Earlier this year we talked resilience with Phil Wood, the head of security and resilience at Bucks New University. Mark Rowe returns to talk about that some more, and other things.
After Phil Wood collected me from reception and we bought tea and coffee from Starbucks, we crossed a piazza to another building where Phil’s office is. Phil paused because someone was taking photographs of the reception building. Now I did admit that I, too, had taken some pictures before I had entered reception. As Phil said, some people do take photos for architecture. Or, as in the City of London, the suspicion might be that someone is taking pictures as part of hostile reconnaissance. It’s a sign of how Phil Wood is not only a teacher at Bucks New University, based at the High Wycombe campus; he is also a doer of security. In our March issue, we reviewed his provocative book Resilient Thinking, a slim paperback which, we said, threw down a challenge to security and risk managers. That still sounds about right. As an opening remark, he raised the ‘constantly re-heated’ security management question of how to engage the attention of, and influence, the c-suite, that is, the chief executives, chief finance officers and the like of a company. Phil doesn’t have much time for it; he takes the view that if you are asking that question, you haven’t got the answer.
He’s planning a second book next year on the future of resilience. Also due to be published is a collection of case studies from Bucks New mature students on business continuity, security and emergency management. Phil stresses how important it is to think clearly: what methods of forecasting are there, how reliable are forecasts, and how do they apply to security and resilience? He gives cyber as an example. “Everybody is saying cyber is the thing; but it might not be. It might be perfectly containable, something that’s quite easily manageable, and it might therefore be less of a big risk than people think it is. It seems to be assumed and a given that cyber risk is absolutely momentous. In the same way as pandemic was four years ago. And there will be something else that comes along.” Risks, he added, have been around computers since they were invented. Phil will be asking – and drawing on research, as he plans this book to be an academic one – what will be the shape of security, resilience, and business continuity; and where does crisis management fit. “At this stage I don’t know what the answer to the question is.” But, he hopes, the result will be an idea of how to build resilience into an organisation, based on theories; hypotheses; research; and this could be where you come in, as Phil wants to go to the security sector, to ask what is your perception of risk, and the future.
I asked; does resilience look different depending on whether you’re Bucks New University; or an airline; or a sewage works? Resilience, he replied, is about absorbing whatever it is, and keeping going. “There will be an element of security in place to prevent something from making contact with your organisation, but always something will get beyond that. In a badly protected organisation, something will get straight through and organisations put far more effort into the impact management than the protection. And in that case you have the business continuity-type approach. And depending on the sector you have different approaches.” He gave the example of his own university. Like any other, it’s an open site; you can walk onto it from Wycombe town centre. On either side are a shopping centre and a hospital; likewise, open sites because they want people to enter. “We compromise on security, and that’s no big secret, because you have to have a free flow of people.”
Is the pace of change (and what we have to be resilient against) getting faster, I asked? Phil answers first with the Maslow hierarchy (briefly, suggesting that people must satisfy their most basic needs first, food, shelter, before their more sophisticated wishes). Phil suggests a new hierarchy; thanks to technology (in fairness to Maslow, it has come along since him) people need to be constantly bombarded by noise; music; images; information; shopping. It’s a cliché, as he admits; but look at anybody on a train; people have to be playing a game, watching something on some device. (I did look on my train afterwards from Wycombe to London; he was right.) Everything has to be instant; people want to take part in social networks, and that way feel part of a community. And this has changed behaviours, Phil argues. He goes on to BYOD (bring your own device – briefly, the idea in workplaces that staff can bring any phone, tablet, whatever they like to do their work on). As for the security debate about that, Phil says; stop people bringing their own devices, and see what happens!? (They won’t stand for it.) Yes, in some workplaces it is proper to ban internet use; but in many places people will take pictures of themselves at work, and will use the company’s IT to shop online, and expose the company to risk; and there has always been crime and malicious behaviour. The difference is that people’s behaviour is making it easy for the malicious, the criminal, to enter. Yet you cannot put security in (and expect people to abide by it) without explaining carefully and in detail. You can easily explain why you have to guard atomic weapons, and high-value assets; but what when the high-value assets are people?
