Font Size: A A A

Home > Reviews > The Rules of Security

The Rules of Security

Author Paul Martin

ISBN No 97801 9882 3575

Review date 24/05/2019

No of pages 256

Publisher Oxford University Press

Publisher URL

Year of publication 22/03/2019


Our Review


£ 18.99 (hardback)

The Rules of Security by Paul Martin, published by Oxford University Press in mid-May 2019, is an impeccable and important work that security people can push into the hands of others - fellow security people who can tick off the 'rules' according to their own line of work, people thinking of entering or bettering themselves in the sector, and non-security people who want an authoritative yet crisply-written book on security.

While an outstanding book, it could be even better and ought not to be the last word on the subject, because of what it does not include. To sum up, it's striking how few pound signs there are in the book, except on the outside - where £18.99 is a reasonable price for a hardback, incidentally. No, the lack of £ in the text is the simplest way to express that Paul Martin writes in terms of 'rules' - reasonably enough, as that is his chosen title after all. But the book does not get to the bottom of the practical blocks in the way of a security manager or consultant or specifier, and that crop up again and again in conversation with those people: such as, that it's so hard to consistently get capital spend for a project, unless for counter-terror or especially after a publicised attack.

You have the people at the operational level, interested in getting security (or any other) products and systems and processes to work; and above them in the organisation, the people with the purse strings that want (reasonably) to be convinced of what return the products can bring.

It's not that Paul Martin is blind to this reality, as he sets out - as neatly as anyone in a few lines - towards the start of his book (page 7): "... protective security costs money and adds friction to the conduct of life. For many businesses it is something of a grudge purchase - an expensive necessity that is at best a way of avoiding even bigger costs and perhaps gaining a competitive advantage over rivals. The financial return on investment in security is notoriously hard to quantify in ways that satisfy accountants and auditors. Security at any price is rarely an option."

Here Paul Martin has put his finger on it; how to measure security, something invisible, a feeling, often an absence of something, whether fear or crime (or fear of crime).

One reason why Paul Martin comes across as not of the real world of doing security may be his background; from 2013 to 2016, he was director of security for UK Parliament, and took in physical, personnel and cyber security for the Lords and Commons. It so happens parliamentary security features in the March 2019 print issue of Professional Security magazine. To briefly touch on that trinity of security in Parliament - physical attacks range from the 1605 Gunpowder Plot to the Westminster Bridge terror attack of March 2017; as for personnel, where to start? John Stonehouse, the Harold Wilson-era Labour MP and disgraced minister who turned out to be a spy for Cold war era Czechoslovakia; or the protester breaches of the Commons, presumably thanks to well-wisher insiders providing door passes. And cyber; again, it's well publicised that parliamentarians like most in public life are subject to cyber attack, whether from citizens with grudges or nation states.

Do not turn to this book for an insider's revelations on such topics. Quite apart from the sensitiveness of Parliament, even the 1605 Plot has resonance today (what of the risk of attack on Parliament from the river - pictured?). There should not be criticism of a practitioner remaining discreetly silent - whether in security management or any other sort of management - about old workplaces. For instance, after a mention of the murder of Labour MP Jo Cox in 2016, he calls it 'a pivotal incident ... the deluge of abuse and threats continues'. He closes somewhat mildly: "Social media companies have been widely criticized for not doing much to tackle these issues." Are we to leave it at that - accept online abuse as part of public life (because as Paul Martin does point out, other professions can face such a 'deluge' also)?

The sources Paul Martin quotes are impeccable as everything else in the book; he writes in terms of risk; on IT security he quotes Bruce Schneier; he turns to public-domain cases such as the Soviet-era spy Oleg Gordievsky. On terrorism he mentions (but goes into no more detail than that) the assassination of MPs Airey Neave (in the Commons car park) and Ian Gow (at his home). Turning to Islamist terror, Paul Martin notes that Islamists have not done many if any 'targeted assassinations of individuals in public life'. Might they? 'It remains to be seen', although he adds that those terrorists have a 'general track record of choosing soft targets'.

Cynics would say that a head of security in Parliament does not have to concern himself with money because Parliament makes sure it has whatever it requires, whether armed police inside and out or the cheapest food and drink in central London. Even if that's so, it's far from the whole story, as set out in the March 2019 issue. Security people at the Palace of Westminster (whose numbers have increased greatly in recent decades) face the same obstacles as those providing any other service to the building: its ageing rabbit-warren of rooms and corridors (how to search, or check an evacuation?), the pride of MPs and peers, hardly the sorts to appreciate being told that security trumps whatever it is they want to do (think here of the notorious 2012 incident on Downing Street that led to Conservative MP Andrew Mitchell resigning as the Government Chief Whip, for whatever it was he said to police); and the need to keep the place open to constituents, to not give in to terror, yet secure. All real-world messiness that gets in the way of rational security management.

Oddest of all about Paul Martin not really addressing the imperfect and sometimes downright senseless real world (that security practitioners still have to protect, whether against cyber or physical theft or assault, or even protecting the subjects from themselves) is that the former director general of MI5, Jonathan Evans, points this out in a 400-page foreword: "Security gets entangled in issues of commercial interest, personal status, entrenched practices, poor information flows, and so-called expertise that cannot see beyond the end of its own nose. As a result, people and assets are left unprotected, money is wasted, and frustration or cynicism can flourish." Note that Evans, and in fairness Paul Martin in the page 7 quote, each mention money or expense.

Paul Martin does not ignore the real world. Take cyber, for instance; he is alive to 'security fatigue' (page 154), 'a weary indifference produced by a relentless stream of hectoring security instructions and tedious awareness campaigns'. While he does offer 'a good security culture' as the answer, that he covers also earlier under 'it's all about the people', he admits such a culture, 'a concordance culture', 'is a relatively rare beast'; readers will have to judge for themselves whether they come away equipped to make their workplace one of the rare ones.

A further book by Paul Martin (because he is an author in other fields besides security) that addressed the real world, the one that security managers actually have to negotiate, while following the 'rules' that Paul Martin sets out so ably and readably, could be a book for our time, of Machiavelli-The Prince proportions.