Peter Houlis

Chartered Security Professional (CSyP) and certified technical security professional (CTSP)


Peter is an expert in the physical security industry, having spent 35 years gaining considerable knowledge and understanding of security technology and the principles and practices of protecting people and assets, along with the ethics necessary for leading a respected company. During his 20+ years as MD of the multi-award-winning security system integrator 2020 Vision Systems, the company achieved a high standard of recognition and the patronage of many respected organisations. Through his dedication and leadership, 2020 obtained industry approval with the SSAIB and Quality, Environmental, and Health and Safety accreditations. Peter is a member of the Security Systems and Alarms Inspection Board (SSAIB), a UKAS accredited Certification Body, and its representative on the British Standards Institute (BSI) technical committee responsible for drafting European CCTV Standards. He is also a member of the Security Institute and the Security Leaders Technology forum, and the author of a number of published security articles.
November 26, 2019


Cyber security: whose domain does it fall under?

It’s a question companies throughout the world are trying to find the answer to, as cyber security can be perceived to fall under the remit of both IT and security teams. Here, Independent Security Consultant Peter Houlis, with the support of Dr Chaditsa Poulatova (co-author), Academic and International Advisor at Cyber Rescue Alliance, argues that it is very much still an issue for the security team.

A few months ago, I attended an IT workshop on cyber security. For a security veteran, listening to the IT professionals talking was like taking a step back in time. “Why can’t we get the attention we deserve in the Board room? Why does the ‘C’ suite underestimate our value? Why don’t the CEO, CFO and COO appreciate the importance of cyber security? We need more finance, more technology. Don’t they understand the risk? We need to increase the fear factor.”

No, No, No!

Foremost, the ‘fear factor’ has historically proven a poor way of selling security, making it a grudge purchase. Moreover, at executive level, ‘risk is just risk’ – it doesn’t matter where it emanates, it’s about how the organisation controls and manages it for commercial gain, in line with the business risk appetite.

From my personal experience of applying an ISO 27001: 2018 Information Security Management system during my tenure as Managing Director of a multi-award-winning security integrator, I can confidently state cyber security is not an IT problem. With the increasing convergence of the physical and digital world, it remains a security problem and a business issue.

Cyber security is assumed to be an IT department problem because it focuses on defending computer systems and digital infrastructure (data centres, websites, programmes, servers and accounts, all of which are vulnerable to cyber attacks) from attack or misuse. However, it is a lot more complicated than merely deploying technology, as the threats are numerous, varied and dynamic. That’s not to decry the necessity of virus-protection software, analytics and robust firewalls.

Company culture

Cyber security shares a symbiotic relationship with physical security. As such, it sits within the far-reaching information security management discipline, which concerns all of an organisation’s information assets, whether they are digital or physical, and whether an attack manifests itself virtually or physically. Accordingly, it is not the problem of an individual or department but a critical business issue, one that can have a significant financial impact, and consequently the responsibility of every employee from the ‘C’ suite to the shop floor. The strategic value of security must permeate throughout an organisation by cultivating and embedding a culture of security awareness, and by making it a business priority based on sound management, training and communications.

A security-aware culture will enable organisations to adapt to the evolving environment while staying focused on their primary objectives, by reducing risks to an acceptable level and increasing resilience, which is considered an essential executive business strategy.

Security awareness is all about changing employee conduct, replacing high-risk behaviours with the required ones to reduce and mitigate security risks to the organisation. For instance, employees recognise security threats and vulnerabilities by noticing someone asking seemingly innocent questions, small security misdemeanours being overlooked, or someone following them suspiciously. As well as this, it’s crucial that employees know how to respond to breaches and who to notify, while also ensuring their adherence to security policies and understanding the consequences of failure to comply.

Security professionals have grown to appreciate the value of an active security culture. It has been described by the Australian Government publication, The Insider Threat to Business (2010), as:

  • Awareness and ownership – an organisation’s individuals and teams understand the security threats and vulnerabilities, accept that their actions can affect the risks, and appreciate that security is an integral part of the organisation’s business.
  • Compliance and reporting – employees take complying with security policies and procedures, and the reporting of security breaches, as standard practice.
  • Communication and challenge – all employees are familiar with the rationale behind the security measures and are confident to challenge others if they are not complying with security requirements.
  • Senior sponsorship and enforced disciplinary procedures – senior managers place and demonstrate a high value on security, dealing consistently and rigorously with security breaches, according to well-established guidelines.
  • Discipline and offering incentives – sensitive access or information is restricted unless there is a definite requirement, and employees are rewarded for ideas for improving security and for reporting security breaches.

An embedded security culture complemented with the appropriate security processes and procedures raises staff confidence and awareness to tackle a diverse range of criminal activities. This can be anything from theft and fraud prevention to espionage and terrorism, and empowers them to undertake the appropriate corrective action to alleviate the risk. Furthermore, it will help counter a disproportionate reliance on technical security measures and reinforce the importance and value of adhering to security policies and procedures.

Security leadership

Without doubt, leadership is a cornerstone of good business, and strong security leadership is fundamental if one is to develop a security culture that aids resilience and crime management. The security lead needs to understand risk and have the security knowledge to develop business-friendly security policies and processes in conjunction with other business units. Yet above all, the security lead needs to be a competent manager vested with the requisite management skills: the ability to plan, organise, direct, coordinate and control, and everything these functions entail from a security perspective.

Equally important is effective communication. The ability to converse and exchange information, ideas and instructions throughout the organisation, and to command the respect of superiors, subordinates and peers alike, is vital to nurturing and building alliances based on mutual respect for ability and subject knowledge. Furthermore, security leaders must develop good but ethical relationships with external bodies, being flexible on small issues but dogmatic in matters of morality and legality.

Achieving a dynamic security culture relies on strong leadership and communication to instil expected behaviour through persuading and explaining why this is in each person’s interest. Get this done and you are well on your way to adequate security in both the physical and virtual realms.