Turning to courses at Bucks New; for example, the BA degree in security consultancy. Phil describes it as first covering the key, core elements of security – information, physical and electronic security, and corporate security management; laws covering the field; a module on investigation; ‘and in the final year, more business-focused, to orient consultants towards what businesses need for a consultant, rather than what security expertise can you just throw at them’. The BA is in its second year and as Phil says, security consultancy has very few educational programmes. And to add, there is a difference between security management, and providing trusted advice and consultancy for businesses that need security and resilience guidance. Phil says: “We find a lot of people come to our programmes from industry who are fully aware of the need for standards, guidance, because they are regulated, and subject to governance.” And the other side of the coin; those businesses do not want to fall foul of that regulation. The oil and gas, and financial sectors, are two examples. But, I add, compliance with health and safety or whatever is not the same as being safe. Phil likens compliance to an MoT, or cramming before an exam; you are only examined, audited to a standard, on that day: “And that doesn’t make you a resilient organisation at all.”
He runs through the Bucks New courses for security and risk people: a masters and BA degrees, still a foundation degree; a post-graduate certificate in security management; a Business Continuity Institute diploma; and for launch next year, a post-graduate certificate in terrorism studies. In keeping with the practical and applicable nature of Bucks New risk and security courses, this terrorism course won’t be about (say) the PLO in 1970 but the subject now – is cyber-terrorism, for example, terrorism at all, or just the route to delivering the terror, as aircraft were on 9-11? Is the trend from organised, to lone, attacks? Also planned are some free one-day seminars, at Missenden Abbey nearby, which belongs to the uni. The idea: businesses can send some of their people to discuss, for instance, crisis management, travel security, or terrorism. For one thing, practitioners may do the job because that’s the way it’s been done, but Phil queries; what’s the evidence to say it’s the best way, now? Also planned, a research service for business. Say someone is interested in footfall across a campus and its effect on access control requirements. Or the effect of signage on a site’s deterrence of opportunist thefts. It’s consultancy, yes, but not something for the awarding of a contract. Phil makes the point that Bucks New is not a business but about education: “The measure of success for us is more people coming to our courses.”
He has just taken over the department of computing and is looking to move into developing IT security within wider courses. Who is the audience for IT security? I ask. He replies that more mainstream security practitioners are realising that they need to become more informed about convergence – the coming together of physical protection, and IT security; and the networked security systems such as CCTV and access control. “So you have got to understand it; it doesn’t mean you have to be an expert. There are concepts and ideas about integration, transmission and storage, and the risks to all of those. And that’s before you even get into the cloud and the wider applicability of the internet.”
As, unusually, Phil is not only a teacher of security at Bucks New but does security at the university, I ask about the practice of security at the uni, like many an open campus. You can walk from High Wycombe town centre to the campus without barrier or fence, indeed almost without noticing. (As if to chime with this, while we speak, nearby church bells ring for 3pm.) As Phil says, the university has to be welcoming; and students have to feel safe. The uni certainly does not want students to feel excluded from any area they have a right to be in. “If you get security and risk assessment wrong, you either over-compensate and affect student experience, or you under-compensate, and expose students to risk; none of those are really acceptable. So we have to take a critical view of what we are trying to achieve.” Phil has done security surveys and audits, throughout the security estate, ‘and to look at everything we do in terms of risk profile, and then to take the outcomes of that series of security surveys and to turn them into a set of procedures and processes that will allow us to remain viable as an organisation, and also to attract the people that come here’. That has to be flexible, he adds, because over the year the building occupancy is different. In summer there may be few students, but more building work by contractors and summer-school visitors. Come October, thousands of people are on site, some international. Risks may be of the sort of genuine students trying to access places but having forgotten their access pass. The uni wants security to be as invisible as it can be: “But you have got to be able to respond to changes in occupancy and to be able to change in response to threat and risk, should the threat and risk profile change; we have to be able to respond and ramp up our protection; and we have that capability. We are constantly reviewing our plans, for preparedness and response and that should be for any organisation.”
Phil Wood, then, the same as his near-neighbours at Wycombe General Hospital and the Chilterns Shopping Centre, has to balance the risks of a free society and those who would do it harm. As someone who is a practitioner of security and someone seeking to articulate how to be resilient in the face of those risks, Phil Wood is doubly in the front line.
About the man: Before Bucks New, Phil Wood was an RAF Regiment officer and was at ARC Training. He is speaking at a CSARN morning briefing in Manchester on organisational resilience on December 5. Visit www.csarn.org.
Bucks New University – visit www.bucks.ac.uk