IFSECInsider-Logo-Square-23

Author Bio ▼

IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
November 29, 2008

Nothing found. Please check your show/episode id.

Download

State of Physical Access Trend Report 2024

Defensive tactics

The Centre for the Protection of National Infrastructure (CPNI) was formed in February 2007 thanks to the merger of the National Infrastructure Security Co-ordination Centre (NISCC) and part of MI5 (the UK’s Security Service) with the National Security Advice Centre (NSAC).

The advice it offers UK plc aims to reduce the vulnerability of the national infrastructure to terrorism and other threats, keeping the UK’s essential services (delivered by the communications, emergency services, energy, finance, food, Government, health, transport and water sectors) safer. Without these services, the UK could suffer serious consequences, including severe economic damage, grave social disruption or even the large-scale loss of life.

Accountable to MI5’s director general Jonathan Evans, the CPNI operates from a non-avowed public building in central London where, understandably so, security is incredibly tight. Indeed, to allow a recording device to be brought in, there’s a delay before SMT is allowed to sit down with Stephen Cummings – the CPNI’s director – in an upper floor Boardroom overlooking the London skyline. Well-dressed, serious and articulate, Cummings speaks in measured tones (and with a slight northern accent) in addressing the questions put to him.

Security Management Today (SMT): It seems the British security services are taking on more of a public face. Are you interacting with the public to a greater extent?

Stephen Cummings (SC): We don’t interact with the public. We interact very much with a professional security community, largely with organisations and businesses which are providing critical services to the public. So, while we have a web site where we make information publicly available to others who might want it, our focus is with the professional community.

As such, we think we are dealing with a community in which we can have some considerable mutual trust and respect and, because of that, we are able to engage relatively openly with that community and share information with it as openly as we can. The community needs vital background information to make the sort of decisions that need to be made about security.

SMT: How do you go about interacting with that community?

SC: In terms of the most critical organisations providing the most critical services, we have a one-to-one relationship there. We have a team of advisors – and other security experts backing up advisors – who deal directly with in-house security managers or risk professionals.

Another channel that we have is to facilitate or run a number of what we call ‘information exchanges’ whereupon we bring together people from specific business sectors to share information, experiences and expertise about security and risks in their arena.

We also run Forums which are more about cross-cutting issues or cross-cutting technology or security issues. For instance, we have an information exchange concerning process control systems in the national infrastructure. This cuts across all sectors because it focuses on a technology issue.

The organisation also runs an annual conference, and we have a restricted access Extranet. Access is granted to those in whom we have a high degree of trust, and where we know they work in organisations and positions where they need access to that slightly more developed information than is put on the public web site. In short, we try to make our advice and information available using a wide variety of channels.

SMT: The UK’s critical infrastructure is largely privately owned and protected. Is it difficult to make organisations take the need for protection regimes seriously?

SC: I don’t think it’s about making them take protection seriously, because many privately owned and operated companies working in the national infrastructure arena do that anyway. Really, from a Government perspective it’s all about letting them know the priorities in terms of security. It’s about affording them access to information [and] advice from Government which they might not find when dealing with non-Government sources.

The reason we do this work – and the reason the Government takes part in this work – is not to benefit the individual companies. Our focus is on companies and assets which have a direct or indirect impact on the citizen. Our prime interest is the citizen, and advising companies to help them maintain their services to them.

SMT: Do you need the full support of the business community at all times?

SC: Absolutely, because the business community owns most of the national infrastructure. Every country has its own way of describing the national infrastructure and what it consists of. We say national infrastructure comprises those business sectors that provide essential services to the citizen on which normal life depends. Many of those sectors are areas operated almost completely by the private sector, and we have to work in partnership with those private sector operators in order to help them attain the level of security they need to have in place to ensure continuity of service to the citizen.

Absolutely, we have to work with the private sector and work in partnership. It’s not a case of telling them what they must do. It’s not a case of regulation. It’s really focused on providing them with information and advice that helps the ‘installation’ of good security.

I don’t particularly like the expression ‘security as an enabler’, because it’s a bit of a cliche – it’s usually in the business’ own interest to have good security in place because it will ensure continuity of service, confidence about the services provided and, in some cases, it does genuinely realise a competitive advantage over those organisations that don’t have such good security arrangements in place and practice them on a regular basis.

SMT: Most organisations – including Government – spread security across a number of areas. Human Resources might be responsible for personnel security, the IT Department for IT security. How hard is it to impart what now seems to be a strong need for operational integration and cohesion?

