Thank you to our Head of Client Development ADVENT IM, Derek Willins.
The original article on the ADVENT-IM site can be accessed by clicking on the logo:
As we endure societal lockdown in an effort to control the spread of COVID-19, thoughts turn to imagining what will change when it’s beaten. I suspect that business continuity, business resilience and risk management will be high on most agendas for a while, alongside the financial restrictions that will decide what gets done and when. Supply chains will be overhauled, as will working from home policies, and mobile equipment. Digitisation will increase, as will automation and complexity. Quite what all the ‘new normals’ will be in two or three years is too hard to call, but it will look different from today.
There is one certainty though. Online crime will continue to grow. Criminal activity has stepped up during the crisis with sophisticated health and virus-oriented phishing and ransomware campaigns, as well as heartless physical attacks on ambulances and thefts of hospital oxygen canisters. Our enemies are merciless and cruel. Unified and better-constructed security defences have to be part of the inevitable reviews which will happen. However, I suspect the usual objections to change will centre around finance (specifically ROI) and how we get more from less. This latter issue I want to address.
Advent IM’s long-held philosophy has always been that holistic security (one-team, information, IT, physical) is more efficient and effective than unconnected silos, and that excellence can be achieved with modest budgets. Underpinning this philosophy is that people and process are the master, and technology is the servant. All too often in the search for quick solutions, the lure of expensive technical security solutions (without good people and process around them) has failed to deliver on expectations. A more balanced approach of people and process with technical support is the strategy which brings affordable effectiveness. It was a pleasure, therefore, to discover some data which supports Advent IM’s philosophy.
A few months ago, a new report* was published, which caught my eye. It’s a document providing us with a view of the current state of Information Security including current risks and trends, organization structures, and budgets.
There is an analysis of the respondents’ security budgets (as a % of their IT spend) and their security maturity status (scored 0-4, with 4 being optimal). Each respondent is then placed into one of 4 quadrants. The two axes are the (group average) budget and the (group average) security maturity.
Conclusions from the report:
There is absolutely no correlation between security spend and security maturity.
There are high security spenders with a low security rating (B), and some low spenders with high security maturity (A).
The A group, with strong maturity and low expenditure, is spread across different industries and represents about 11% of organisations in the sample.
At face value then, the report tells us that security maturity (excellence, resilience) can be achieved, without massively high investment (less than 7.2% of IT budget). Clearly these organisations have something to teach everyone. Sadly, the analysis stops short of identifying their common attributes. However, there are some inferences that can be made.
The security maturity measure runs from 0 (Non-existent) to 4 (Optimised, i.e. business enabler). On average the sample scored 2.06. This puts them in the ‘Defined’ level, which means they have defined formal security process, roles and responsibilities, and it’s all communicated. So far so good.
The next level up (3) is where the A group are getting close to. This means they measure and test that process is working effectively, KPIs are set, some automation is used, and regular reviews and audits are conducted. In short, the A group ensure their way of working is effective and adjust as they go – and all done at below the average expenditure of 7.2% of the IT budget. In our experience, only people and process supported by the right technology make this happen.
Our experience tells us that most organisational leaders are satisfied that their security operation is currently fit for their purpose. It’s also true that the same people want security to be a bigger part of their business culture, but rarely have a plan to make this happen. However, the evidence is clear that more can be achieved with reduced expenditure, and that all organisations, however confident, should be constantly reviewing and testing what they do. Partly because threats are constantly changing, and partly because great security is an enabler of innovation and productivity.
The financial circumstances post COVID-19 will demand that operational improvements are made. More cloud, more automation, more devices, more data, more risk. Security by design and default means that planning for a more affordable and more effective security function in a post COVID-19 world starts now.
*Source: Capgemini Information Security Benchmark 2019. Based on 105 companies in EU across 4 large Private channels (Utilities, Finance, Consumer, Manufacturing). CISOs’ and CIOs’ views.
Some see a perceived lack of testing as the latest stick to beat the government with in the current COVID-19 crisis. The perception that is being left with the general public and with healthcare workers is that testing will provide some magic solution to the crisis. The reality is, being blunt, it won’t; being more accurate, each test has its strengths and weaknesses and no one test is the complete answer. Tests will only help our understanding of the spread of the infection and help keep us safer.
The current test, which is the one being scaled up, is an ‘antigen’ test. Antigens are molecules capable of stimulating an immune response in the body and that immune response is the start of the production of antibodies.
The antigen test requires a swab to be taken, usually from the back of the throat. That swab then needs to be sent to a laboratory where the antigen is scientifically amplified and compared with a reference to see if it is what they are looking for. This test, called the Polymerase Chain Reaction (PCR), often referred to as real-time PCR (rt-PCR), or the quantitative PCR (qPCR) test, requires trained laboratory technicians, specialist equipment and time for each test, as well as an administrative burden matching tests to results and informing individuals of results.
The current PCR test is an excellent technology but leaves a window as it misses some early cases, at times not detecting infection until a period post symptoms, even though the person can be highly infectious during that time. The test is also manpower and equipment limited, needing people to take samples, technicians and scientists to process and interpret the tests and staff to deliver the results.
Of course, a negative test one day does not mean the individual could not become infected the next day, and this is why it is essential the complementary antibody test is further developed and rolled out to identify who has had the infection.
