what is all the fuss about?

‘The Cabinet Office has not yet established a clear role for itself in coordinating and leading departments’ efforts to protect their information’, the National Audit Office (NAO) reported recently. An unfair criticism in my opinion, given the changes currently under way. The report further stated that the Cabinet Office’s ambition to undertake such a role is weakened by the limited information that departments collect on security costs, performance and risks. Okay, so now we are focusing on the whys and on identifying the specific trouble spots.

‘but...then came trouble’

The 47-page NAO report, ‘Protecting Information Across Government’ indicated that the Cabinet Office is taking actions to improve inter-departmental support by streamlining roles, improving communications and effectively coordinating across the Government space by putting measures in place for policy, principles & guidance.

But you are unlikely to read about that, because then came trouble and the whole issue veered off course! ‘DAMNING’, ‘SLAMMED’, ‘SLATED’ shouted a myriad of websites and publications, from IT to politics. Most of these articles have brilliantly summarised the findings but put a spin on the report to try and prove ‘just how bad things are’.

so just how bad is it, doc?

Yes, I agree it isn’t all rosy, based on the NAO’s stats and findings. However, at Securestorm, as experienced advisers in the digital security space, we have a different outlook on the matter. The key questions should be: ‘Findings? Learning? Solutions?’ We decided to take the practical approach, actually understand the study, and come up with solutions.

let’s talk solutions!

"A critical finding in the report identified that traditional security boundaries have become blurred, with increasing dependencies between central government and the wider public sector due to increased information flows and shared technical infrastructure"

As a fix, we believe in wide adoption of an easy-to-use, pragmatic and proportional security and risk management framework, such as:

This, combined with a robust risk management process, will get organisations to share security and assurance data across the public sector, thus minimising external dependencies and security spending, and successfully countering the NAO’s criticism that government security measures are not demonstrating or supporting cost reductions. It would also most definitely reduce the risk of security breaches.

we can talk the talk...

"Another key finding within the NAO’s report centered on the Cabinet Office’s lack of visibility of information risks in departments and government organisations"

To counter this, developing a government-wide accessible, central repository of shared security and assurance data, based on the Digital Services Risk Management Record* schema, is the way to go. This enables the Cabinet Office to analyse organisational information risk trends, gain insight into the progress made and better protect their information.

"Though not a direct criticism, the NAO’s report also identified that there is a significant challenge for senior staff in understanding responsibilities for protecting information, and that many decision-makers lack relevant experience and awareness of inter-organisational processes"

To overcome this, solid security-to-business coordination is required, in the form of roles such as Chief Information Security Officer (CISO) and the use of business-language reporting to Board Members and Accounting Officers. An output of the Digital Services Risk Management Record* schema is the Accounting Officer / Senior Information Risk Owner (SIRO) Risk Report*, which provides decision-makers with a concise report of the information risks within a service or system, in business language and in a standard format.

keeping it real is our mantra!

"An additional finding in the NAO report was that, though there is a range of guidance and practical assistance available to central government and the wider public sector, and despite a drive to delegate responsibility for information protection to organisations, uptake has been variable and staff are often confused as to the differences between schemes, such as Cyber Essentials and the ISO 27001 Information Security Management System"

The Security Framework for Digital Risk Management* empowers organisations by harmonising the different elements of government security guidance and principles into a coherent approach, while the use of standardised security profiles enables organisations to develop proportional security baselines, tailored to the service or system in question.

casting a wider cyber net

"The NAO concluded that ‘protecting information while re-designing public services and introducing new technology to support them is a complex challenge for government. To achieve this, the centre of government requires departments to risk manage their information, but few departments have the skills and expertise to achieve this by themselves’"

As part of the government’s move to solve these issues, against a backdrop of nationwide cost reduction, a pilot is being undertaken to move central government departments into security clusters and pool their scarce resources. While this will counter the lack of skills and expertise in departments in the short term, it doesn’t support the wider public sector.

The Verdict. The only effective solution, therefore, is to reduce the complexity and effort required to pragmatically manage information risks, as longer-term plans, such as increasing the security talent pool via education, take time to bear fruit.

and finally…the Holy Grail of frameworks

The Security Framework for Digital Risk Management* coordinates and joins together the various government security policies, principles and guidance in a coherent and useful way. Combined with an easy-to-use risk management process, it enables central government and wider public sector organisations to manage information and digital risks for OFFICIAL environments in a pragmatic and proportional way, and to exchange and share security and assurance information via the Digital Services Risk Management Record* data schema.

Practical answers to critical problems. There you have it.


About Securestorm: We are a lean, agile and responsive cyber security consultancy that provides practical advice and intelligence with the aim to simplify the world of Cloud and Cyber Security. With a combination of innovation, expertise and strategy, Securestorm brings synergy to the industry.

About the Writer: As Securestorm CTO and CISO, Tony Richards is Securestorm’s lead force, taking charge of business delivery, client relationships and development programmes that boost the technical expertise, capabilities and accreditation of the company. As a subject matter expert and adviser, Tony is a renowned figure, particularly among Government organisations and in the Digital space, who has built his expertise and name providing advice on cyber and cloud security as well as assurance for information and risk management. Tony uses his 16+ years of advisory and security experience across the UK to regularly develop thought leadership, application tools and standards for organisations.


*All cited documents are available from Securestorm under a Creative Commons Attribution-Non-Commercial-Share Alike 4.0 International License https://creativecommons.org/licenses/by-nc-sa/4.0/