Every year at IFSEC, people I meet ask me what’s new, or what’s going on – a reasonable question, that sometimes I don’t know how to answer, writes Mark Rowe.
Something new at the Security Industry Authority (SIA); or, for the last year or two, the proposed Protect Duty (at a ‘pre-legislative stage’, as reported in the April edition of Professional Security Magazine; the writing of legal definitions of what venues and places should be subject to the Duty; who’ll be a ‘competent person’ to survey sites; what an enforcement body will look like; all crucial, but the writing’s not done in public). Ask me next month at Excel and I will answer with something that has been intriguing me ever since the ‘return to work’ after the covid pandemic.
The switch to ‘hybrid working’ by those not on the front line that can as easily work from home or anywhere, as in a head office, had to happen in a hurry in spring 2020. That switch may have happened more gradually, at different times in different places. Its effects are considerable, both inside workplaces and beyond – if workforces don’t require nearly so much office space, what will that do for property values? Where does that leave the railways without the steady income from commuters? What are the implications for security?
Last year I had a good chat with a wise old owl of the security industry. One remark of his that stuck with me was what young job candidates ask prospective employers at interview: ‘how much holiday will I have?’. Others have remarked on the attitude of the youngest in the workforce; that they arrange their work around their non-working life, and do not put work first. That is not to say that the young have a bad attitude or that they do not do their jobs correctly. It does mean that security departments have to work harder, to get across messages, for non-security staff to be secure, in the physical and cyber worlds.
The two do affect each other; as reflected in the details of ISO 27011, the international standard for information security management. It’s not much use having technical controls for your data, if someone can walk into your server room and steal your servers; or, if your data is in the cloud, if a ‘threat actor’ can by social engineering over the phone or in person gather passwords or other information to breach your IT systems.
Hence the need to inform non-security staff about the need to guard in the real world against tail-gating, and to politely but firmly enforce rules such as wearing of identity badges; and in cyber terms, to obey policies, whether about BYOD (‘bring your own device’) or what you can and cannot do with a laptop or phone given you by your employer.
At the recent ‘innovation lab’ day by the contractor Carlisle Support Services in Manchester, featured in the April print edition of Professional Security magazine, Dr Paul Redmond of the University of Liverpool spoke about ‘zombie jobs’ such as accountancy that artificial intelligence will take over; and the four generations in the workplace (the wise old owl I spoke to said five?). Those generations, from pre-baby boomers to baby-boomers (born 1945 to about 1965) and to the most recent, Generation Z (and I have just heard someone talk of the generation after, ‘Generation Alpha’) had quite different, even jarring, approaches to tech, attitudes to the workplace, and one another.
As in the audience in Manchester, typically security people are older. The risk; that older people (of any function) set rules that make sense to their generation, yet make less or no sense to the young, who will find work-arounds. Take cyber. If you’re in your 20s on an entry-level job after you’ve graduated, not earning a large amount and with student debt, are you really going to obey any rule that you shouldn’t use free wi-fi? Or that you ought not to do your home shopping and banking on a company device, despite the convenience, and the saving money? The rules will be ignored.
How are younger workers, doing back-office jobs such as intelligence analyst, to pick up the subtle yet important workplace culture, the way things are done around here, including security (such as, not leaving your password on a Post-It note on the side of a computer)? Government agencies and businesses alike have responded by offering more induction, both for the overall institution and the job role. But what if the young – who think nothing of moving every nine months or year, and who may be leaving in the summer to go travelling, because they couldn’t do it during covid – aren’t that interested?
More in the May print edition of Professional Security Magazine.
