I am the Head of Security and Business Continuity at the Department for Work and Pensions, and I am delighted to have this opportunity.
Jonathan has talked about the different aspects of security that are exercising us in Government Departments, and on which we are focusing, to protect people, private information and public finances especially, and to ensure that Government can deliver safe and efficient services to the public.
So, what is security?
For me, effective security is a combination of many things at many levels. It is often misleadingly characterised as made up of the more technical, especially electronic, protections and systems. The genesis of the term “cyber security” has tended to reinforce that view. But I agree with Chris Ensor that people are at the heart of security, including (but not limited to) cyber security.
Moreover, delivering efficient and cost-effective security can only be done through a combination of well-integrated activities with an equal focus on: people skills and encouraging the right behaviours; electronic capability; strong communications; good use of decision-making and management of risks; and especially a culture of learning from experiences (both good and bad).
Strong leadership
Of course to do all these things at the same time requires strong leadership, clever planning and a commitment to joining the dots and especially to engaging with and influencing non-security colleagues and leaders, since they have a critical role to play in reinforcing helpful behaviours and going through the right processes and thinking. It also requires a very strong team ethos, especially in these days of financial constraints, so as to squeeze the maximum effect and generate organisational confidence from diminishing resources.
That leadership must be upwards-facing as well as downwards-facing, in traditional hierarchical terms; and increasingly it is about leading inter-Departmental or pan-Government initiatives – such as Jonathan’s role on this Blog!
Security as a “Cinderella” function?
Of course, being a security professional has always required a thick skin and the ability to be forceful and persistent. It has also traditionally been a bit of a “Cinderella” function in many organisations, trailing in terms of organisational design and therefore consistently on the back foot in the face of both internal demands and external threats. Nowadays, security – allied with, in my case, business continuity, contingency or resilience planning, whatever one wants to call it – is much more at the forefront of business transformation, and this is increasingly being recognised; but I would be interested to hear if others agree.
Security – the basics
It is also increasingly important, in these days of cloud services, digital transformation, social media, and an ever-growing usage of confusing jargon, that we keep our minds on the basics, amongst which I include:-
- Clear accountabilities within the organisation
- Strong governance and prioritisation
- Access to useful tools and funded infrastructure
- Continuous training and education
- Clear and regularly reviewed strategic design and implementation
Risk appetite
And frequent review of risk appetites – importantly, making those risks “real” through use of examples and demonstration – to reflect not only the rapidly changing threat landscape but also the scale and range of the mitigations required in order to provide effective response and maintain public confidence.
Of course many of the words above are also “jargon” to some; but for those of us delivering the services and ensuring security within Government these are the basic measures that enable us to meet our legal and moral obligations and deliver value for public money at the same time.
They are also those fundamentals that are so critical as we increasingly move to an environment in which we are reliant on others – suppliers, delivery partners, sister organisations, and even our customers and the wider general public – to help us deliver basic public confidence and continuous service.
Call for a “Learning organisation”
For me, this all comes together into the challenge of becoming a “Learning Organisation” as espoused by Peter Senge in The Fifth Discipline, and in which connectedness is a virtue and personal leadership, self-reflection and team learning contribute to group satisfaction and thence to success in helping to drive the overall system more successfully.
This is not easy, especially in very large and disaggregated Government or private organisations, where communication and co-ordination are at a premium. But with commitment, good organisational structures and strong leadership, this is an ideal worth aspiring to.