Security Culture

by Mark Rowe

Author: Hilary Walton

ISBN No: 9781409465621

Review date: 19/04/2024

No of pages: 215

Publisher: Gower

Publisher URL:
http://www.gowerpublishing.com/isbn/9781409465621

Year of publication: 11/12/2015

Brief: Security Culture by Hilary Walton

Price: £67.50 (web)

In 15 years I have read hundreds of security books. Seldom have I read a book with such ambition and scope, impeccable sources, and grasp of what’s possible and practical – and what’s not – in the business of security management. Any serious security managers wanting to make things happen in their workplaces should open this book.

That was the testimonial I wrote for Security Culture, by Hilary Walton. On receiving the hardback printed book, and seeing that on the first page, above other testimonials by the far more worthy Stephen Cooper OBE, the former head of security for the Olympic Delivery Authority (ODA), and Chris Phillips, the former head of the official UK NaCTSO, I did wonder: is the book that good? Because somehow a book as a Word document looks different to the finished thing.

It is with pleasure, and relief, that I can say yes, the book entirely lives up to my testimonial on second reading. The sub-title, A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation, tells you more, as do the chapter headings. What is security culture? Why bother with such a thing, given there are quite enough things to do in a working day? It’s ‘about motivating employees to respect common values and standards regarding security, whether inside or outside the workplace’; and the author then quotes the definition from the official Centre for the Protection of National Infrastructure. CPNI are indeed one of the few bodies to address this admittedly difficult subject (difficult because it is invisible): ‘shared values about what is important’. (As an aside, the CPNI has for example produced free-to-download advice on, for instance, measuring and developing motivation in guard forces.) What are the proper attitudes and behaviours? Is it good manners, yet bad security, for example, to hold open the door for people you assume are workmates, or at least people who are meant to be entering your building? Or to share passwords, or write them on a scrap of paper because they’re so hard to remember and you’ve got to get that task done? As that implies, security can get in the way of doing a job, and if that is so, no matter how necessary the control, workers will work around it. They will plug memory sticks into a PC, even though it’s not checked; they will take sensitive paperwork on the train or bus, and wear their ID card on the Tube.

Culture, the way that we do things around here, does matter then. How to get a ‘security culture’? Walton goes on to building the business case, and specifically ‘getting senior level buy-in and commitment’, and more specifically still identifying a ‘champion’ to help get this in front of the board (and the help of the board’s PA to get the item on the agenda). In other words, you’ve got to be savvy. As the author says at the close of that chapter, it’s necessary but not enough to get senior executive support at the outset; you’ve got to keep that support. Hence the book goes on to how to assess security culture: measure it, so as to improve it and prioritise what needs doing.

Now entire books have been written on security metrics, and Walton has only 20 pages. That’s OK; she acknowledges that security metrics is a vast topic, but an important one. There are ways to identify the ‘impact’ of having a security culture, which includes the real financial cost of security breaches. Not the least important aspect of this book is that, as she says, the principles apply to all the security domains: physical, information, personnel, business continuity and disaster recovery. Also important is that, as an occupational psychologist who worked for the ODA as information security manager (and who is now working in New Zealand), among her case studies at the back of the book is one on the London Olympics; and as the years pass, we’re in danger of losing or merely forgetting the good security work that went into those Games weeks.

And yet most useful of all, depending on your line of work, may be the three appendices: an example proposal if you’re a consultant looking to deliver a ‘security programme business case’; an example of a paper you may put before a team of senior execs, to get a ‘security awareness’ project going; and a month-by-month security communications plan, that takes in posters, emails to staff, and e-learning for line managers.

Throughout we’re assuming that you, the security manager or head of security, have a hold on the day-to-day stuff: the thefts, the travel risk, and so forth. We all know you can buy locks, gates and IT technical solutions; but how do you apply them to such threats as data leakage (whether due to hackers, malicious insiders or simply by accident) and online crime generally? And the security culture approach can work, as Walton shows in the case studies, not only for a big-money organisation with a set deadline such as London 2012, but for a small start-up company (if you build in a security mindset from the start) or a government department (which might think more in terms of compliance).

To sum up, not only does this book take on a big subject, it draws on work ‘from actual organisations which have attempted to develop a security culture across sectors and in private and public settings’.


© 2024 Professional Security Magazine. All rights reserved.
