Cyber Security Public/Private Partnerships

NPI is a staunch supporter of Public/Private security partnerships. We are proud to be working with the United Nations and the Organisation for Security and Co-operation in Europe on such partnerships to protect soft targets, including hospitality and tourism. Some countries that rely on tourism need support to build capability to protect the sector and underpin tourist reassurance. Much of the ongoing work focuses on the physical world, building capability, relationship building, practice standards, common ways of working and physical threat mitigation.

All of these are of course critical and there remains much work to be done across the globe; one area that is mainly overlooked is cyber public/private partnership. Hotels and travel companies hold extremely large amounts of personal data, which makes the sector attractive to cybercriminals; hotels and hotel companies are not renowned for having strong cyber defences. A serious cyber-attack has the potential to cause as much business disruption and reputational damage at a local and national level as a terrorist attack on a hotel. Given this, we believe that public/private security partnerships should include a cyber strand to build holistic programs that span the whole security threat spectrum.

In many countries, the public sector provides the private sector with a wealth of cybersecurity advice through bodies such as the National Cyber Security Centre in the UK, the Cybersecurity and Infrastructure Security Agency in the US and Europol Cyber Crime Centre in the EU. These organisations offer excellent cybersecurity guidance and advice; however, they tend to be ‘come and get me’ resources. Large companies and tech services companies are in the know and are much more likely to actively engage, but a swathe of other private entities will remain in the dark.

A key issue standing in the way of holistic public/private security partnering is that public cyber people tend to ‘talk’ to private cyber people and public physical security people ‘talk’ to private security people. Surely, effective security partnering will not be achieved until the four elements are engaged, ‘talking’ and delivering a joined holistic capability. Cyber and physical security partnering need to share the same platform and deliver to a joint plan.

Cyber Security public/private partnering faces similar challenges to physical security partnering. The basis of partnering is trust and this may not come as easily. Private may perceive Public with suspicion, seeing them as the regulators or the ‘law’ best kept at arm’s length. This is probably more so in the cyber world, where companies might be worried that public sector engagement might lead to the discovery of serious issues that have the potential to lead to significant sanctions. This is especially so for companies who operate ‘Emperor’s New Clothes’ cybersecurity programs. This often leads to companies failing to share information or to allow public cyber security agencies access to assist them. Private sector cyber team reticence is also sometimes reinforced by corporate legal teams who fear that liability issues might be uncovered.

On the other hand, the public sector has always been culturally reticent about sharing information beyond the public service or foundational level for fear of compromising sources or Tactics, Techniques and Procedures. The public sector is also hampered by the issues of information security classification and vetting requirements for those who might receive it. Furthermore, the issue of secure communication for sensitive/classified information is a challenge. These challenges lie at the heart of effective partnering because they form a ‘wall’ between public and private sectors.

In some areas of the public sector, there is a reticence to engage with the private sector because there is a culture that public is about protecting the public and the role of the private is to protect the private sector. This has been changing in recent years as large areas of the public security and intelligence agencies have started to recognise that commerce is part of the National Critical Infrastructure, particularly in the UK. This is particularly true of the NCSC, who have excellent outreach and information programs and, in my experience, are willing to roll their sleeves up and proactively assist the private sector to defend their cyber systems. The NCSC and its CISA counterparts are a good template for cybersecurity public/private partnerships, but perhaps their outreach could be a little more proactive, seeking to deliver effect deeper into UK commercial life.

So, in the UK at least, the public sector is moving in the right direction when it comes to public-private cyber security partnerships. Now, perhaps, it is time for more companies to reciprocate and do more to enable partnering; after all, they are on the same side in this cyber war with criminals and hostile governments.

  1. Is your company open to meaningful partnership with the public sector?
  2. Do you have a public sector engagement strategy?
