not need to incur huge additional costs in running BC tests. To give you one example; you are planning to replace a file and print server for capacity planning reasons. Before taking it into use you build it as a database server. Once built and the necessary applications and data have been loaded, you simply connect it to a switch and onto one or two user workstations. You prove that business analysts can access the data and the IT staff has practised a system rebuild. You have carried out two BC tests, one is an IT system rebuild and by using business analysts to check the business rules of the database are still in place you have conducted a business process test. You have not incurred the cost of the server, it was bought under another vote, and as for staff, unless you are employing specific contractors your staff would have been at work anyway.

In summary, for security to be effectively employed it all needs to be joined up, you need to adopt a holistic view of security, which is why ISO/IEC 17799:2000 (BS 7799), when implemented correctly, can be so effective.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Pentagon appointed as Milestone distributor
Elvey Security Technologies News & Events Surveillance
Milestone Systems appointed Pentagon Distribution (an Elvey Group company within the Hudaco Group of Companies) as a distributor. XProtect’s open architecture means no lock-in and the ability to customise the connected video solution that will accomplish the job.

Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Sales basics for security installers
News & Events
Being the best security business in South Africa means little if no one uses your services. Your business success is only partly linked to how good you are at security installations.

From security technician to salesperson
News & Events
Being great at security sales starts with having the right mindset. How you think informs what you say and how you act; and how you act informs the results you will achieve in your business.

From the Editor's Desk: Something old and something new
Technews Publishing News & Events
      Welcome to the 2024 edition of SMART Security Solutions’ Mining Handbook. Mining is a challenging industry for security professionals, although security is a challenge on this continent, no matter your ...

Risk management: There's an app for that
Editor's Choice News & Events Risk Management & Resilience
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Integrated information platform for risk management
Editor's Choice News & Events Risk Management & Resilience
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Unlocking Africa's AI potential
Editor's Choice News & Events AI & Data Analytics
Africa's AI market is set to grow exponentially; by investing in AI education, training, and ethical practices, African nations can harness the power of AI to transform the continent and create a brighter future for its people.

Linking of security officers by security businesses
PSiRA (Private Security Ind. Regulatory Authority) News & Events Risk Management & Resilience
[Sponsored] By law, all security businesses are required to declare their employees to PSiRA so that they can be accounted for administratively. Failure to link employees by security businesses is a contravention of the Code of Conduct and a criminal offence.

Milestone XPerience Day South Africa
Milestone Systems News & Events
The 2024 Milestone XPerience Day in Johannesburg took place on 01 February 2024, where the video technology sector’s brightest and best minds gathered to share information and networking.