Continuing our series of Opinion articles from members of The Security Institute, consultant Ian Johnson discusses how a lack of awareness of the full range of activities that need to be considered within a security policy can often lead to a worrying fragmentation in approach.
If you were to ask members of the general public to explain what the word 'Security' means to them, you would receive a wide variety of responses, most of them probably not very detailed. Locks, alarms and CCTV would likely be mentioned on more than one occasion, with awareness levels shaped by the crime-related television programmes and media stories people had recently seen.

While responses within businesses wouldn't be so simplistic, they're often not as comprehensive or well-informed as you would hope. There's considerable variation in what individuals perceive to be the requirements or priorities of a security programme.

Of course, everyone thinks about security of a building (or buildings), and the equipment necessary to achieve that security. However, they might be a little more hazy about the development of coherent security strategies and procedures, or perhaps the special requirements of high profile events such as company Annual General Meetings.

The situation isn't helped by the growing complexity of security threats faced by corporate concerns. Risks associated with terrorism have changed considerably in recent years, but this doesn't necessarily mean that all (or even the majority) of organisations have given serious thought to whether security policies need to be changed as a result.

In addition, there's an increasing risk of information being compromised. The threat of competitors (and indeed the media!) gaining access to information they shouldn't have is now very real, particularly as the techniques for being able to do so have grown more and more sophisticated. Technological developments such as e-communications and cordless telephones have brought many benefits, but also increased the risk of the unauthorised gaining access to confidential information.

In themselves, information security breaches can lead to reputational and commercial damage, and indeed litigation – either via a company's corporate governance responsibilities or by way of requirements under the Data Protection Act 1998. However, it would be true to say that many organisations still don't have a coherent policy in relation to information security.

A dilution in focus
The number of organisations with a Head of Security – and that includes large global businesses – has diminished over the past 20 years. A situation may exist where the facilities manager has the major responsibility for security. Their natural focus on the premises, though, necessarily means that they're thinking very much in terms of the building and what equipment should be 'attached' to it.

Similarly, the IT manager may be assuming a degree of responsibility for information security. However, there's nobody to systematically work out the type and level of risks facing the organisation, and to ensure a security policy that covers all threats.

Any lack of joined-up thinking can lead to some fundamental problems. For instance, there may be no member of staff who feels that information destruction is one of their core responsibilities. Consequently, the task is carried out under sufferance, and there's limited awareness of the organisation's responsibilities as the data controller under Data Protection Act legislation.

Handing over confidential material to an information destruction contractor doesn't mean that all the responsibility for that now lies with them. For example, the client ought to undertake an audit to ensure that the service provider is operating to suitable and recognised professional standards.

Generally, a lack of understanding of security can lead to too much reliance being placed on the contractor, in particular by expecting them to come up with the right level, scope and standard of service while providing relatively little client input. Although suppliers are used to meeting this kind of challenge, a good level of knowledge on both sides is definitely desirable in terms of achieving effective liaison, devising the optimum solutions and, of course, being able to identify unprofessional suppliers or those who just aren't suited to the project in question.

Understanding security practices and technology is not all there is to security. Far from it. The practitioner also needs to get to grips with the objectives of the business, and indeed the type of business they're in, so that they can accurately measure the risk(s).

By way of example, if a retail organisation has decided that it needs to entice 30% more members of the public through its doors in the course of a year, that's obviously going to have an impact on risk. So too might the addition of new products or services to the portfolio.

Be aware that the cost of security measures also needs to be quantified and justified in terms of benefits to the organisation.

Security practices are much less likely to be completely in tune with the needs of the business if their development isn't properly co-ordinated. There are clear benefits to be realised by having one individual with overall responsibility for security.

It's also worth thinking about setting up a Security Review Group in which the various stakeholders within the business can highlight their own priorities and concerns.

Security and its totality
We see it very much as The Security Institute's duty to create a greater understanding of the totality of the security role both within the business community and among the wider general public.

Our publications and regular meetings aim to highlight the impact of – and approaches to – evolving threats, such as terrorism and information breaches, and to promote the value of an integrated approach.