Security culture in Government

The recent confidential document breaches by UK Government officials have prompted observers such as Dame Pauline Neville-Jones to suggest that there is a “culture of carelessness”. Is this true? And what can be done?

Certainly it would appear that standards of security behaviour have been slipping. Breaches like today's would have been unlikely in the past: people handling highly classified material took security very seriously during the Cold War.

Things have changed since then. The threat is different today. Civil servants are unlikely to feel they are being watched or tailed by hostile intelligence services. The perceived impact of disclosure is much less than it used to be. And information today is circulated in a much more open way.

Such changes in context act as subtle but powerful cues for the behaviour of staff. We need to introduce new rules, responses and motivators to alter their perception. Security culture can be changed. But only by visible acts, not by demands, policy or wishful thinking.

1 comment

The reasons for these failings seem to me to be fourfold:

1. Cultural
2. Technical
3. Procedural
4. Personal

Culturally, the first UK government failing is that they misunderstand data. They truly believe that 'official' information belongs to THEM; that it relates to, or refers to, you is now (in their eyes) irrelevant. The second cultural failing is that they seem unable to distinguish between 'policy' (see 3) and putting policy into practice (see 4). The third cultural failing is a lingering belief that security-by-obscurity works. Contrast the Canadian Security Policy (available on the www), the opening sentence of which says something along the lines of: "The CSP exists to safeguard the security and wellbeing of Canadians", with the opening CHAPTER of the UK equivalent MPS (NOT available on the www), which in my opinion waffles on and on about 'official information' without bothering to define what 'official' actually means or ever once mentioning 'people'.

Technically, the UK government failing is that they think abandoning an encrypted laptop in a tapas bar (or similar) is not the same as abandoning a piece of paper on the 10:42 Waterloo to Strawberry Hill (or similar). Narrowly, they are correct; the failing is misunderstanding the public perception. The crypto on Hazel Blears' machine will be deemed to 'downgrade' SECRET to RESTRICTED. That the machine is at RESTRICTED means our Minister should have, as a bare minimum, PUT IT AWAY; a locked filing cabinet would probably suffice.

Procedurally, the UK government failing is that they have all sorts of policy in place, but it is not effectively pursued. The policy requires frequent audits, checks, balances, awareness refreshers &c to be conducted. Sadly, reality at the coal face is that lip service is paid to 'policy'.

The personal failing is that significantly less than 1%, it seems to me, actually CARE.