SC: I don’t think it’s hard to impart that message. Increasingly, companies are integrating their response to security at some point in the organisation. It really depends on what point that happens. In certain cases, it’s relatively high up in the organisation where the different elements of security come together along with different types of risk.

In some organisations, we are beginning to see a kind of central integrating function where the purpose is to look across the different strands of security and ensure that, even where they are being managed or implemented separately, they’re integrated and not being taken forward in isolation from each other.

Even so, when it comes to implementation or the expertise needed to implement that security, maybe this is still delegated and carried through by slightly different channels. The message about integration of security systems and responses is being implemented by a number of major companies.

SMT: Surely there’s a danger in looking solely at counter-terrorism issues at a time when we’re seeing an ‘all hazards’ approach to security emerge?

SC: Well, we don’t deal in ‘all hazards’. We deal with threats. Our web site states that we focus primarily on terrorism and other threats. We are not looking at non-malicious threats such as flooding, famine and disease.

There are arguments for having arrangements in place whereupon work is carried out on an ‘all hazards’ basis, but I also feel there are good arguments for not doing that, which is the model we adopt in the UK.

When it comes to threats, although the focus of our concern is counter-terrorism, in fact threat is only a small part of what drives the programme of work here. We are more driven by vulnerability and the impact on the things we want to protect.

The primary difference we can make in industry is to help it reduce that vulnerability to threat. The threat we are concerned about is mainly terrorism but, actually, if you reduce your vulnerability to terrorism, you will also be reducing your vulnerability to crime, to a disgruntled employee and even, in some cases, accidental incompetence.

If you focus on vulnerability and its reduction that sends a very strong message to industry because they then don’t ask the question: “What’s the terrorist threat to us?” They recognise the wider benefit of reducing vulnerability across the board.

SMT: Particularly in the current economic climate, companies have to look at security and risk assessment from both a business perspective and as a commercial decision. If they say they do not want to take your advice, how are you going to cajole them into ‘crossing the line’?

SC: First of all, in the UK there’s a good history of industrial co-operation. I think there’s a good security culture in place. Industry does see the benefits of putting security in place, both for its own interests and because there’s a sense of corporate responsibility about ensuring continued service to customers.

I would say also that there’s a regulatory requirement on most operators in the national infrastructure to provide guarantees of continuity of service to their customers. It’s for a different purpose not to do with security, but that requirement is there.

What we have to do is provide companies with salient information and advice such that they understand what they’re being asked to do is proportionate. It’s very important in the CPNI – I think we are very clear about this – we don’t talk up the threat, we don’t talk up the response to threat and we are absolutely clear that what needs to be put in place is proportionate security arrangements, because disproportionate arrangements are costly and unnecessary and merely serve to hinder business effectiveness.

SMT: The problem lies, of course, in encouraging co-operation. We have seen the likes of Project Griffin described as a good role model, but does that sort of model transport to other sectors?

SC: Project Griffin is primarily a policing response to security, but that sort of co-operation model does transfer to other sectors. I think it transfers particularly well in those situations where you can make businesses understand that, by sharing information about security, they are not putting themselves at a competitive disadvantage.

These days, most companies recognise that co-operating on security doesn’t affect their competitiveness. In fact, it helps their business. If you have an operator in a particular sector and something goes wrong, very often customers of that business will not think: “Well, I’ll move business to a competitor.” I think they rather cynically feel: “Well, if that can go wrong in that business, it could probably go wrong in many other businesses in the sector, so I’m not going to shift my custom. I’m just going to stop doing business that way altogether.”

The impact of certain elements or ways of managing security ‘going wrong’ in one company can affect the thought processes of others. That’s why it’s actually to business’ competitive advantage to share information and experience.

SMT: On a professional level, what security-related issues keep you awake at night?

SC: The biggest concern is that, first of all, everyone’s resources are limited. Quite properly because, again, the security response has to be proportionate. Clearly, that does mean there can be no guarantees that arrangements have been put in place that reduce the security risk to nothing. I don’t think we’ll ever be in the situation where there’s not a level of risk within the national infrastructure and, as with other parts of society, security must be applied to them.

What keeps me awake at night is that something serious could happen and, as we’ve seen in the UK and elsewhere, that event might well be damaging and cost lives. The reality is that we can’t protect everything.

SMT: If a security event does occur we are faced with the recovery phase. Are you involved in that, too?

SC: That’s not our role. In the UK Government that is the role of the Civil Contingencies Secretariat. We do work very closely with that Secretariat because we do understand that protection against something bad happening is really part of the continuum of dealing with the incident when it happens and then recovering from that incident thereafter.

The CPNI is really concerned with protection, and about preventing an incident from happening.

Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted