Security Lessons from the UK

Europeans, and Brits specifically, handle security differently than do the Yanks. Understanding why and how can help give both sides new ideas.

March 01, 2005 — CSO — "Two countries, separated by a common language" was the conclusion that British Prime Minister Winston Churchill reached after working with America to defeat Hitler's Germany during WWII. Brits do things one way, Americans often another wayeach for their own very good reasons.

And it's a distinction that holds true in the world of security too. "Some of the differences between the U.K. and the U.S. still strike me forcefully," notes Richard Starnes, an American information security professional who has been in England for five years, currently serving as president of the U.K. chapter of the Information Systems Security Association and as director of incident response at telecommunications company Cable and Wireless. Time and again, Starnes says, he sees Americans fall foul of the assumption that security policies and practices designed for organizations within the United States will be culturally and legally acceptable in the United Kingdom and other European countries. It is, he says, "not an assumption that's valid." The bottom line: What works well in Los Angeles may not work at all in Leeds or Liverpool.

Why not? Simply put, on any one of a number of axesculturally, regulatory, organizationally, historically and geographicallyChurchill was right. Britain and America are very different. For example, the United Kingdom has a decades-long head start on preventing terrorist attacks. Yet while U.S. businesses may have built less antiterrorism capability, security at the moment may have higher organizational standing at U.S. businesses in the receding wake of 9/11. For the CSO, the time required to understand this and other differences, and their ramifications for corporate security leadership, is time worth investing for two reasons. First, American-headquartered companies with operations in Britain have an obvious need to know. Second, even companies operating solely in the United States can learn a trick or two from best practices of their counterparts across the Atlantic. From differences in detail right through to the big strategic picture (more on that later), there's value in the English point of view. Elbow RoomOn the tactical end of the scale, take the differences stemming from the physical, human and environmental geography of the country itself. Britain's mild climate and benign geology mean that its security professionals are sometimes taken aback at their American counterparts' sanguine approach to data centers located on earthquake fault lines or in "Tornado Alley," says Jason Creasey, head of projects at the London offices of the Information Security Forum International, which counts corporate giants such as Boeing, Procter & Gamble and Citibank among its 260 members. "To British eyes, it seems strange," he says.