This is a much simpler test using a sample of blood taken from a finger pin prick, which is then put into a device like a pregnancy test kit, but the chemistry on the test stick is designed to look for antibody. Antibodies (sometimes called immunoglobulins (IgM and IgG)) are proteins produced by the body over the course of a week or two in response to an infection and are there to fight the infection. Each antibody is designed to recognise a specific part of the cause of the infection (the antigen), lock onto it and stop it replicating, thereby fighting the infection.
With the antibody test, a solution is added, and the blood sample moves up the test paper stick, interacting with the chemistry on the stick and giving an indicator that the antibody is present. This will tell someone that they have had the COVID-19 disease in some form and only takes a few minutes to carry out. It does not indicate early infection or necessarily that an individual currently has the infection.
There are other tests currently being offered to the fight against COVID-19 that will complement the PCR antigen and the antibody test. This test is similar in its physical form to the antibody test, but the chemistry is very different. It detects a key very early marker of the activation of the immune system in the body produced from the very early stages of the infection. This happens as the infection enters the body and is active as the body produces certain ‘help’ molecules. A marker that has been identified, following a great deal of research activity into HIV and earlier SARS infections is called neopterin.
The neopterin test does not specifically identify that an infection is COVID-19, but it does detect that someone is suffering from an activation of their immune system and, as such, can detect infection at a much earlier stage in the disease than any of the other tests. It is a lateral flow test (like a pregnancy test) that is very simple to use and understand, and can be used and interpreted by health workers and the general public, requiring no specialist support. It is projected to be non-invasive by using only a small sample of saliva, with the test results showing a positive result with a red line in a few minutes only if the individual is suffering a current viral infection.
This new test is not yet part of the government’s offering but would complement the other two, allowing the resource- and time-consuming PCR test to be used only on those who have a positive indication of a viral infection and, critically, detecting those that are too early in the course of infection to be detected by the PCR or antibody test. It could also be used much more frequently as part of a wider screening programme, as it can be self-administered and self-interpreted, produces rapid results and allows more informed self-isolation, thereby reducing cross infection, potentially dramatically.
What is important is that the strengths and limitations of each type of test are known and understood and that a range of complementary tests are available to maximise the collection of results that will rapidly let the health system and public understand the risks.
This article was written by Philip Ingram MBE with the assistance of Professor Colin Self BSc, MB, BChir, PhD, DSc, FRSC, FRCPath who has developed the Neopterin test. Please use the contact us page if you want further details.
On Monday, 23 March the Prime Minister announced further instructions to the British public to combat the spread of Coronavirus (COVID-19). His announcement can be viewed here. It places further restrictions on when people can leave their homes and limits travel for work to essential roles only.
I am able to confirm that the current definition of critical worker DOES include regulated (licence holding) security professionals, essential to national infrastructure, operating in roles under the 8 broad headings listed. This status is only directly relevant to the ability to access the school and childcare systems at this time. This critical worker definition does not affect whether or not you can travel to work – if you are not a critical worker, you may still travel to work where this absolutely cannot be done from home.
To prioritise pressure on the schools system, it does NOT extend to all licence holders. It is role dependent. The list may change over time.
Government advice is to stay at home whenever possible. It is to keep your children at home whenever possible – even if you are a critical worker. If, and only if, you are undertaking an essential role, supporting the nation’s COVID-19 response, which you can only do by accessing the school or childcare systems, should you do so as a critical worker.
This definition covers, amongst other areas, security provision in hospitals; schools; social care; courts; government estate; supermarkets and the food supply chain; the transport network; national infrastructure and utilities. If you are providing essential security to a service which itself remains critical and functioning, which attracts critical worker status, then you are likely to be covered. If in doubt, check with whoever contracts for your services.
Roles essential to supporting law and order, with the potential to reduce demand on policing, also meet the critical worker definition. This would include, amongst other areas, the guarding of empty or closed commercial, retail or office premises; the monitoring of similar through CCTV or other remote means; and the provision of alarm response centres including mobile units.
If your role does not clearly fall under the headings above then you may still travel to work, if that work absolutely cannot be done from home. Your aim should be to stay at home whenever possible. If this is not viable then assess whether you can deliver more services remotely e.g. through CCTV. If a physical presence is required then you should seek to minimise the number of staff deployed to the lowest safe level and ensure social distancing is applied.
Note that in any circumstance, critical worker or otherwise, the Prime Minister has been very clear that ensuring social distancing remains the responsibility of the employer.
These are difficult questions in unprecedented times. They are not easy and no-one else can answer them for you. You will need to apply judgement, with the aim of minimising social contact where possible. The words to focus on are ‘necessary’, ‘critical’ and ‘essential’, otherwise please stay at home and minimise the transmission risks for the benefit of your health, your families, the general public and the NHS.
Emergency Planning Manager & LRF Secretariat, North Yorkshire County Council, County Hall, Northallerton, North Yorkshire, DL7 8AD. Contact: Tom Knox, Head of Resilience & Emergencies at NYCC and North Yorkshire Local Resilience Forum Secretariat, Tel: 01609 532 110 or 07891 587 376. North Yorkshire LRF Community Risk Register
The Welsh Assembly, emergency services, local authorities, health authorities and other emergency planning organisations work together to strengthen the resilience of services in Wales. The Wales Resilience website has more information.
Wales Resilience Forum (pan-Wales forum)
Head of Resilience Team, Welsh Government, Cathays Park, Cardiff, CF10 3NQ. Contact: Paul Critchley Paul.Critchley@gov.wales Tel: 0300 025 3593