In Depth

Security Lessons from the UK

Europeans, and Brits specifically, handle security differently than do the Yanks. Understanding why and how can help give both sides new ideas.

By Malcolm Wheatley

"We took around 5 percent off the cost of security provision," he says. Initial skepticism vanished once the full benefits had been explained, he reports. "It wasn't so much a question of resistance being encountered, as a need to fully explain the reasoning," he says. "Once the savings were made clear, it became much more acceptable."

Role Models

Pepper's broad role brings us to questions of governance (titles and responsibilities, the corporate standing of the CSO, the importance assigned to information security), where again the United States and the United Kingdom are separated. Pepper would probably count himself as one of a small minority of British security executives having responsibilities with such breadth. "America is ahead of Britain in terms of the importance that they give to the security role," says Paul Simmonds, global information security director at London-based ICI, who spends a good deal of his working life in the United States, managing the security affairs of American subsidiaries such as National Starch. Convergence of physical and information security in Britain is still very rare, he notes. "It tends to be happening only where there are very obvious physical assets to secure, such as petrochemical companies," says Simmonds.

What's more, he adds, too many British companies still think in terms of IT security, not information security. At ICI, for example, Simmonds has been responsible for changing the name of his function from "IT security" to "information security." "The computer part of the job is pretty minimal; the trick lies in being able to get involved at the business process level," he says. And another small niggle is his own title: "If I was working for an American company, I'd be a CISO, but no one over here understands that phraseology. Yet in America, the term director, which is my title, implies middle management, which can cause difficulties." One possible solution: two sets of business cards, one for use in the United States and one for Britain.

While security (and in particular, information security) may not be the same hot button that it is in the United States, risk, and especially the risks to business continuity from catastrophic events, most surely is seen as critical. A nation that had become almost inured to attacks from the Irish Republican Army has woken up to the fact that there are bigger threats than truck bombs, and that truck bombs don't always have to contain fertilizer-based explosive. Although fertilizer-based bombs are deadly, as Oklahoma City showed, antiterrorism intelligence postulates there may be even nastier truck cargoes.
